MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c6b642c83680f0f7114fddc1e3119394975172088b1eb36a6aa76ff00819ece. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c6b642c83680f0f7114fddc1e3119394975172088b1eb36a6aa76ff00819ece
SHA3-384 hash: 206dc79790e3918a7b5600c3e53ee347d7ab33966ea6cd7fe51cab09293294aed974612abd75a894347328d9c4e49ecc
SHA1 hash: c1c039cdc729ed41c519c7ec0ff6d1ca66f6decf
MD5 hash: 25b950ae2c9311862f59e37b71d6af59
humanhash: glucose-football-violet-glucose
File name:9c6b642c83680f0f7114fddc1e3119394975172088b1eb36a6aa76ff00819ece
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'565'120 bytes
First seen:2025-07-31 11:58:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:+vq8I3K0XPz+VWR5eRzLkadvdGXkWS9V7XXi3suwG6cnS2GYdAMEOlo:+/I3K0XOWOtdl/V9NXS8uQC/dXl
Threatray 1'054 similar samples on MalwareBazaar
TLSH T122C522CAB625C645C4B43AB84FC3D87507D96DD54AB24B02BBCE7F23B2B0983BD46245
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 4c10786161701044 (1 x AgentTesla, 1 x RedLineStealer)
Reporter JAMESWT_WT
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
9c6b642c83680f0f7114fddc1e3119394975172088b1eb36a6aa76ff00819ece
Verdict:
Malicious activity
Analysis date:
2025-07-31 12:56:37 UTC
Tags:
stealer auto redline
Link:
https://app.any.run/tasks/18989f16-a520-44fd-a5ce-aac8fc281942

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18059/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688b5a9d0b4775fb2133f3b8
Tags:
ransomware spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Launching a process
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Connection attempt to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/688b5a9ba16348d835f5b72d/reports/6f623c87-2fc1-4e22-8a4d-05741ffa8219/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/9c6b642c83680f0f7114fddc1e3119394975172088b1eb36a6aa76ff00819ece
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/981956aa-16a0-455f-9358-742bbc2f4753
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9c6b642c83680f0f7114fddc1e3119394975172088b1eb36a6aa76ff00819ece
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.68 Win 64 Exe x64
Link:
https://app.malva.re/file/25b950ae2c9311862f59e37b71d6af59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c6b642c83680f0f7114fddc1e3119394975172088b1eb36a6aa76ff00819ece/
Threat name:
ByteCode-MSIL.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2025-07-20 14:25:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=trvwilednahq64iu7xob4mizhfexkfzarcy6wnvgvj3p6aebt3ha._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
redlinestealer
Create hunting rule
Similar samples:
260c17f9aa96c9ca3870e69a7361178c487534c89d004ccae5206a7d214ba43c
RedLineStealer
34815fc9badaa5b7ef9b8394a1aa00bbf98917382f565e9b782293f0e623b5a3
RedLineStealer
67559021bb3b13bef30226a052dd097156aa998543f4a3689649f4e00de86686
RedLineStealer
9c6b642c83680f0f7114fddc1e3119394975172088b1eb36a6aa76ff00819ece
RedLineStealer
ae1a3efd351d9b6efb9f8702006380df50d2ade99a1a661b2511479080b929dd
RedLineStealer
af429c283dcd245b61dd36bc463f32b80d12e88bcb2db1fa4ccf252756ee7287
RedLineStealer
error
RedLineStealer
+ 1'044 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:120 infostealer
Link:
https://tria.ge/reports/250731-n5wcwstydt/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
103.59.160.219:1912
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a2a66ec5-6d78-4d29-9863-0ee42a088c17
Unpacked files
SH256 hash:
9c6b642c83680f0f7114fddc1e3119394975172088b1eb36a6aa76ff00819ece
MD5 hash:
25b950ae2c9311862f59e37b71d6af59
SHA1 hash:
c1c039cdc729ed41c519c7ec0ff6d1ca66f6decf
Link:
https://www.unpac.me/results/0984d7ca-8ef3-445e-b54a-43393a7302f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/9c6b642c83680f0f7114fddc1e3119394975172088b1eb36a6aa76ff00819ece

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18059/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments