MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9df79042b53c89ea13d9ab6640a3f6ad8f63c64fd9d8683378a96ddc0acc225f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 17



SHA256 hash: 9df79042b53c89ea13d9ab6640a3f6ad8f63c64fd9d8683378a96ddc0acc225f
SHA3-384 hash: ac16d82c3c1e713458ce2ed8878247fc68dd7b5fa2c180ebfab007e1672ec38eda5a0dde3617da44a823b9188db9926c
SHA1 hash: 85dce7b10855595a448ef0cdc1deabc175e46bbb
MD5 hash: 4a17be04416a97a4f51808d41010007b
humanhash: gee-salami-enemy-tennessee
File name: 4a17be04416a97a4f51808d41010007b.exe
Signature: RedLineStealer
File size: 5'083'778 bytes
First seen: 2025-07-01 01:55:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b8494300a1f7342d4c600a7b12e15925 (3 x RedLineStealer, 3 x RemoteManipulator, 1 x njrat)
ssdeep: 98304:9Xz+neHoUCmGYvVnsxOqDP3fJNzui29fiJ0c+5HRN73jREMdQsbN72Fnj/mOrTpT:FKnt/mVVnsf3BNChu0cSNDjREUQsctiE
Threatray: 21 similar samples on MalwareBazaar
TLSH: T1AC36335D3E75D37ED0330E3DAC0B80AAB2BCA515AD7821AFA3DD85D878233574A1524E
TrID: 93.8% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
      2.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      0.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: a2a2c2e2e2a2aa00 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
78.155.194.221:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
78.155.194.221:80 | https://threatfox.abuse.ch/ioc/1551796/
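The hash table above identifies the file and the IOC table gives the reporter's C2 socket; the sandbox behaviour graph further down adds oldbet.ru (same IP, port 443) plus the Remote Utilities relay hosts rmansys.ru and main.internetid.ru, and every vendor verdict on this page classifies the binary as Remote Utilities / RMS rather than RedLine. The following is an added example, not MalwareBazaar or abuse.ch code: it verifies that a local file really is this sample (all four digests must match, so a re-upload or lookalike fails) and scans flow-log lines for the listed destinations. The flow-log format and the sample lines are constructed for the demo, and the low/high confidence labels are this example's own judgement: the two Remote Utilities domains are the vendor's own infrastructure, so a hit there corroborates but does not convict on its own.

```python
"""IOC matching helpers for this entry (added example, not MalwareBazaar code).

Digests are copied from the hash table on this page; the sockets come from the
reporter's note, the ThreatFox entry and the sandbox behaviour graph.
"""
import hashlib
import re

SAMPLE_HASHES = {
    "md5": "4a17be04416a97a4f51808d41010007b",
    "sha1": "85dce7b10855595a448ef0cdc1deabc175e46bbb",
    "sha256": "9df79042b53c89ea13d9ab6640a3f6ad8f63c64fd9d8683378a96ddc0acc225f",
    "sha3_384": "ac16d82c3c1e713458ce2ed8878247fc68dd7b5fa2c180ebfab007e1672ec38eda5a0dde3617da44a823b9188db9926c",
}

# (dst_ip, dst_port or None for any port) -> (label, confidence).
# Confidence is this example's assumption: rmansys.ru / internetid.ru are the
# Remote Utilities vendor's relay infrastructure and also appear in legitimate use.
NETWORK_IOCS = {
    ("78.155.194.221", 80): ("C2 reported by abuse_ch (ThreatFox 1551796)", "high"),
    ("78.155.194.221", 443): ("oldbet.ru, contacted by File2.exe in the sandbox", "high"),
    ("31.31.198.18", 80): ("rmansys.ru, Remote Utilities vendor site", "low"),
    ("77.223.119.187", None): ("main.internetid.ru, Remote Utilities relay", "low"),
}


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests the entry lists, keyed by hashlib algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matches_entry(data: bytes, expected: dict = SAMPLE_HASHES) -> bool:
    """True only if every listed digest matches; a partial match means a different file."""
    got = hash_bytes(data)
    return all(got[algo] == digest.lower() for algo, digest in expected.items())


# Constructed flow-log format for the demo: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def scan_flows(lines):
    """Return one hit per flow whose destination matches a listed IOC (port-specific first)."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        ioc = NETWORK_IOCS.get((dst, dport)) or NETWORK_IOCS.get((dst, None))
        if ioc:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": f"{dst}:{dport}",
                         "label": ioc[0], "confidence": ioc[1]})
    return hits


# Constructed sample flows, not real telemetry.
SAMPLE_FLOWS = [
    "2025-07-01T02:00:01Z 10.0.0.15:49686 -> 78.155.194.221:443 tcp",
    "2025-07-01T02:00:02Z 10.0.0.15:49689 -> 31.31.198.18:80 tcp",
    "2025-07-01T02:00:03Z 10.0.0.15:49693 -> 77.223.119.187:443 tcp",
    "2025-07-01T02:00:04Z 10.0.0.15:49700 -> 93.184.216.34:443 tcp",
    "2025-07-01T02:00:05Z 10.0.0.15:49701 -> 78.155.194.221:80 tcp",
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(f"[{hit['confidence']:>4}] {hit['ts']} {hit['src']} -> {hit['dst']}  {hit['label']}")
```

Run it with no arguments to see the four matches from the constructed flows; in practice, feed `matches_entry()` the bytes you downloaded before opening them in any tool, and treat a low-confidence hit as a prompt to check whether Remote Utilities is sanctioned on that host rather than as an alert by itself.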

Intelligence


File Origin
# of uploads: 1
# of downloads: 593
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 4a17be04416a97a4f51808d41010007b.exe
Verdict: Malicious activity
Analysis date: 2025-07-01 01:59:04 UTC
Tags: rms rat upx delphi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection: RemoteUtilitiesRAT
Verdict: Malicious
Score: 99.9%
Tags: vmdetect phishing delphi zeus
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Searching for the window
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Launching a tool to kill processes
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug borland_delphi fingerprint installer overlay packed
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RMSRemoteAdmin
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph (ID 1726017; sample DFDYvzAdQY.exe; start date 01/07/2025; architecture WINDOWS; score 100), recovered from the flattened graph:

Network (all destinations in the Russian Federation):
  rmansys.ru -> 31.31.198.18 (AS-REGRU), ports 49689, 49692, 80; contacted by sysdisk.exe
  main.internetid.ru -> 77.223.119.187 (EKAT-ASRU), ports 49693, 49695, 49696; contacted by sysdisk.exe
  oldbet.ru -> 78.155.194.221 (SELECTEL-MSKRU), ports 443, 49686, 49687; contacted by File2.exe
  2 other IPs or domains

Process tree (every dropped file is PE32 under C:\ProgramData\WindowsVolume\):
  DFDYvzAdQY.exe [Suricata IDS alerts for network traffic; malicious sample detected (community Yara rule); antivirus / scanner detection for submitted sample; 2 other signatures]
    drops File.exe, File2.exe, File3.exe and 2 other malicious files
    -> DiskServer.exe
         drops OpenDisk.exe, DiskUpdate.exe
         -> OpenDisk.exe [multi AV scanner detection for dropped file; contains functionality to detect sleep reduction / modifications]
              -> DiskUpdate.exe [multi AV scanner detection for dropped file]
                   drops vp8encoder.dll, vp8decoder.dll, volumedisk.exe and 2 other malicious files
                   -> DiskUpdate1.exe [antivirus detection and multi AV scanner detection for dropped file; sleep reduction / modification detection]
                        -> cmd.exe [uses cmd line tools excessively to alter registry or file data; uses regedit.exe to modify the Windows registry; uses attrib.exe to hide files]
                             -> sysdisk.exe (x2) [multi AV scanner detection for dropped file; tries to detect sandboxes and other dynamic analysis tools], conhost.exe, 24 other processes
              -> File.exe [antivirus detection for dropped file; sleep reduction / modification detection]
              -> File2.exe (contacts oldbet.ru)
                   -> cmd.exe -> conhost.exe, choice.exe
              -> File3.exe
  sysdisk.exe (second root process; contacts rmansys.ru and main.internetid.ru)
    -> volumedisk.exe (x2) [antivirus detection and multi AV scanner detection for dropped file]
         -> volumedisk.exe
Verdict: inconclusive
YARA: 5 match(es)
Tags: CAB:COMPRESSION:NONE Executable PE (Portable Executable) Win 32 Exe x86
Result
Malware family:
Score: 10/10
Tags: family:rms defense_evasion discovery execution rat trojan upx
Behaviour
Kills process with taskkill
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Launches sc.exe
UPX packed file
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Sets file to hidden
Stops running service(s)
RMS
Rms family
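The behaviour lists above (regedit importing a .reg file, attrib hiding files, taskkill, sc.exe stopping services, all launched from cmd.exe under a dropper staged in C:\ProgramData\WindowsVolume\) describe a chain that is far more specific than any single event in it: an administrator also runs attrib and taskkill. The following is an added example, not vendor or MalwareBazaar code, showing how to correlate those techniques over a process tree so the alert fires on the cmd.exe that ties them together and not on a lone attrib. The events are constructed to resemble Sysmon Event ID 1 fields (pid, ppid, image, command line); the file names install.bat and settings.reg, the service name and the benign user chain are made up for the demo and do not come from this page.

```python
"""Process-tree correlation for the cmd.exe -> regedit/attrib/taskkill/sc chain
reported in the sandbox behaviour above (added example; not vendor or
MalwareBazaar code). Events are constructed, Sysmon-EID-1-like records."""
import re
from collections import defaultdict

DROP_DIR = "c:\\programdata\\windowsvolume\\"   # staging directory from the behaviour graph

# (technique name, predicate over lower-cased image path and command line)
RULES = [
    ("exec_from_drop_dir",    lambda img, cmd: img.startswith(DROP_DIR)),
    ("regedit_silent_import", lambda img, cmd: img.endswith("\\regedit.exe") and "/s" in cmd and ".reg" in cmd),
    ("attrib_hide",           lambda img, cmd: img.endswith("\\attrib.exe") and re.search(r"\+[hs]", cmd)),
    ("taskkill_force",        lambda img, cmd: img.endswith("\\taskkill.exe") and "/f" in cmd),
    ("sc_stop_service",       lambda img, cmd: img.endswith("\\sc.exe") and re.search(r"\bstop\b", cmd)),
]


def detect(events, threshold=3):
    """Attribute each technique to the process and all of its ancestors, then alert on
    the deepest process whose subtree shows at least `threshold` distinct techniques.
    Reporting only the deepest candidate keeps explorer.exe from being blamed for
    everything that ever ran beneath it."""
    by_pid = {e["pid"]: e for e in events}
    subtree = defaultdict(set)
    for e in events:
        hits = {name for name, pred in RULES if pred(e["image"].lower(), e["cmdline"].lower())}
        pid, seen = e["pid"], set()
        while hits and pid in by_pid and pid not in seen:   # walk up, guard against ppid loops
            subtree[pid] |= hits
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
    candidates = {pid for pid, techs in subtree.items() if len(techs) >= threshold}
    parents_of_candidates = {by_pid[pid]["ppid"] for pid in candidates}
    alerts = []
    for pid in sorted(candidates - parents_of_candidates):
        chain, p, seen = [], pid, set()
        while p in by_pid and p not in seen:
            chain.append(by_pid[p]["image"].rsplit("\\", 1)[-1])
            seen.add(p)
            p = by_pid[p]["ppid"]
        alerts.append({"pid": pid, "techniques": sorted(subtree[pid]), "ancestry": " <- ".join(chain)})
    return alerts


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed events: one malicious chain plus an admin running attrib by hand.
# install.bat, settings.reg, the service and user names are invented for the demo.
SAMPLE_EVENTS = [
    ev(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ev(200, 100, r"C:\ProgramData\WindowsVolume\DiskUpdate1.exe", r"C:\ProgramData\WindowsVolume\DiskUpdate1.exe"),
    ev(300, 200, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\ProgramData\WindowsVolume\install.bat"'),
    ev(301, 300, r"C:\Windows\regedit.exe", r"regedit.exe /s C:\ProgramData\WindowsVolume\settings.reg"),
    ev(302, 300, r"C:\Windows\System32\attrib.exe", r"attrib +h +s C:\ProgramData\WindowsVolume"),
    ev(303, 300, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im notepad.exe"),
    ev(304, 300, r"C:\Windows\System32\sc.exe", "sc stop Spooler"),
    ev(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ev(501, 500, r"C:\Windows\System32\attrib.exe", r"attrib +h C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {', '.join(alert['techniques'])}  ({alert['ancestry']})")
```

With the constructed events the only alert is the cmd.exe (pid 300) under DiskUpdate1.exe, carrying four techniques; the user's attrib under the second cmd.exe stays below the threshold. Lower `threshold` to 2 if you also want the dropper-directory execution alone to count, at the cost of more noise from legitimate installers that stage files under ProgramData.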
Unpacked files
SHA256 hash: 9df79042b53c89ea13d9ab6640a3f6ad8f63c64fd9d8683378a96ddc0acc225f
MD5 hash: 4a17be04416a97a4f51808d41010007b
SHA1 hash: 85dce7b10855595a448ef0cdc1deabc175e46bbb

SHA256 hash: f58453ab27aac7e86cad87245c10af772a57c617899b67ca3167b9b96afff273
MD5 hash: 0b1238a33e9f55a37d5a4ed8cb434060
SHA1 hash: 9c42ece9c5a2d9584caa288a962f466559b3c59f

SHA256 hash: 8c451a79b734ed123acb24407fb1b3d536138ae7716ed39ecb141f421907e787
MD5 hash: da959bbb02a12c6690c50778ac1c2eab
SHA1 hash: 5daa4bf818150c007483b17154294d6fee085baa

SHA256 hash: 011842840bd0a9dd9fd9692e74fd15dd2025f2e758371b0f9a972552c05b30b0
MD5 hash: 7db1fdfd0b4b50051cc86d5851dffccf
SHA1 hash: 1a8f66208527c170368460c45c02e67740efda50

SHA256 hash: e5c58f0d2b6c1c2e9c405f30e8fefbdd12de02618e87a2302c3152a44cd612bd
MD5 hash: ebf7cdaf6e7b03570af728d556dff9e5
SHA1 hash: 50d95f4e3c791e3d413edb6cbc976f0a2bca4d02

Detections: win_rms_auto win_rms_a0 MALWARE_Win_RemoteUtilitiesRAT
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: APT_DustSquad_PE_Nov19_1
Author: Arkbird_SOLG
Description: Detection Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name: APT_DustSquad_PE_Nov19_2
Author: Arkbird_SOLG
Description: Detection Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded PowerShell script.
Rule name: MALWARE_Win_RemoteUtilitiesRAT
Author: ditekSHen
Description: RemoteUtilitiesRAT RAT payload
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: SR_APT_DustSquad_PE_Nov19
Author: Arkbird_SOLG
Description: Super Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name: UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXProtectorv10x2
Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu
Rule name: upx_3
Author: Kevin Falcoz
Description: UPX 3.X
Rule name: upx_largefile
Author: k3nr9
Rule name: win_rms_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high
Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | advapi32.dll::AllocateAndInitializeSid, advapi32.dll::EqualSid, advapi32.dll::FreeSid
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
MULTIMEDIA_API | Can Play Multimedia | gdi32.dll::StretchDIBits, winmm.dll::timeKillEvent, winmm.dll::timeSetEvent
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges, advapi32.dll::GetTokenInformation
SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteExA, shell32.dll::ShellExecuteA, shell32.dll::SHGetFileInfoA
WIN32_PROCESS_API | Can Create Process and Threads | advapi32.dll::OpenProcessToken, kernel32.dll::OpenProcess, advapi32.dll::OpenThreadToken, kernel32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | kernel32.dll::TerminateProcess, kernel32.dll::LoadLibraryA, kernel32.dll::GetStartupInfoA, kernel32.dll::GetDiskFreeSpaceA, kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | kernel32.dll::WinExec
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryA, kernel32.dll::CreateFileA, kernel32.dll::DeleteFileA, kernel32.dll::GetWindowsDirectoryA, kernel32.dll::GetSystemDirectoryA, kernel32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information | kernel32.dll::GetComputerNameA, advapi32.dll::GetUserNameA, advapi32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegCreateKeyExA, advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryInfoKeyA, advapi32.dll::RegQueryValueExA, advapi32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | user32.dll::FindWindowA, user32.dll::PeekMessageA, user32.dll::CreateWindowExA
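Three of the four BLint findings above (CHECK_AUTHENTICODE, CHECK_NX, CHECK_PIE) come straight from the PE optional header: NX and ASLR are the IMAGE_DLLCHARACTERISTICS_NX_COMPAT and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bits, and Authenticode presence is a non-empty security data directory. The following is an added example, not BLint's code, that recomputes those findings with the standard library so they can be checked without installing the tool; the header builder at the bottom is a constructed fixture for testing the parser, not a loadable executable. CHECK_TRUST_INFO lives in the manifest resource rather than the header and is out of scope here.

```python
"""Recompute the CHECK_AUTHENTICODE / CHECK_NX / CHECK_PIE findings from the PE
optional header (added example; not BLint's code). Offsets follow the PE/COFF
specification and are the same for PE32 and PE32+ up to DllCharacteristics."""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be relocated at load: ASLR, BLint's "PIE"
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image is DEP-compatible
IMAGE_DIRECTORY_ENTRY_SECURITY = 4               # Authenticode certificate table


def pe_hardening(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip signature and 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        fmt, dirs = "PE32", opt + 96              # data directories follow the fixed fields
    elif magic == 0x20B:
        fmt, dirs = "PE32+", opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    cert_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "format": fmt,
        "dll_characteristics": dll_chars,
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "authenticode": cert_size != 0,           # a table is present; this does not validate it
    }


def findings(report: dict) -> list:
    """Map the report onto the BLint finding IDs and severities shown on this page."""
    out = []
    if not report["authenticode"]:
        out.append(("CHECK_AUTHENTICODE", "high"))
    if not report["nx"]:
        out.append(("CHECK_NX", "critical"))
    if not report["aslr"]:
        out.append(("CHECK_PIE", "high"))
    return out


def build_minimal_pe32(dll_characteristics: int, cert_size: int = 0) -> bytes:
    """Constructed header-only PE32 image for exercising the parser (not loadable)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x4000 if cert_size else 0, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe32(0)
    report = pe_hardening(blob)
    print(report)
    for check, severity in findings(report):
        print(f"{check:<20} {severity}")
```

Run it against the downloaded sample to reproduce the three header findings. Two caveats when reading the result: the missing bits are expected for a Delphi 7 binary, whose linker predates both flags, so they say nothing about intent; and the runtime effect differs, since a 32-bit image without NX_COMPAT only gets DEP if the system policy is AlwaysOn, while an image without DYNAMIC_BASE is loaded at its preferred base unless mandatory ASLR is forced and the image carries relocations.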

Comments