MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f72c5446e5468463ddd5abaed5b82df3b5e58ef31280ae4a77ad53925c75f0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	9f72c5446e5468463ddd5abaed5b82df3b5e58ef31280ae4a77ad53925c75f0e
SHA3-384 hash:	4d7810cd0ce642dd4d3894b68993da9ca2e55af5f93936ecedd3546331332602712e6eabe028790bf8bfe40f569f08d8
SHA1 hash:	e0a811afde7f0017ad68aa990a14ed925e2cda49
MD5 hash:	5d8f71181725b8f18d3246a29a1f199c
humanhash:	leopard-venus-charlie-mango
File name:	9f72c5446e5468463ddd5abaed5b82df3b5e58ef31280ae4a77ad53925c75f0e
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	12'652'696 bytes
First seen:	2025-04-23 16:49:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (434 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	393216:yHDJMDrwRGzucM45LYvG+Djw6d69Bn510ckgy:yjJusRTcMM1Ww6d6HnL0rgy
Threatray	2 similar samples on MalwareBazaar
TLSH	T158D633B1F18659F0DCF211B12EA1C5A081946E18666DA1CBB1EF3B6BFB3533161324DB
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter	JAMESWT_WT
Tags:	exe license-khodavand-shop RedLineStealer signed

Code Signing Certificate

Organisation:	c1968d8a-7eae-48d9-bc25-ddc09fca48dd
Issuer:	c1968d8a-7eae-48d9-bc25-ddc09fca48dd
Algorithm:	ecdsa-with-SHA384
Valid from:	2025-03-05T00:58:23Z
Valid to:	2026-03-05T12:58:23Z
Serial number:	fecd8c2a64cc673a
Intelligence:	6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	d82f75e15197f88ee3dfc381f127b37593cfc3af9edccf501dd76b7c99b20746
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

415

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9f72c5446e5468463ddd5abaed5b82df3b5e58ef31280ae4a77ad53925c75f0e

Verdict:

Malicious activity

Analysis date:

2025-04-23 16:50:31 UTC

Tags:

evasion stealer confuser

Link:

https://app.any.run/tasks/4424631a-103a-44ce-8405-8e5bc8522b66

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/3751/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68091b463d067f84839872b8

Tags:

infosteal redline

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Running batch commands

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Reading critical registry keys

Sending an HTTP POST request

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

entropy fingerprint microsoft_visual_cc packed packed packer_detected signed

Link:

https://www.filescan.io/uploads/68091cff212716475fadb8ab/reports/a0060e87-a2df-4ed7-9440-b681af58ed32/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/9f72c5446e5468463ddd5abaed5b82df3b5e58ef31280ae4a77ad53925c75f0e

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cc3ce27e-d3b8-4a1c-96b3-e922660ba432

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1672320

Signature

AI detected suspicious PE digital signature

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

68%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/9f72c5446e5468463ddd5abaed5b82df3b5e58ef31280ae4a77ad53925c75f0e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f72c5446e5468463ddd5abaed5b82df3b5e58ef31280ae4a77ad53925c75f0e/

Threat name:

Win32.Trojan.Malgent

Status:

Malicious

First seen:

2025-04-23 12:23:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t5zmkrdokruempo5lk5o2w4c345v4whpgeuavzfhplktsjohl4ha._file

Verdict:

malicious

Label(s):

unc_loader_001

RedLineStealer

error

RedLineStealer

Result

Malware family:

n/a

Score:

9/10

Tags:

discovery

Link:

https://tria.ge/reports/250423-vcdeyaxmw9/

Behaviour

Runs net.exe

Permission Groups Discovery: Local Groups

System Location Discovery: System Language Discovery

Looks up external IP address via web service

Grants admin privileges

Verdict:

Malicious

Tags:

stealer redline trojan external_ip_lookup

YARA:

MALWARE_Win_RedLine MAL_Malware_Imphash_Mar23_1

Link:

https://app.threat.zone/submission/e95066ce-cba0-4dfe-a8b3-d05250378a64

Unpacked files

SH256 hash:

9f72c5446e5468463ddd5abaed5b82df3b5e58ef31280ae4a77ad53925c75f0e

MD5 hash:

5d8f71181725b8f18d3246a29a1f199c

SHA1 hash:

e0a811afde7f0017ad68aa990a14ed925e2cda49

Link:

https://www.unpac.me/results/7da18a3e-0ec7-4429-8a7b-1ce1e960a478/

SH256 hash:

9d7896b2da06539359e26bcd9c6259ec372019f6a4ab3f94e2c718150fbc28a6

MD5 hash:

270f38b40683df96122dbd3d7fa7ff9b

SHA1 hash:

0b8bcaf6bfdb49946131f4cd1396b87c66412062

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

RedLine_Campaign_June2021

INDICATOR_EXE_Packed_ConfuserEx

INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb

Link:

https://www.unpac.me/results/7da18a3e-0ec7-4429-8a7b-1ce1e960a478/

SH256 hash:

0ed157aa833907b8a21407d3a6d6f4d9c5f8691d0b07eea1bfa20fb9064b91c7

MD5 hash:

621a6f81382998d921058c7bc4d016ec

SHA1 hash:

1bef17f50b689c8696c2310f5eeccd0bfb7c9abc

Detections:

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Link:

https://www.unpac.me/results/7da18a3e-0ec7-4429-8a7b-1ce1e960a478/

SH256 hash:

c6aa3295974c2b42f983b3f6e76797a77e40fc67e53c210cea2ab1a1936a33fb

MD5 hash:

212e02e38aa5128f5bef12bd0eb0de47

SHA1 hash:

5a1aaab8aebc618f0dbd2e417b1864418a98d039

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

INDICATOR_EXE_Packed_ConfuserEx

INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb

Link:

https://www.unpac.me/results/7da18a3e-0ec7-4429-8a7b-1ce1e960a478/

SH256 hash:

1b96081a3203e01fbac5c8fd8b88ad1840f48e8b5faf7c97c000948aad06a4d7

MD5 hash:

9aa417f2212865e418c696d84fc66101

SHA1 hash:

722b8ab049eaf2b3d1da0cef79feeb048a2357bb

Link:

https://www.unpac.me/results/7da18a3e-0ec7-4429-8a7b-1ce1e960a478/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9f72c5446e54/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9f72c5446e5468463ddd5abaed5b82df3b5e58ef31280ae4a77ad53925c75f0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/3751/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample