MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a651e5d14de7d8c4c4d98bd6c57ee765cc446ded3ccc1c302bc51914e26fd8aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a651e5d14de7d8c4c4d98bd6c57ee765cc446ded3ccc1c302bc51914e26fd8aa
SHA3-384 hash: 55e631f0613b1ddb464fba996239f556bcc1551c7374a9977938a717dca18efea1e5d5d381467dc9632adf98fe27de4c
SHA1 hash: 08fb600e7c5e58aedeeac2cfef2ca76e096ff2fc
MD5 hash: 12aaeaa62796bbc6a5e85690fc79eff6
humanhash: lake-lima-steak-burger
File name:OrderDocuments518024.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'400'832 bytes
First seen:2025-08-19 21:45:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:kVsRIveycAbY8tBbHK5zNHvZpVw27/infatAQ6Bcln24VMqsEH3K3:1eVO8tBgd2at/Zln+wK
Threatray 303 similar samples on MalwareBazaar
TLSH T190552247F98B93A2C2044B36D5AF05011760E782B783F21EF58E136A35CBBF9C68556B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
107.172.132.35:1912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
107.172.132.35:1912 https://threatfox.abuse.ch/ioc/1571095/

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
OrderDocuments518024.exe
Verdict:
Malicious activity
Analysis date:
2025-08-19 21:45:42 UTC
Tags:
auto-startup stealer redline metastealer netreactor
Link:
https://app.any.run/tasks/4b302897-ceb9-46e3-8b16-09ad4c1b3233

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22330/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a4f08d8fd55a79c5294c38
Tags:
redline autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Creating a window
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
net_reactor obfuscated obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68a4f085419c816a6e8c9bbd/reports/4bdd4f52-4e55-410f-b0f9-a7bb17a6c8a6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a651e5d14de7d8c4c4d98bd6c57ee765cc446ded3ccc1c302bc51914e26fd8aa
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a03c1e9d-ee50-4aef-893b-60cf253d8f16
Result
Threat name:
PureLog Stealer, RedLine, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1760594
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1760594 Sample: OrderDocuments518024.exe Startdate: 19/08/2025 Architecture: WINDOWS Score: 100 28 Suricata IDS alerts for network traffic 2->28 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 13 other signatures 2->34 7 OrderDocuments518024.exe 5 2->7         started        11 wscript.exe 1 2->11         started        process3 file4 22 C:\Users\user\AppData\Roaming\Id.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\Roaming\...\Id.vbs, ASCII 7->24 dropped 42 Found many strings related to Crypto-Wallets (likely being stolen) 7->42 44 Drops VBS files to the startup folder 7->44 46 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->46 13 InstallUtil.exe 10 4 7->13         started        48 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->48 17 Id.exe 2 11->17         started        signatures5 process6 dnsIp7 26 107.172.132.35, 1912, 49691, 49692 AS-COLOCROSSINGUS United States 13->26 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->50 52 Found many strings related to Crypto-Wallets (likely being stolen) 13->52 54 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->54 56 Tries to steal Crypto Currency Wallets 13->56 58 Multi AV Scanner detection for dropped file 17->58 19 InstallUtil.exe 10 2 17->19         started        signatures8 process9 signatures10 36 Found many strings related to Crypto-Wallets (likely being stolen) 19->36 38 Tries to harvest and steal browser information (history, passwords, etc) 19->38 40 Tries to steal Crypto Currency Wallets 19->40
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a651e5d14de7d8c4c4d98bd6c57ee765cc446ded3ccc1c302bc51914e26fd8aa
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a651e5d14de7d8c4c4d98bd6c57ee765cc446ded3ccc1c302bc51914e26fd8aa/
Verdict:
Malicious
Threat:
Family.REDLINE
Link:
https://tip.neiki.dev/file/a651e5d14de7d8c4c4d98bd6c57ee765cc446ded3ccc1c302bc51914e26fd8aa
Threat name:
ByteCode-MSIL.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-08-19 21:32:41 UTC
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzi6lukn47mmjrgzrplmk7xhmxgei3pnhtgbymblyumrjytp3cva._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
0ad0cd40db5e148d8577e7405007c89d2036e81d6fb7401f77ac9def45db097c
RedLineStealer
41700fe0e7369606d4c4739998f3eab0b911c42261b36152424b3907b755e567
RedLineStealer
49dc8828403fab25387e57ef50ea2e5b92a61a54fbdaeec924a368ee4f35a60c
RedLineStealer
4bc434a4fc47e4e3e5345d0a8180dd9ea36272ade2901a6865415acf75f43228
RedLineStealer
8e13758a85fedcb0d0251395c4106c8e9cdf5503cfe47468e39767320c0acdec
RedLineStealer
d9745c3c74bdc3e3a192add8bae6a88bac3b6bfe8da02c4b0bc0df05d8a76870
RedLineStealer
e1a0ab5cadb0af718230bb8f907c649a313f1ff7bcbed6745c678811ce8a4465
RedLineStealer
error
RedLineStealer
+ 293 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware
Link:
https://tria.ge/reports/250819-1mct2sgp7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops startup file
RedLine
RedLine payload
Redline family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/74d879eb-01b2-4e15-b2ce-921c980b89bd
Unpacked files
SH256 hash:
a651e5d14de7d8c4c4d98bd6c57ee765cc446ded3ccc1c302bc51914e26fd8aa
MD5 hash:
12aaeaa62796bbc6a5e85690fc79eff6
SHA1 hash:
08fb600e7c5e58aedeeac2cfef2ca76e096ff2fc
Link:
https://www.unpac.me/results/2d438e76-2c4d-4e0f-857a-86fce7feae28/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a651e5d14de7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a651e5d14de7d8c4c4d98bd6c57ee765cc446ded3ccc1c302bc51914e26fd8aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:MALWARE_Win_MetaStealer
Create hunting rule
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RedLine_Stealer_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Detecting unpacked Redline
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_efdb9e81
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Create hunting rule
Author:Elastic Security
Rule name:win_redline_stealer_generic
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/22330/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments