MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885
SHA3-384 hash: afb5201b8e2ef90529150898c26b9a915e864bcffc9d0c495100ddee0e75c0220b808edf5bca2cb9ff444888b5e67110
SHA1 hash: d636cd516174fbabf403d21c5ca55597f124caa6
MD5 hash: c82a837475376cd2dad0afb7520a5aa4
humanhash: football-bacon-snake-maine
File name:SAMPLE CATALOGS AND DRAWING.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:570'880 bytes
First seen:2025-09-24 07:35:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:RjN9IFsYeQKMp11ZIT5jp5s5+clDZR5EgWd0RoypMrXT/:RD0sYdzIjaEcdZR5ERdiBQT
Threatray 252 similar samples on MalwareBazaar
TLSH T183C4F18427EEEA03C0A66BF40971F37513B8AE58E511D7078EFA7CDB78247402D552AB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter GDHJDSYDH1
Tags:exe infostealer Redline RedLineStealer SectopRAT stealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.222.58.54:55615 https://threatfox.abuse.ch/ioc/1599443/

Intelligence

File Origin
# of uploads :
1
# of downloads :
551
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SAMPLECATALOGSANDDRAWING.exe
Verdict:
Malicious activity
Analysis date:
2025-09-24 07:30:08 UTC
Tags:
auto-sch-xml stealer redline
Link:
https://app.any.run/tasks/9cf5d4a2-93e4-4ea4-9308-a897666ccf1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28760/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d53e59cc9425144151ccd2
Tags:
spawn shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Connection attempt
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin msbuild obfuscated packed packed reconnaissance redline redline regsvcs rezer0 roboski schtasks stealer stego vbc windows
Link:
https://www.filescan.io/uploads/68d39f88c24f53840f3020d0/reports/33feab37-fe17-4dd1-956c-8d2e5a124f37/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-24T04:23:00Z UTC
Last seen:
2025-09-24T04:23:00Z UTC
Hits:
~100
Detections:
Trojan-Spy.Stealer.TCP.C&C Trojan-Spy.Stealer.HTTP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Reline.c VHO:Trojan-Spy.MSIL.Noon.gen Trojan.MSIL.Taskun.sb Backdoor.Agent.TCP.C&C Trojan-PSW.MSIL.Reline.sb Trojan-PSW.MSIL.Reline.b Trojan.MSIL.Inject.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Stealer.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb Backdoor.Agent.HTTP.C&C Trojan-PSW.Win32.Coins.sb HEUR:Trojan.MSIL.Taskun.sb Exploit.CVE-2017-11882.TCP.C&C HEUR:Trojan-Spy.MSIL.Noon.gen
Link:
https://opentip.kaspersky.com/ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a625ef6-9d08-4cfd-a02a-70f84db209bd
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.45 Win 32 Exe x86
Link:
https://app.malva.re/file/c82a837475376cd2dad0afb7520a5aa4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885/
Verdict:
Malicious
Threat:
Family.REDLINE
Link:
https://tip.neiki.dev/file/ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2025-09-24 07:30:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vobmim5uuxtwhxrue4uvmv3cs6apuikx6dnzs5ogio5emefv3ccq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
redlinestealer
Create hunting rule
Similar samples:
7bed0eed3f423b22cecbfdd23aad0ca8c3b0e8fb5ff0c0402e19e0273f7c27d3
RedLineStealer
9d3f9a29fa2c2a648c653effbc1988600435f6482ef8ffbf7cd15c1f33f2bd2e
RedLineStealer
ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885
RedLineStealer
bbd64c624d3ee6df910c2704ab3040d756550476cb446aaa6147cc4914f89ebe
RedLineStealer
e3273b6eedc619441ed6e085b797d9a016a35bf90b0dac930fa9e6478769d67a
RedLineStealer
error
RedLineStealer
+ 242 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:cheat discovery execution infostealer persistence rat trojan
Link:
https://tria.ge/reports/250924-jfj64sej7x/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Malware Config
C2 Extraction:
185.222.58.54:55615
Verdict:
Malicious
Tags:
Redline
YARA:
n/a
Link:
https://app.threat.zone/submission/96daff19-f72d-40f0-b6da-13f796e903f1
Unpacked files
SH256 hash:
ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885
MD5 hash:
c82a837475376cd2dad0afb7520a5aa4
SHA1 hash:
d636cd516174fbabf403d21c5ca55597f124caa6
Link:
https://www.unpac.me/results/621c0942-16fd-4b28-90fc-c3b25730510d/
SH256 hash:
889ec14703f1c17652244d66c857df1da8848da497651ba2d3308488b292a1a5
MD5 hash:
d5cde7b39c93212e3faa702e349c5e3f
SHA1 hash:
08f98762af837078675bbf6b2c540761b9dda162
Link:
https://www.unpac.me/results/621c0942-16fd-4b28-90fc-c3b25730510d/
SH256 hash:
ce080849e4a662e0b4bd421e54120e361ef4bc530cd2704fe24eb1d86cfcf7ce
MD5 hash:
2d2f34533ba2a6b6675554979c4f229d
SHA1 hash:
17310337fd0b52bc0630d10b5cd8aae298799bcd
Detections:
RedLine_a
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/621c0942-16fd-4b28-90fc-c3b25730510d/
SH256 hash:
c9a2cfbf62e47f5d8a61b253b83736fdd77f4a5292ec8a148a60ca04329dda3f
MD5 hash:
62fc8cf8a7d064b3abfb8e151d0d3fac
SHA1 hash:
c693302685fb860dc7cf2c0a1b4f8cb01b952310
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/621c0942-16fd-4b28-90fc-c3b25730510d/
Malware family:
ArechClient2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab82c433b4a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885

(this sample)

anyrun
any.run
https://app.any.run/tasks/9cf5d4a2-93e4-4ea4-9308-a897666ccf1f
  
Link
https://tria.ge/250924-jbt6hst1ay/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/28760/

Comments