MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf28889ee68a22a628a446f1ee8a57949d24fe51b790fc4553b7cefa0657a50a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf28889ee68a22a628a446f1ee8a57949d24fe51b790fc4553b7cefa0657a50a
SHA3-384 hash: 770aff61d55c4b8e4ea3fdc4fee2abfa833bb279924eb9911e59ab8c5ec068fae80ebbdf417cbe39b9715892d6bce02c
SHA1 hash: a2ac83a44a22f3fe337449ba13c071b23f51e185
MD5 hash: cea6b59fb47d5f49f948b8c277844db7
humanhash: jersey-nineteen-mexico-cup
File name:New I-Con PO PO0704059-2.vbe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:42'314 bytes
First seen:2025-10-09 11:55:14 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 384:6ELQgoOjlaACq7XCqI4LNkxZq2VWJpk8z4FbusSwiNRkQwWtVC/92I6PX+/F1++:fqO5CwXCehkbkd45SwekdWtVC9x6PZ+
Threatray 2'691 similar samples on MalwareBazaar
TLSH T1BB138732B16C46EB2FA3E49180854524EEA9034D02F452F1F455A9F909ADEEEDCF43BD
Magika vba
Reporter abuse_ch
Tags:RedLineStealer vbe


Avatar
abuse_ch
RedLineStealer C2:
103.237.86.27:1912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.237.86.27:1912 https://threatfox.abuse.ch/ioc/1610047/

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e7a2ca7f305fa2545dedd3
Tags:
virus spawn crypt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/68e7a2c8f377ab2310551104/reports/aaceb0f8-47bf-44d1-bb21-834db4a05456/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/bf28889ee68a22a628a446f1ee8a57949d24fe51b790fc4553b7cefa0657a50a
Verdict:
Malicious
File Type:
vbs
First seen:
2025-10-09T08:46:00Z UTC
Last seen:
2025-10-11T10:19:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-Downloader.Script.Generic Trojan-Dropper.Win32.Injector.sb Trojan-PSW.MSIL.Reline.sb Trojan.Win32.InjectorNetT.s Trojan.Win32.Agent.sb Trojan.MSIL.Dnoper.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic Backdoor.Win32.Androm PDM:Trojan.Win32.Generic Trojan-Downloader.Agent.HTTP.C&C
Link:
https://opentip.kaspersky.com/bf28889ee68a22a628a446f1ee8a57949d24fe51b790fc4553b7cefa0657a50a/results?tab=lookup
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1792076
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell decode and execute
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1792076 Sample: New I-Con PO PO0704059-2.vbe Startdate: 09/10/2025 Architecture: WINDOWS Score: 100 50 mzgold.ir 2->50 64 Suricata IDS alerts for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 10 other signatures 2->70 8 wscript.exe 1 18 2->8         started        13 powershell.exe 2->13         started        15 powershell.exe 19 2->15         started        17 svchost.exe 1 1 2->17         started        signatures3 process4 dnsIp5 52 mzgold.ir 217.144.107.148, 49684, 80 NETMIHANIR Iran (ISLAMIC Republic Of) 8->52 42 C:\Users\user\AppData\...\system_update.ps1, ASCII 8->42 dropped 44 C:\Users\user\AppData\...\PO-51202509[1].ps1, ASCII 8->44 dropped 46 C:\Temp\FDo1BCjs.ps1, ASCII 8->46 dropped 82 System process connects to network (likely due to code injection or exploit) 8->82 84 Suspicious powershell command line found 8->84 86 Wscript starts Powershell (via cmd or directly) 8->86 92 4 other signatures 8->92 19 powershell.exe 16 8->19         started        88 Writes to foreign memory regions 13->88 90 Injects a PE file into a foreign processes 13->90 22 aspnet_compiler.exe 13->22         started        24 aspnet_compiler.exe 13->24         started        26 conhost.exe 13->26         started        30 5 other processes 13->30 28 conhost.exe 15->28         started        54 127.0.0.1 unknown unknown 17->54 file6 signatures7 process8 signatures9 72 Writes to foreign memory regions 19->72 74 Found suspicious powershell code related to unpacking or dynamic code loading 19->74 76 Injects a PE file into a foreign processes 19->76 32 aspnet_compiler.exe 10 4 19->32         started        36 aspnet_compiler.exe 19->36         started        38 aspnet_compiler.exe 19->38         started        40 12 other processes 19->40 78 Tries to harvest and steal browser information (history, passwords, etc) 22->78 80 Tries to steal Crypto Currency Wallets 22->80 process10 dnsIp11 48 103.237.86.27, 1912, 49687, 49692 BGNR-AP2BainandCompanySG unknown 32->48 56 Found many strings related to Crypto-Wallets (likely being stolen) 32->56 58 Tries to steal Crypto Currency Wallets 32->58 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->60 62 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->62 signatures12
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/bf28889ee68a22a628a446f1ee8a57949d24fe51b790fc4553b7cefa0657a50a
Verdict:
Malware
YARA:
1 match(es)
Tags:
Microsoft.XMLDOM VBScript
Link:
https://app.malva.re/file/cea6b59fb47d5f49f948b8c277844db7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf28889ee68a22a628a446f1ee8a57949d24fe51b790fc4553b7cefa0657a50a/
Verdict:
Malicious
Threat:
Family.REDLINE
Link:
https://tip.neiki.dev/file/bf28889ee68a22a628a446f1ee8a57949d24fe51b790fc4553b7cefa0657a50a
Threat name:
Script-WScript.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-10-09 11:55:54 UTC
File Type:
Text (VBS)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x4uirhxgrirkmkfei3y65csxssosj7srw6ipyrktw7hpubsxuufa._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
Similar samples:
4107b7ac2f19c4a6d314b2ffd4410735c23ea65152fd999461d3dc5c4fb95186
RedLineStealer
6aefcac9b610a002e37fa3be97de13fdb2dda4b9d1ccda8434cd8994e46d297f
RedLineStealer
90b2c49178e516b845b67bd50549c2df11b3da8ba5fac86843db6f96c4d14385
RedLineStealer
d5bc325e667d561e33105971e625cc3d931ced9c2cd5cc28a879cd45fd8f7ce5
RedLineStealer
error
RedLineStealer
+ 2'681 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:pr-vip defense_evasion discovery execution infostealer persistence spyware
Link:
https://tria.ge/reports/251009-n3vzcasvgz/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Hide Artifacts: Hidden Window
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
103.237.86.27:1912
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bf28889ee68a22a628a446f1ee8a57949d24fe51b790fc4553b7cefa0657a50a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:GenericRedLineLike
Create hunting rule
Author:Still
Description:Matches RedLine-like stealer; may match its variants.
Rule name:MALWARE_Win_MetaStealer
Create hunting rule
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:OBFUS_PowerShell_Common_Replace
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the common usage of replace for obfuscation
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:RedLine_Stealer_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Detecting unpacked Redline
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Generic_Threat_efdb9e81
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Generic_40899c85
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Create hunting rule
Author:Elastic Security
Rule name:win_redline_stealer_generic
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments