MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c602e1843d1882bf23f11e83b1372c8779632127571d192f4427f0c02bbe2391. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 35 File information Comments

SHA256 hash:	c602e1843d1882bf23f11e83b1372c8779632127571d192f4427f0c02bbe2391
SHA3-384 hash:	94748452abdd67d3bbf84750d2e9652a961b07fb9e2c5fcb8a48b13c44a99be4fe82f14c7fd94dc088c00d4680a1daa7
SHA1 hash:	9f6ea53eb11e5eea80c10327698b1bd19cfc2b41
MD5 hash:	4eb026640a3616515303bcd7b273aa23
humanhash:	river-illinois-hydrogen-lactose
File name:	Invoice002372.zip
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	498'683 bytes
First seen:	2025-04-22 07:49:16 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:hPslcfd6FA/XT4ZdmoUGhzIo9XQC812M/qdkiMbPPoLL:Fslcfd6m/T4ZRhfY12M/P9bX8L
TLSH	T1CEB42314594A04A6CA041683C7F7818897BBD9EF39E632E96F2893EFE1D05B5DCC2D70
Magika	zip
Reporter	cocaman
Tags:	RedLineStealer zip

Intelligence

File Origin

# of uploads :

# of downloads :

700

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Invoice002372.scr
File size:	668'672 bytes
SHA256 hash:	ffe5dca9d94344ba35262a0eeccb6944b96375c0328b958796f8613149f147a4
MD5 hash:	48d59f54c70f9ebc2940436caee5cf36
MIME type:	application/x-dosexec
Signature	RedLineStealer

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.6487.8116.UNOFFICIAL

Sanesecurity.Malware.23380.ZipHeur.UNOFFICIAL

Sanesecurity.Malware.23382.ZipHeur.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68074bcd280f5f89a0d32e72

Tags:

infosteal redline

Result

Verdict:

Unknown

File Type:

ZIP File

Link:

https://app.docguard.net/c602e1843d1882bf23f11e83b1372c8779632127571d192f4427f0c02bbe2391/results/dashboard

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/c602e1843d1882bf23f11e83b1372c8779632127571d192f4427f0c02bbe2391

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/c602e1843d1882bf23f11e83b1372c8779632127571d192f4427f0c02bbe2391

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

100%

Verdict:

Malware

File Type:

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:redline family:sectoprat botnet:cheat discovery execution infostealer rat spyware stealer trojan

Link:

https://tria.ge/reports/250422-lt767s11dy/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Malware Config

C2 Extraction:

207.244.76.146:29739

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c602e1843d1882bf23f11e83b1372c8779632127571d192f4427f0c02bbe2391

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	Mal_InfoStealer_Win32_RedLine_Unobfuscated_2021 Create hunting rule
Author:	BlackBerry Threat Research Team
Description:	Detects Unobfuscated RedLine Infostealer Executables (.NET)

Rule name:	MAL_RANSOM_COVID19_Apr20_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects ransomware distributed in COVID-19 theme
Reference:	https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/

Rule name:	MAL_RANSOM_COVID19_Apr20_1_RID2ECC Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware distributed in COVID-19 theme
Reference:	https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Redline32 Create hunting rule
Author:	Muffin
Description:	This rule detects Redline Stealer

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win32_dotnet_form_obfuscate Create hunting rule
Author:	Reedus0
Description:	Rule for detecting .NET form obfuscate malware

Rule name:	win32_redline_stealer Create hunting rule
Author:	Reedus0
Description:	Rule for detecting RedLine Stealer malware

Rule name:	Windows_Trojan_Generic_40899c85 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_15ee6903 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_4df4bcb6 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_6dfafd7b Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_f07b3cb4 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_f54632eb Create hunting rule
Author:	Elastic Security

Rule name:	win_redline_stealer_generic Create hunting rule
Author:	dubfib

Rule name:	win_stealer_generic Create hunting rule
Author:	Reedus0
Description:	Rule for detecting generic stealer malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

RedLineStealer

zip c602e1843d1882bf23f11e83b1372c8779632127571d192f4427f0c02bbe2391

(this sample)

RedLineStealer

exe ffe5dca9d94344ba35262a0eeccb6944b96375c0328b958796f8613149f147a4

Delivery method

Other

Dropping

SHA256 ffe5dca9d94344ba35262a0eeccb6944b96375c0328b958796f8613149f147a4

Dropping

MD5 48d59f54c70f9ebc2940436caee5cf36

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample