MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d19416ff1ea0af998b28a142de875a39a03d531b73988600c6f1e60fa22fc26d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d19416ff1ea0af998b28a142de875a39a03d531b73988600c6f1e60fa22fc26d
SHA3-384 hash: 420f81ae0e3854ce9f8963d39a1aedf2d15b181b2218cd10699fb38cb94b7398483e9207c1821ecd16904c33862eb903
SHA1 hash: 70bfa32e81b7addf203bad85c966a60ccea3d642
MD5 hash: 52303973d0a03da08e58283770a5663c
humanhash: ceiling-lion-red-yankee
File name:bot.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:74'240 bytes
First seen:2025-08-11 09:29:28 UTC
Last seen:2025-08-14 15:17:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 954d37274380aae6eac13dd9647ee409 (1 x RedLineStealer)
ssdeep 1536:YAkxArUjMUEADWcQZsr+ADhQNXxZYt57KMtDKKua1syQsmcKQE:Y1mUjAir+ADSNX/MKMteKSyXmcXE
TLSH T1FE73BE8E23F405E5D9BBA6B9C5656B1BD2F1744AA4A4971F07B0CC811F33273A22DB13
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
65
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bot.exe
Verdict:
Malicious activity
Analysis date:
2025-08-11 09:34:07 UTC
Tags:
auto-sch clipper diamotrix
Link:
https://app.any.run/tasks/abda19eb-a4ef-496a-93f6-593ba88dd777

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/20117/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6899b867fca70bd90e8e1144
Tags:
redline autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer lolbin obfuscated packed packed packer_detected schtasks
Link:
https://www.filescan.io/uploads/6899b92f9ef4d2ff7cf5d458/reports/623ee8fc-b9ba-4b60-84d1-3c08f974e283/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/d19416ff1ea0af998b28a142de875a39a03d531b73988600c6f1e60fa22fc26d
Malware family:
Gapz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4e4f4fe-7091-46c6-a9ae-65193502b510
Result
Threat name:
Diamotrix Clipper, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1754450
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Diamotrix Clipper
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1754450 Sample: bot.exe Startdate: 11/08/2025 Architecture: WINDOWS Score: 100 127 Suricata IDS alerts for network traffic 2->127 129 Found malware configuration 2->129 131 Malicious sample detected (through community Yara rule) 2->131 133 8 other signatures 2->133 9 bot.exe 1 1 2->9         started        13 ebecabcdbbbdc.exe 2->13         started        15 ebecabcdbbbdc.exe 2->15         started        17 ebecabcdbbbdc.exe 2->17         started        process3 file4 85 C:\ProgramData\ebecabcdbbbdc.exe, PE32+ 9->85 dropped 141 Found evasive API chain (may stop execution after checking mutex) 9->141 143 Injects code into the Windows Explorer (explorer.exe) 9->143 145 Uses schtasks.exe or at.exe to add and modify task schedules 9->145 149 4 other signatures 9->149 19 explorer.exe 35 17 9->19 injected 24 schtasks.exe 1 9->24         started        147 Multi AV Scanner detection for dropped file 13->147 26 schtasks.exe 1 13->26         started        28 schtasks.exe 1 15->28         started        signatures5 process6 dnsIp7 105 77.90.153.62, 49691, 49693, 49696 RAPIDNET-DEHaunstetterStr19DE Germany 19->105 107 176.46.152.46, 1911, 49692, 49695 ESTPAKEE Iran (ISLAMIC Republic Of) 19->107 109 176.46.152.47, 49694, 49706, 49709 ESTPAKEE Iran (ISLAMIC Republic Of) 19->109 77 C:\Users\user\AppData\Local\...95C.tmp.exe, PE32+ 19->77 dropped 79 C:\Users\user\AppData\Local\...\D777.tmp.exe, PE32 19->79 dropped 81 C:\Users\user\AppData\Local\...\C35E.tmp.exe, PE32+ 19->81 dropped 83 7 other malicious files 19->83 dropped 135 System process connects to network (likely due to code injection or exploit) 19->135 137 Benign windows process drops PE files 19->137 139 Found evasive API chain (may stop execution after checking mutex) 19->139 30 E95C.tmp.exe 19->30         started        34 9D50.tmp.exe 23 19->34         started        36 C35E.tmp.exe 1 2 19->36         started        44 2 other processes 19->44 38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        file8 signatures9 process10 file11 87 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 30->87 dropped 89 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 30->89 dropped 91 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 30->91 dropped 101 47 other malicious files 30->101 dropped 155 Multi AV Scanner detection for dropped file 30->155 46 E95C.tmp.exe 30->46         started        93 C:\Users\user\AppData\Local\Temp\DfIl5.exe, PE32+ 34->93 dropped 95 C:\Users\user\AppData\Local\Temp\DfIl4.exe, PE32+ 34->95 dropped 103 8 other malicious files 34->103 dropped 48 DfIl4.exe 34->48         started        52 DfIl2.exe 34->52         started        54 DfIl1.exe 34->54         started        56 DfIl3.exe 34->56         started        97 C:\ProgramData\systemdrv.exe, PE32+ 36->97 dropped 157 Antivirus detection for dropped file 36->157 159 Found evasive API chain (may stop execution after checking mutex) 36->159 161 Creates multiple autostart registry keys 36->161 163 Contains functionality to inject code into remote processes 36->163 58 systemdrv.exe 36->58         started        99 C:\ProgramData\owvqg.exe, PE32+ 44->99 dropped 165 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->165 167 Tries to harvest and steal browser information (history, passwords, etc) 44->167 169 Found direct / indirect Syscall (likely to bypass EDR) 44->169 60 owvqg.exe 44->60         started        signatures12 process13 file14 65 C:\...\api-ms-win-core-rtlsupport-l1-1-0.dll, PE32+ 48->65 dropped 67 C:\...\api-ms-win-core-profile-l1-1-0.dll, PE32+ 48->67 dropped 69 api-ms-win-core-pr...sthreads-l1-1-1.dll, PE32+ 48->69 dropped 75 22 other malicious files 48->75 dropped 111 Multi AV Scanner detection for dropped file 48->111 113 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->113 115 Tries to harvest and steal browser information (history, passwords, etc) 52->115 71 C:\ProgramData\dll_2B7DDEA9.dll, PE32+ 58->71 dropped 117 Antivirus detection for dropped file 58->117 119 Found evasive API chain (may stop execution after checking mutex) 58->119 121 Injects code into the Windows Explorer (explorer.exe) 58->121 125 3 other signatures 58->125 73 C:\ProgramData\atzsd.exe, PE32+ 60->73 dropped 123 Found direct / indirect Syscall (likely to bypass EDR) 60->123 62 atzsd.exe 60->62         started        signatures15 process16 signatures17 151 Multi AV Scanner detection for dropped file 62->151 153 Found evasive API chain (may stop execution after checking mutex) 62->153
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d19416ff1ea0af998b28a142de875a39a03d531b73988600c6f1e60fa22fc26d
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/52303973d0a03da08e58283770a5663c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d19416ff1ea0af998b28a142de875a39a03d531b73988600c6f1e60fa22fc26d/
Verdict:
Malicious
Threat:
VHO:Trojan.Win32.Tasker
Link:
https://tip.neiki.dev/file/d19416ff1ea0af998b28a142de875a39a03d531b73988600c6f1e60fa22fc26d
Threat name:
Win64.Trojan.PowerLoader
Create hunting rule
Status:
Malicious
First seen:
2025-08-10 19:39:00 UTC
File Type:
PE+ (Exe)
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gkbn7y6ucxztcziufbn5b22hgqd2uy3oomimagg6hta7irpyjwq._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:jajaja discovery execution infostealer persistence spyware stealer
Link:
https://tria.ge/reports/250811-ljz3vatvaw/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
176.46.152.46:1911
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/58954749-61a8-44b2-9f78-96be915d12c8
Unpacked files
SH256 hash:
d19416ff1ea0af998b28a142de875a39a03d531b73988600c6f1e60fa22fc26d
MD5 hash:
52303973d0a03da08e58283770a5663c
SHA1 hash:
70bfa32e81b7addf203bad85c966a60ccea3d642
Link:
https://www.unpac.me/results/c47b9094-2401-4916-8bbf-95c8df72ef42/
Malware family:
RedLine.F
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d19416ff1ea0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d19416ff1ea0af998b28a142de875a39a03d531b73988600c6f1e60fa22fc26d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d19416ff1ea0af998b28a142de875a39a03d531b73988600c6f1e60fa22fc26d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3593488/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/20117/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::ConvertSidToStringSidA
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::GetSidSubAuthority
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIntdll.dll::NtQueryInformationThread
KERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::GetTempFileNameA
KERNEL32.dll::GetTempPathA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
ADVAPI32.dll::LookupAccountNameA
ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
ADVAPI32.dll::RegSetValueExW

Comments