MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae
SHA3-384 hash: daf6512b434c25310a75e68c001f3b325201ff316b96367171f01c881700de8b3ffe9e3957c6fa84719876b0076d265c
SHA1 hash: 6e44c7dcafb018bd208dded43aaa22687e5f5b4c
MD5 hash: 34bfb454cdaddeb511671af6847d2548
humanhash: nuts-vegan-green-wolfram
File name:QUOTATION-V042_IV-08112025.pif
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:571'904 bytes
First seen:2025-10-30 11:36:24 UTC
Last seen:2025-11-06 11:44:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:7WjJYNZ2QmqqFxo584hNHezmZphfaUc7Zw8/Q2DWSXBSM6zC:EYxmq5D2mZphLc7Zz42DWYSI
Threatray 1'237 similar samples on MalwareBazaar
TLSH T144C412446364C627C9AA57B126F1F1BD03BCAE85B812E35A8FCCBDDB7632F151844263
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
4
# of downloads :
136
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
QUOTATION-V042_IV-08112025.pif
Verdict:
Malicious activity
Analysis date:
2025-10-30 11:39:21 UTC
Tags:
stealer redline lefthook metastealer
Link:
https://app.any.run/tasks/48be26e8-d040-4cb0-a157-58a864305cea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34787/
Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69034dd59942f1282eca7768
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Connection attempt
Sending an HTTP POST request
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-30T05:27:00Z UTC
Last seen:
2025-11-01T08:14:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.MSIL.Reline.c Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Reline.sb Backdoor.Agent.HTTP.C&C PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae/results?tab=lookup
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44d94bb8-14d8-4e3e-a07f-09ac02271bb7
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1805109
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.36 Win 32 Exe x86
Link:
https://app.malva.re/file/34bfb454cdaddeb511671af6847d2548
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae/
Verdict:
Malicious
Threat:
Family.REDLINE
Link:
https://tip.neiki.dev/file/d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2025-10-30 08:42:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ikfc5pmk3ls7f35m4vdealddvijdvco7bayqpexctsqxuyv7sxa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
redlinestealer
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
144db9817dfd0a6e61cf7dd18c34c862be3e98fda4e7bf18f230149703575e3b
RedLineStealer
593ce4cdc76392a894b3cb77beec4352b0be6dc06b4f86b9a7352d57041c1b4e
RedLineStealer
7bed0eed3f423b22cecbfdd23aad0ca8c3b0e8fb5ff0c0402e19e0273f7c27d3
RedLineStealer
d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae
RedLineStealer
error
RedLineStealer
+ 1'227 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:chung li discovery infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/251030-nqzrrszld1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Malware Config
C2 Extraction:
161.35.177.165:55123
Unpacked files
SH256 hash:
d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae
MD5 hash:
34bfb454cdaddeb511671af6847d2548
SHA1 hash:
6e44c7dcafb018bd208dded43aaa22687e5f5b4c
Link:
https://www.unpac.me/results/5eff43a5-52d1-4387-aedc-5bcfd19e8a06/
SH256 hash:
0aaa631f69722ba1d56b9ae06a4b02d02c117be9223f4f17a65c4264e12c2288
MD5 hash:
c3799aa7b30b444203251246018fdd5b
SHA1 hash:
2330c2e7959bd47912049651d69c09cb87dcf0cb
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5eff43a5-52d1-4387-aedc-5bcfd19e8a06/
SH256 hash:
01d2a8079ec579b121d3018c0a75dbc830f9c9c2d1965f240636a25b6ed64322
MD5 hash:
b501a2e380f80ddb2fd3e0cffa048430
SHA1 hash:
972fd7b0f48abe0a8cfafc0b0a53ce5a0e0d1b49
Detections:
RedLine_a
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/5eff43a5-52d1-4387-aedc-5bcfd19e8a06/
Parent samples :
144db9817dfd0a6e61cf7dd18c34c862be3e98fda4e7bf18f230149703575e3b
593ce4cdc76392a894b3cb77beec4352b0be6dc06b4f86b9a7352d57041c1b4e
d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae
SH256 hash:
81c878e71a82aa8f4175648d188a1f75acf99cd0b02ef0f48e814fb4f44f0fc0
MD5 hash:
2c401550efe4777b67fa67fb7cecdfbc
SHA1 hash:
e5515434b9685499ad38499f4b59ed8c017b88b4
Link:
https://www.unpac.me/results/5eff43a5-52d1-4387-aedc-5bcfd19e8a06/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d2145175ec56/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34787/

Comments