MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2f1ce463633713f8bdd95ac80b55a04ef28da729b768f622aea00fbc45bef0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 17 File information Comments

SHA256 hash:	f2f1ce463633713f8bdd95ac80b55a04ef28da729b768f622aea00fbc45bef0c
SHA3-384 hash:	a19ff61749c2a425571f64f92869067b5e2c06d342d299286798a720d648f29cd07f2ef46155b07e30d05d58fa3c8a64
SHA1 hash:	5d882fd51438b55ad7623d2725d6b275af2c0a93
MD5 hash:	42d4d03e34133e506fc34374b5dd17b7
humanhash:	saturn-alpha-kansas-five
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	382'976 bytes
First seen:	2026-04-10 13:34:56 UTC
Last seen:	2026-04-10 13:37:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	59f37c13d2cae7cc547b602d07aa7033 (3 x RedLineStealer)
ssdeep	3072:KXiZYkCItXCGpSFRSJyE18jSaCTBIJCfCr8OIRachyk2Wh/RgaaJzUxtVmj3qh8l:KHkCItizSJJwYmUU3yacEkMzUD0Fl
TLSH	T1B2843910A6C18BE1C456F6B84EE4D630C7296CC81BA096FE9E7CFF558630DA0DE3059E
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	ba71dcdcc4c471a6 (1 x AveMariaRAT, 1 x Stealc, 1 x RedLineStealer)
Reporter	Bitsight
Tags:	282234 dropped-by-amadey exe RedLineStealer

Bitsight

url: http://62.60.226.159/kk.exe

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

XUpdate

Details

XUpdate

download addresses, a user-agent, a windows shortcut name, and CryptoCurrency addresses

Link:

https://research.acce.ciphertechsolutions.com/results/663bbd6e-ce86-4840-9f92-d8696e130f04/

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-04-10 13:36:17 UTC

Tags:

stealer stealc redline metastealer auto-reg auto-sch anti-evasion auto vidar python delphi inno installer upx

Link:

https://app.any.run/tasks/0dc4a2b8-9ce1-493f-b6fc-887371373d41

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61042/

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69d8fcaf66ab6d001dd0f9d5

Tags:

autorun emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% directory

Searching for synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Sending an HTTP POST request to an infection source

Creating a window

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt to an infection source

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug autorun fingerprint lolbin microsoft_visual_cc update

Link:

https://www.filescan.io/uploads/69d8fca8d920e19044f64783/reports/ab0fb0e1-98c5-49d9-8188-5ecfa447656b/overview

Verdict:

Malicious

Labled as:

Doina.Generic

Link:

https://www.hybrid-analysis.com/sample/f2f1ce463633713f8bdd95ac80b55a04ef28da729b768f622aea00fbc45bef0c

Result

Gathering data

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/f2f1ce463633713f8bdd95ac80b55a04ef28da729b768f622aea00fbc45bef0c/results?tab=lookup

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/338b743c-fd15-4a95-a439-c4ab4affbd55

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f2f1ce463633713f8bdd95ac80b55a04ef28da729b768f622aea00fbc45bef0c

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2f1ce463633713f8bdd95ac80b55a04ef28da729b768f622aea00fbc45bef0c/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/f2f1ce463633713f8bdd95ac80b55a04ef28da729b768f622aea00fbc45bef0c

Threat name:

Win32.Trojan.Doina

Status:

Malicious

First seen:

2026-04-10 13:35:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ly44rrwgnyt7c65swwibnk2atxsrwtstn3i6yrk5iapxrc354ga._file

Verdict:

malicious

Label(s):

redlinestealer

shellcode_loader_008

Similar samples:

error

RedLineStealer

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/260410-qvznnsg151/

Behaviour

System Location Discovery: System Language Discovery

Unpacked files

SH256 hash:

f2f1ce463633713f8bdd95ac80b55a04ef28da729b768f622aea00fbc45bef0c

MD5 hash:

42d4d03e34133e506fc34374b5dd17b7

SHA1 hash:

5d882fd51438b55ad7623d2725d6b275af2c0a93

Link:

https://www.unpac.me/results/fee60e91-fb1d-4695-a76e-c0384db83cc5/

Malware family:

RedLine.F

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f2f1ce463633/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f2f1ce463633713f8bdd95ac80b55a04ef28da729b768f622aea00fbc45bef0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.