MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f683057c07d2f9b8f70120704f4fa8a983c279dc7fe7d91da7bf53aa1243c3d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f683057c07d2f9b8f70120704f4fa8a983c279dc7fe7d91da7bf53aa1243c3d1
SHA3-384 hash: 4c9950d29dc37a46e974c26c9e411a57afb2112b97cde07b3e1409a3834c4695f7c91f0d466921b5a076549f3b092376
SHA1 hash: 28c2b6ad13e9c0edfd908ef0ad045f95e4767bd8
MD5 hash: 5582b94cb4c46cd44eae80dfa81121a8
humanhash: neptune-oregon-red-ohio
File name:PO79152069.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'056'640 bytes
First seen:2025-06-23 22:15:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:1AE2zshqZTAO65D4RttsPUrpX1w3Rr53a/XsaEPmjfnwEOtvA6:GEkcqP6Z4RttpLgd35aEXftY
Threatray 3'835 similar samples on MalwareBazaar
TLSH T114E53340A58AC335CD9DBE3316B752BAA171F00E98710999E247425F9E7C1DB3B3EA0D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
107.172.232.92:1912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
107.172.232.92:1912 https://threatfox.abuse.ch/ioc/1548758/

Intelligence

File Origin
# of uploads :
1
# of downloads :
561
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
PO79152069.exe
Verdict:
Malicious activity
Analysis date:
2025-06-23 22:21:16 UTC
Tags:
stealer metastealer redline auto-startup
Link:
https://app.any.run/tasks/bec2bf01-b711-4df6-9a0c-7b60b11d5301

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10741/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6859d2c0b06783b9ebd6c2c4
Tags:
autorun virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Creating a window
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Malicious
Labled as:
MSIL.Androm.Generic
Link:
https://www.hybrid-analysis.com/sample/f683057c07d2f9b8f70120704f4fa8a983c279dc7fe7d91da7bf53aa1243c3d1
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0dce6e84-f391-4c45-b1ab-bf1c32428bcc
Result
Threat name:
RedLine, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1721327
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1721327 Sample: PO79152069.exe Startdate: 24/06/2025 Architecture: WINDOWS Score: 100 30 Suricata IDS alerts for network traffic 2->30 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 12 other signatures 2->36 7 PO79152069.exe 5 2->7         started        11 wscript.exe 1 2->11         started        process3 file4 22 C:\Users\user\AppData\Roaming\TypeId.exe, PE32 7->22 dropped 24 C:\Users\user\...\TypeId.exe:Zone.Identifier, ASCII 7->24 dropped 26 C:\Users\user\AppData\Roaming\...\TypeId.vbs, ASCII 7->26 dropped 42 Found many strings related to Crypto-Wallets (likely being stolen) 7->42 44 Drops VBS files to the startup folder 7->44 46 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->46 13 InstallUtil.exe 10 4 7->13         started        48 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->48 17 TypeId.exe 2 11->17         started        signatures5 process6 dnsIp7 28 107.172.232.92, 1912, 49682, 49684 AS-COLOCROSSINGUS United States 13->28 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->50 52 Found many strings related to Crypto-Wallets (likely being stolen) 13->52 54 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->54 56 Tries to steal Crypto Currency Wallets 13->56 58 Antivirus detection for dropped file 17->58 60 Multi AV Scanner detection for dropped file 17->60 62 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->62 19 InstallUtil.exe 10 2 17->19         started        signatures8 process9 signatures10 38 Tries to harvest and steal browser information (history, passwords, etc) 19->38 40 Tries to steal Crypto Currency Wallets 19->40
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f683057c07d2f9b8f70120704f4fa8a983c279dc7fe7d91da7bf53aa1243c3d1
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/5582b94cb4c46cd44eae80dfa81121a8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f683057c07d2f9b8f70120704f4fa8a983c279dc7fe7d91da7bf53aa1243c3d1/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-06-23 22:13:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=62bqk7ah2l43r5ybebye6t5ivgb4e6o4p7t5shnhx5j2uesdypiq._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
Similar samples:
167840f5f5ad88007e20720f09445a1d6b4f8e1c2f4e8d9238a0b918c62ed5fb
RedLineStealer
94f46a73df32470400d1fc25336146155321a04c4eec0f40cb8527db702499e3
RedLineStealer
b488b9f29cb8897a1854ca1ec2e943c99ab6724a825bfedf5485f147be6a9387
RedLineStealer
dc6ccef702d63f94fcfe296035d6fd3125a814f94d9fd1d36dbc1f464efb0595
RedLineStealer
e3fe04a6924263fc3b589b9d1d5dab4970a1f3b0de25400090c4e6ad7682c2f0
RedLineStealer
error
RedLineStealer
f683057c07d2f9b8f70120704f4fa8a983c279dc7fe7d91da7bf53aa1243c3d1
RedLineStealer
+ 3'825 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:fip discovery infostealer spyware
Link:
https://tria.ge/reports/250623-18wt2swvfs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops startup file
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
107.172.232.92:1912
Verdict:
Malicious
Tags:
stealer metastealer c2 redline
YARA:
n/a
Link:
https://app.threat.zone/submission/d28c64bb-c404-4a97-a6cf-fafc49939ede
Unpacked files
SH256 hash:
f683057c07d2f9b8f70120704f4fa8a983c279dc7fe7d91da7bf53aa1243c3d1
MD5 hash:
5582b94cb4c46cd44eae80dfa81121a8
SHA1 hash:
28c2b6ad13e9c0edfd908ef0ad045f95e4767bd8
Link:
https://www.unpac.me/results/8ebed194-d96d-4e91-b2da-ff8f99ec68e7/
SH256 hash:
ec368667383414746d42d942fae33c715c1c2d284cf05ea325aa13e4732f6700
MD5 hash:
edbc2965f5fff2bd46a5493127b61448
SHA1 hash:
d79cddd8d986b82d6804ec0d73211be6f9992436
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8ebed194-d96d-4e91-b2da-ff8f99ec68e7/
SH256 hash:
b8cbd79ad6085eafaf8f53542205014d2f234e81f125ea1eec8923b412138335
MD5 hash:
4d7c15d4aa1479ea5275f50f97b4a645
SHA1 hash:
041ef6191880cfa15be71be6648640c0d8664070
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8ebed194-d96d-4e91-b2da-ff8f99ec68e7/
SH256 hash:
feae95c7c80165d1e02b93fa0a9d3d69163e5059560964145d5463791f59ac29
MD5 hash:
3d3e991fd2f1098015efa935782db5c0
SHA1 hash:
0a038c4619cd15c7f448ddf7e33b15d4aad4ea38
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/8ebed194-d96d-4e91-b2da-ff8f99ec68e7/
Parent samples :
f683057c07d2f9b8f70120704f4fa8a983c279dc7fe7d91da7bf53aa1243c3d1
d5216161745892f74669ddebc72e8a0b6cfd9c8ee02b3d94a9c8b713c689a925
5f1076cca448d6b92b864e84ed023f201b3c79ff314934a99416cd69665de8d8
SH256 hash:
f683057c07d2f9b8f70120704f4fa8a983c279dc7fe7d91da7bf53aa1243c3d1
MD5 hash:
5582b94cb4c46cd44eae80dfa81121a8
SHA1 hash:
28c2b6ad13e9c0edfd908ef0ad045f95e4767bd8
Link:
https://www.unpac.me/results/8ebed194-d96d-4e91-b2da-ff8f99ec68e7/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/8ebed194-d96d-4e91-b2da-ff8f99ec68e7/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/8ebed194-d96d-4e91-b2da-ff8f99ec68e7/
SH256 hash:
4d679a3ea8c5e1af6bc6d564551d34632cf31bafded5ee91b3768420142b7dfe
MD5 hash:
1e073055e85af71931abd1462609249e
SHA1 hash:
62e1af35d3eb0e500917ddc9f7efa28ab76e2642
Link:
https://www.unpac.me/results/8ebed194-d96d-4e91-b2da-ff8f99ec68e7/
SH256 hash:
66231a66c12e6274f16d9bc3ba8097426c06b2cf4ce1b166a87cf28448490645
MD5 hash:
0661382b0c7a11b00a86fd63ca9c1e1f
SHA1 hash:
6ed3222c5160922566ed1b26da3b474b61485d01
Link:
https://www.unpac.me/results/8ebed194-d96d-4e91-b2da-ff8f99ec68e7/
SH256 hash:
55481f089ca79b33b7966f1197334b7d6ec5577577dd9a93a8ba8610474d9b8e
MD5 hash:
adab6d00a879864deffe803620505a58
SHA1 hash:
f5ba01cb258eb6558a0db4d801d038fed2fe87c7
Link:
https://www.unpac.me/results/8ebed194-d96d-4e91-b2da-ff8f99ec68e7/
Malware family:
RedLine.F
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f683057c07d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f683057c07d2f9b8f70120704f4fa8a983c279dc7fe7d91da7bf53aa1243c3d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:GenericRedLineLike
Create hunting rule
Author:Still
Description:Matches RedLine-like stealer; may match its variants.
Rule name:MALWARE_Win_MetaStealer
Create hunting rule
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:RedLine_Stealer_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Detecting unpacked Redline
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_efdb9e81
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Generic_40899c85
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Create hunting rule
Author:Elastic Security
Rule name:win_redline_stealer_generic
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/10741/

Comments