MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f
SHA3-384 hash:	963f539a6eddd710843f24d00579c77ceb7864aeb1aa60dd41db725d53c677dda2eaf9ad8dbe7a92e2b20eeacef71bbd
SHA1 hash:	6a5153d046bdd50b60c0ec89b80c73a9ced883aa
MD5 hash:	45f85236996400374386fc38ea6b93dd
humanhash:	tennessee-hot-magnesium-echo
File name:	svchost.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	570'880 bytes
First seen:	2025-11-23 09:19:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	12288:Fh1Lk70TnvjctIKWLbv7uXP6EO4NTxEB0BB1+2zYrYz8OC+w7T2mrXkn2A5U:Rk70TrctIZbv7uXC+RxyC14xOC3nFkny
TLSH	T1ECC40224B1C2C173C4BA053044F6CB659F3574220765A6DBBBED17BAAF202E5A3762CD
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Hexastrike
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f.exe

Verdict:

Malicious activity

Analysis date:

2025-11-22 16:43:16 UTC

Tags:

auto-sch loki ransomware auto-startup smb netreactor confuser evasion lockbit4

Link:

https://app.any.run/tasks/9511ecdc-9ef3-4896-b0d2-7f38d2a97939

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/40269/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6921e8238cf6736ec0b0a91c

Tags:

infosteal redline autorun

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Running batch commands

Creating a process with a hidden window

Creating a file

Creating a file in the Windows directory

Launching a process

Creating a file in the %temp% directory

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Launching the process to change the firewall settings

Searching for synchronization primitives

Launching a service

Sending a UDP request

Connection attempt

Enabling autorun with the shell\open\command registry branches

Deleting volume shadow copies

Blocking the Windows Defender launch

Enabling autorun for a service

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug darkkomet filecoder fingerprint loki lokilocker microsoft_visual_cc packed ransomware

Link:

https://www.filescan.io/uploads/6922d5106c89728b9825e95e/reports/be98355e-e07b-46c7-b005-7a3e95e0c3d8/overview

Verdict:

Malicious

Labled as:

Ransom.LokiLocker.Generic

Link:

https://www.hybrid-analysis.com/sample/3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-02T23:06:00Z UTC

Last seen:

2025-11-23T01:47:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.DelShad.sb Trojan.Win32.Agent.sb Trojan.Win32.Diztakun.sb VHO:Trojan-Spy.MSIL.KeyLogger.gen Trojan.MSIL.Dnoper.sb HEUR:Trojan.BAT.Alien.gen Trojan-Dropper.Win32.Agent.sb Trojan.MSIL.Agent.sb HEUR:Hoax.Win32.Loki.gen HEUR:Hoax.MSIL.FakeRansom.gen Backdoor.MSIL.Cardinal.sb HEUR:Trojan.MSIL.DelShad.gen BSS:Trojan.Win32.Generic Trojan-Ransom.Win64.Agent.sb Trojan-Ransom.MSIL.Loki.sb HEUR:Trojan-Ransom.Win32.Generic BSS:Trojan.Win32.Generic.nblk

Link:

https://opentip.kaspersky.com/3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f

Verdict:

Malware

YARA:

5 match(es)

Tags:

.Net Obfuscator .Net Reactor Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/45f85236996400374386fc38ea6b93dd

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f/

Verdict:

Malicious

Threat:

VHO:Trojan-Spy.MSIL.KeyLogger

Link:

https://tip.neiki.dev/file/3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f

Threat name:

Win32.Ransomware.LokiLocker

Status:

Malicious

First seen:

2025-11-18 22:12:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gflktrffwpwcwb2neg7aapvmdhonrqpblj7nswjoegotnklrzkhq._file

Verdict:

malicious

Label(s):

genericransomware

unc_loader_001

unc_loader_078

Result

Malware family:

n/a

Score:

10/10

Tags:

defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware trojan

Link:

https://tria.ge/reports/251123-ljt7lasqfw/

Behaviour

Modifies Control Panel

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Uses Volume Shadow Copy service COM API

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Program crash

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Sets desktop wallpaper using registry

Drops desktop.ini file(s)

Enumerates connected drives

Looks up external IP address via web service

.NET Reactor proctector

Checks computer location settings

Drops startup file

Executes dropped EXE

Disables Task Manager via registry modification

Modifies Windows Firewall

Deletes shadow copies

Modifies Windows Defender DisableAntiSpyware settings

Modifies Windows Defender Real-time Protection settings

Verdict:

Malicious

Tags:

stealer redline trojan

YARA:

MALWARE_Win_RedLine MAL_Malware_Imphash_Mar23_1

Link:

https://app.threat.zone/submission/3a370dd9-69fd-4349-80ec-b46a4503a92f

Unpacked files

SH256 hash:

3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f

MD5 hash:

45f85236996400374386fc38ea6b93dd

SHA1 hash:

6a5153d046bdd50b60c0ec89b80c73a9ced883aa

Link:

https://www.unpac.me/results/44f1abdc-3dc4-4776-b0bb-c30caa32f350/

SH256 hash:

b9163b6ff5347415eba9f30927dfaa073f515f0c004ee0f565c7e66eb84912d4

MD5 hash:

6eb8e22cc085abf17b596e2ee456fb41

SHA1 hash:

10a05fd0e48797ab5b8f04abeda23412970ca800

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/44f1abdc-3dc4-4776-b0bb-c30caa32f350/

Parent samples :

3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f
9069a2118a62d6ff7531821ed946403f8d6713d2321b91fe397394527edce078
b9163b6ff5347415eba9f30927dfaa073f515f0c004ee0f565c7e66eb84912d4

SH256 hash:

210306a43405cbfdad8ee1fe1c09b559455ced2ac62b6319e580caf2061a0469

MD5 hash:

435dfb8cd13d09cf0e17be46ebf46478

SHA1 hash:

893856450b0de5ef84fceaa974b0572e10da117f

Detections:

PureCrypter_Stage1

INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector

Link:

https://www.unpac.me/results/44f1abdc-3dc4-4776-b0bb-c30caa32f350/

Parent samples :

c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b
3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f
9069a2118a62d6ff7531821ed946403f8d6713d2321b91fe397394527edce078

SH256 hash:

c6f9f6c83f766ac17f21d9c97e1c1df0ffd749178e32bdfb12354bb0fe779686

MD5 hash:

43bb7a4ebfc00e10879ae03dbc65bf0f

SHA1 hash:

9450d6dc7883477d2f34d45f876450a73af4140d

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/44f1abdc-3dc4-4776-b0bb-c30caa32f350/

Parent samples :

3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f
9069a2118a62d6ff7531821ed946403f8d6713d2321b91fe397394527edce078

SH256 hash:

578f58cb680b0b18aade9e5a4deddde826181576116bb9d27fd959c70b6d5834

MD5 hash:

7a2e37a2c874e68006c3fd58ab2e8dd4

SHA1 hash:

afbed8d63aaf7b22c4f4163f0250c4ed6d3a9a80

Detections:

PureCrypter_Stage1

INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector

Link:

https://www.unpac.me/results/44f1abdc-3dc4-4776-b0bb-c30caa32f350/

Parent samples :

3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f
9069a2118a62d6ff7531821ed946403f8d6713d2321b91fe397394527edce078

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3156a9c4a5b3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3156a9c4a5b3ec2b074d21be003eac19dcd8c1e15a7ed9592e219d36a971ca8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40269/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample