MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3891781c731aba59fe043f22e6d310526f30feeedaa30a6319bf5c79a0b983e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 15

SHA256 hash: 3891781c731aba59fe043f22e6d310526f30feeedaa30a6319bf5c79a0b983e2
SHA3-384 hash: 9650f0ec122565c9bee3ad8fbd879092dc2b10ae6f6d6348bc399888693896f143bfc37b5b518ef3c36d447b487796b8
SHA1 hash: c138012043eda35b2ea92f16ee51d54155966e29
MD5 hash: eb8ca19e6f2da86fed19942c70f11ca7
humanhash: five-mockingbird-hotel-xray
File name: dxdiag.exe
Signature: RedLineStealer
File size: 2'039'996 bytes
First seen: 2025-08-29 13:57:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5cdfba68edbb115e7aa5ed6776bb6546 (29 x RedLineStealer, 1 x MassLogger)
ssdeep: 49152:Qae4tw4NdbnH9o1ppv3Yagw42Gzq/gtXP:Xhlndo1bv8wzGeYBP
Threatray: 580 similar samples on MalwareBazaar
TLSH: T1719533579860291DC01DBAF3135DBB0D4620AF0A3270EADC7E2EB7263B7353598625E7
TrID: 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.5% (.ICL) Windows Icons Library (generic) (2059/9)
      8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: ubc
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 116
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: dxdiag.exe
Verdict: Malicious activity
Analysis date: 2025-08-29 14:00:12 UTC
Tags: themida netreactor
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: vmdetect packed virus msil

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm microsoft_visual_cc obfuscated overlay packed packed themidawinlicense zero

Verdict: Malicious
File Type: exe x32
First seen: 2025-08-18T05:30:00Z UTC
Last seen: 2025-08-18T05:30:00Z UTC
Hits: ~100

Malware family: Snake Keylogger
Verdict: Malicious

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-08-18 13:02:43 UTC
File Type: PE (Exe)
Extracted files: 17
AV detection: 22 of 36 (61.11%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion discovery themida trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: bc0061e3f73b568d73c4e07d77365c3e52326b13f5fbab060b6ab31854021f8c
MD5 hash: af867d824da7455ae2ac6878bb61c3a0
SHA1 hash: e314784858eaaec694a7ca821c7b6f6fc282aeaa
Detections: SUSP_OBF_NET_Reactor_Native_Stub_Jan24 INDICATOR_EXE_Packed_Themida MALWARE_Win_RedLine

SHA256 hash: 824bdf28a84b3d240092a06514c1f4a174e1cf22df1b771aacf138129e36f5ce
MD5 hash: d381b00d28dda2de04757b4506f7a4fd
SHA1 hash: 3ac95c4b9b1c30b37e2021c28918588e2c31d875
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 2692ada1821aa32a923f7020322eb8b9b5b5d1b7835afa81f9f375772002537d
MD5 hash: c7e820eea7196598df1c13c4bea19571
SHA1 hash: 67f33d7e965feb49de20ad776a498bdb17e79847
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 3891781c731aba59fe043f22e6d310526f30feeedaa30a6319bf5c79a0b983e2
MD5 hash: eb8ca19e6f2da86fed19942c70f11ca7
SHA1 hash: c138012043eda35b2ea92f16ee51d54155966e29

Please note that we are no longer able to provide a coverage score for VirusTotal.
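The hashes listed above (the submitted dxdiag.exe plus the three unpacked stages) are the indicators a practitioner actually takes away from this entry. The script below, written for this page and not part of MalwareBazaar's own tooling, does the two things those indicators are for: it verifies that a downloaded copy of the sample matches every listed digest before it is handed to any analysis, and it sweeps a directory tree for files whose SHA256 matches the sample or one of its unpacked stages. The digest values are copied from the entry; the directory scanned and the placeholder bytes written by demo() are assumptions so the script runs stand-alone without the real malware.

```python
"""Added example: check local files against the hash indicators in this
MalwareBazaar entry. Illustration code, not a MalwareBazaar tool. Digest
values are copied from the entry; the temp directory and the constructed
placeholder bytes in demo() are assumptions for an offline run."""
import hashlib
import io
import os
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")

# Digests of the submitted sample, copied from the entry above (lowercase hex).
SAMPLE_HASHES = {
    "md5": "eb8ca19e6f2da86fed19942c70f11ca7",
    "sha1": "c138012043eda35b2ea92f16ee51d54155966e29",
    "sha256": "3891781c731aba59fe043f22e6d310526f30feeedaa30a6319bf5c79a0b983e2",
    "sha3_384": "9650f0ec122565c9bee3ad8fbd879092dc2b10ae6f6d6348bc399888693896f143bfc37b5b518ef3c36d447b487796b8",
}

# SHA256 of the three unpacked stages listed under "Unpacked files" above.
UNPACKED_SHA256 = {
    "bc0061e3f73b568d73c4e07d77365c3e52326b13f5fbab060b6ab31854021f8c",
    "824bdf28a84b3d240092a06514c1f4a174e1cf22df1b771aacf138129e36f5ce",
    "2692ada1821aa32a923f7020322eb8b9b5b5d1b7835afa81f9f375772002537d",
}
KNOWN_SHA256 = UNPACKED_SHA256 | {SAMPLE_HASHES["sha256"]}


def digest_stream(fh, algorithms=ALGORITHMS, chunk=1 << 20):
    """Read a binary stream once and return {algorithm: hexdigest} for every
    requested algorithm, so a large file is not re-read once per hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as fh:
        return digest_stream(fh, algorithms)


def digest_bytes(data, algorithms=ALGORITHMS):
    return digest_stream(io.BytesIO(data), algorithms)


def verify_sample(path):
    """Compare all four digests of a downloaded file with the entry's values.
    Returns (all_match, {algorithm: matched}). Checking every listed digest,
    not only MD5, makes a wrong, truncated or tampered download obvious."""
    got = digest_file(path)
    per_algo = {name: got[name] == expected for name, expected in SAMPLE_HASHES.items()}
    return all(per_algo.values()), per_algo


def sweep_directory(root):
    """Walk a directory tree and return {path: sha256} for every file whose
    SHA256 is the sample or one of its unpacked stages; a dropped or dumped
    stage can sit on disk without the original dxdiag.exe being present."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                sha = digest_file(path, algorithms=("sha256",))["sha256"]
            except OSError:
                continue  # unreadable or vanished file: keep sweeping
            if sha in KNOWN_SHA256:
                hits[path] = sha
    return hits


def demo():
    """Stand-alone run on a constructed file (assumption: not the real sample).
    Writes an MZ-prefixed placeholder named like the sample into a temp
    directory, verifies it against the entry, then sweeps the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "dxdiag.exe"
        fake.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed placeholder, not the sample")
        verified, per_algo = verify_sample(fake)
        hits = sweep_directory(tmp)
    return {"verified": verified, "per_algo": per_algo, "hits": hits}


if __name__ == "__main__":
    print(demo())
```

Run verify_sample against the extracted sample before loading it anywhere; every algorithm must report True, and a partial match means you are holding a different file. The sweep covers only the cryptographic digests: the imphash, ssdeep and TLSH values in the entry need the pefile, ssdeep and tlsh libraries respectively, which hashlib does not provide, and they are what you would reach for when hunting related builds rather than this exact file.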

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments