MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22f3d60f3e7d848978b4c80bb6d895f77e2c335fb2f75a6a6eabae14b0a705eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 20

SHA256 hash: 22f3d60f3e7d848978b4c80bb6d895f77e2c335fb2f75a6a6eabae14b0a705eb
SHA3-384 hash: b85b2f98479892d232c624be8930a75343e04bb2735acbca2fb6cc7e04cee4459c3b0f73fc29bc020437df7505dc1d93
SHA1 hash: a3b35c51aeec51aa1d6836cc4666cd1cfee066b4
MD5 hash: e86746cc20a88bba55f670bfda30a4fe
humanhash: fish-alaska-football-massachusetts
File name: E86746CC20A88BBA55F670BFDA30A4FE.exe
Signature: RedLineStealer
File size: 1'345'024 bytes
First seen: 2025-10-20 08:40:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'070 x AgentTesla, 20'023 x Formbook, 12'352 x SnakeKeylogger)
ssdeep: 24576:VO5qbFbAH257PnF4D0HQaEKydmq8Gj2mY3mxKu6Mmob:QoFbyGnFs0t/ydm0j2Cx76Mmo
Threatray: 235 similar samples on MalwareBazaar
TLSH: T1AC552384674BDA0AD5A663B42AB1F57017B40E8CD812E2564FDCAEDF746BF424D00BC7
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: eccccc9cc4d8e8f4 (3 x SnakeKeylogger, 2 x RedLineStealer, 1 x GuLoader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
38.255.34.55:27204

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
38.255.34.55:27204 https://threatfox.abuse.ch/ioc/1618357/

Intelligence


File Origin
# of uploads: 1
# of downloads: 208
Origin country: NL
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: _22f3d60f3e7d848978b4c80bb6d895f77e2c335fb2f75a6a6eabae14b0a705eb.exe
Verdict: Malicious activity
Analysis date: 2025-10-20 08:40:57 UTC
Tags: xred backdoor redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: virus micro msil
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated packed packed packer_detected snakekeylogger vbnet
Verdict: Malicious
File Type: exe x32
First seen: 2025-10-17T11:56:00Z UTC
Last seen: 2025-10-20T20:29:00Z UTC
Hits: ~10
Detections: Trojan-PSW.MSIL.Reline.sb Trojan-Dropper.Win32.Injector.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Reline.gen Trojan-Spy.Stealer.TCP.C&C Trojan-PSW.MSIL.Reline.b Trojan-PSW.Win32.Coins.sb HEUR:Trojan-PSW.MSIL.Agensla.gen PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Reline.c Trojan.MSIL.Taskun.sb Backdoor.Win32.Androm Trojan-PSW.Win32.Stealer.sb Backdoor.Agent.HTTP.C&C Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.XRed.sb Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan-Spy.Stealer.HTTP.C&C Exploit.CVE-2017-11882.TCP.C&C
Result
Threat name: RedLine, XRed
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected XRed
Behaviour
Behavior Graph (ID: 1798147; Sample: Y1RnO07kM1.exe; Startdate: 20/10/2025; Architecture: WINDOWS; Score: 100)
Top-level network: c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com; ax-ring.ax-9999.ax-msedge.net; 5 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
Processes started at root: Y1RnO07kM1.exe (node 9); Synaptics.exe (node 13)
Y1RnO07kM1.exe (node 9): dropped C:\Users\user\AppData\...\Y1RnO07kM1.exe.log (ASCII); signatures: Found many strings related to Crypto-Wallets (likely being stolen), Writes to foreign memory regions, Allocates memory in foreign processes, Injects a PE file into a foreign processes; started MSBuild.exe (node 15), MSBuild.exe (node 18)
Synaptics.exe (node 13): started conhost.exe (node 21)
MSBuild.exe (node 15): dropped C:\Users\user\Desktop\._cache_MSBuild.exe (PE32), C:\ProgramData\Synaptics\Synaptics.exe (PE32); started ._cache_MSBuild.exe (node 23), Synaptics.exe (node 27)
MSBuild.exe (node 18): signature: Contains functionality to detect sleep reduction / modifications
._cache_MSBuild.exe (node 23): network: 38.255.34.55 port 27204 (local ports 49690, 49694) COGENT-174US United States; api.ip.sb.cdn.cloudflare.net 172.67.75.172 port 443 (local port 49691) CLOUDFLARENETUS United States; signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines), Found many strings related to Crypto-Wallets (likely being stolen), Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines), 2 other signatures; started conhost.exe (node 29)
Synaptics.exe (node 27): started conhost.exe (node 31)
Verdict: inconclusive
YARA: 5 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.50 Win 32 Exe x86
Threat name: Win32.Trojan.SnakeKeylogger
Status: Malicious
First seen: 2025-10-17 20:14:32 UTC
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:sectoprat family:xred botnet:cheat backdoor discovery infostealer persistence rat spyware stealer trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Reads user/profile data of web browsers
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Xred
Xred family
Malware Config
C2 Extraction:
xred.mooo.com
38.255.34.55:27204
Unpacked files
SHA256 hash: 22f3d60f3e7d848978b4c80bb6d895f77e2c335fb2f75a6a6eabae14b0a705eb
MD5 hash: e86746cc20a88bba55f670bfda30a4fe
SHA1 hash: a3b35c51aeec51aa1d6836cc4666cd1cfee066b4

SHA256 hash: 78731b510a2e4f8b13ee63716c9fa0c2141cd5d29be85af84b5a12b70843d842
MD5 hash: 20b3fae29398f037de28b4b66c97a726
SHA1 hash: 116f6db159b4c85aeefd64874e1adfb3b11c7bc3
Detections: RedLine_a INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs MALWARE_Win_RedLine

SHA256 hash: bed3f6fca06cec2cb26743007fc79601a7a357137b238c2860bd674fd9e8edd1
MD5 hash: 4ba841f1b700f08a8d88f4c1d7a7745a
SHA1 hash: 33873ed8ce3a2c570db96113ffd25a038e8cb39e
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 39f618068244985a226cb5bc3639ec22824cbedd6f5e6ab34786aff99d9c3c97
MD5 hash: c582a1259637b8d7ac0f900cc5c6f1aa
SHA1 hash: 50ca8370d57f9af1c14fb6714ffef6e6491fade9
Detections: RedLine_a mal_xred_backdoor INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs MALWARE_Win_RedLine

SHA256 hash: b6781edd819929c2fe8b41985314c4eaed3c35ce05a61cdf911da3f09de53074
MD5 hash: 69fe9dc75c1792830f0a6d2525d05b22
SHA1 hash: ae712836721804406194a813b91c7dd9f122d28c

SHA256 hash: b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash: c0ef4d6237d106bf51c8884d57953f92
SHA1 hash: f1da7ecbbee32878c19e53c7528c8a7a775418eb

Malware family: RedLine.A
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments