MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 303cbaa4832011373afc6bbf1d761a470f4e9111cdd32112f12db68f2d19d5c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 303cbaa4832011373afc6bbf1d761a470f4e9111cdd32112f12db68f2d19d5c3
SHA3-384 hash: a0850fde9fe026a671f0949c63e038f790cace16cb18684ea2fd981fcf9158a9c72df75f923f50ac94576824d0dd85c7
SHA1 hash: d0bc775470beb682dd90342499c83895170fccd2
MD5 hash: 8ecda20bc81a08af07797063aa08bd82
humanhash: nebraska-ceiling-vermont-sink
File name:739100524.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:594'432 bytes
First seen:2025-12-15 10:12:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'650 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:fwc64LAlfzT6A+eh0ppFZLg1MfrFbWHLaOM52KhU:idSXdg6frkHrTK
Threatray 1'129 similar samples on MalwareBazaar
TLSH T166C4F1D03F766702CD715770AA28EDB8426A1E687012B9E79DDE7F5737C9210AE08F12
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
54
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/446220c1-f5c7-4dd2-858a-40f1090bdba4/
Malware family:
redline
Create hunting rule
ID:
1
File name:
739100524.exe
Verdict:
Malicious activity
Analysis date:
2025-12-15 12:34:06 UTC
Tags:
stealer redline metastealer auto-sch-xml
Link:
https://app.any.run/tasks/a1915cdc-296f-4fa0-94c2-4bee8ad5f3f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44859/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693fe41f838ad7e48539927d
Tags:
redline virus shell crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Connecting to a non-recommended domain
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/693fe1251eac7b9b76aac8d8/reports/84a38333-c9fe-464b-b223-14d10cf26938/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/303cbaa4832011373afc6bbf1d761a470f4e9111cdd32112f12db68f2d19d5c3
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-15T04:13:00Z UTC
Last seen:
2025-12-17T08:45:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/303cbaa4832011373afc6bbf1d761a470f4e9111cdd32112f12db68f2d19d5c3/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e1137a9-bf3e-4837-94fd-206ba90ddc69
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/303cbaa4832011373afc6bbf1d761a470f4e9111cdd32112f12db68f2d19d5c3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/303cbaa4832011373afc6bbf1d761a470f4e9111cdd32112f12db68f2d19d5c3/
Threat name:
Win32.Spyware.Redline
Create hunting rule
Status:
Malicious
First seen:
2025-12-15 08:07:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
13 of 24 (54.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ga6lvjedeaitoox4no7r25q2i4hu5eirzxjscexrfw3i6liz2xbq._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
Similar samples:
4eb9804a8558edab914ee49e62c0335b6bb77df7c2c0e7bcae1d69aa15180e6c
RedLineStealer
6aefcac9b610a002e37fa3be97de13fdb2dda4b9d1ccda8434cd8994e46d297f
RedLineStealer
90ee1e7a6193aa7c62de6fd466fc0ca1fe7b8aaec67fa98e96183079222593f4
RedLineStealer
d5bc325e667d561e33105971e625cc3d931ced9c2cd5cc28a879cd45fd8f7ce5
RedLineStealer
+ 1'119 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:panta_logs discovery execution infostealer persistence spyware stealer
Link:
https://tria.ge/reports/251215-ml6tvavkfj/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
213.209.157.78:1912
Verdict:
Malicious
Tags:
MetaStealer Stealer c2 Redline
YARA:
n/a
Link:
https://app.threat.zone/submission/9ec54279-43d6-485a-985e-658b4dd9c08b
Unpacked files
SH256 hash:
303cbaa4832011373afc6bbf1d761a470f4e9111cdd32112f12db68f2d19d5c3
MD5 hash:
8ecda20bc81a08af07797063aa08bd82
SHA1 hash:
d0bc775470beb682dd90342499c83895170fccd2
Link:
https://www.unpac.me/results/44c539d4-28e8-4ffa-b447-75fe3c771948/
SH256 hash:
791430027e8e78a45f64c36b75eee7a31ea6b13997053dec81f1ae82f7cefba9
MD5 hash:
7199c1039a54fad503515dde185c93f8
SHA1 hash:
5d3258f6dfb0c9ffeaa0c2e5bce780d4027e1f9e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/44c539d4-28e8-4ffa-b447-75fe3c771948/
SH256 hash:
f7eb663a0675db35d1e15b18012b97307cc0354e4a8068cc140c282980799b2b
MD5 hash:
020499decff9caaed0e0ea960af5e034
SHA1 hash:
5f991ffff71071e3d5a8b1d8ddd966d6db00463a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/44c539d4-28e8-4ffa-b447-75fe3c771948/
Parent samples :
303cbaa4832011373afc6bbf1d761a470f4e9111cdd32112f12db68f2d19d5c3
c01020bddf0722615647d37dffb887e4110e7d20074ec1ac525ebe00a036c2e9
9569089d9460ec165d7c01d889e239a16155515867d198e8664e4327d07142b3
SH256 hash:
0069563d20755ea328fb9b65b848328b62126082db0ee972dd4e968c06d4bb0e
MD5 hash:
03a7f5e1f8b890a6b4a07c48124a26d8
SHA1 hash:
d496ae9dc8f97937ccd664e906f4a99deaa025ac
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/44c539d4-28e8-4ffa-b447-75fe3c771948/
Malware family:
RedLine.F
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/303cbaa48320/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 303cbaa4832011373afc6bbf1d761a470f4e9111cdd32112f12db68f2d19d5c3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44859/

Comments