MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 870e41eb597ca0cfa7bf5dc29166e4383aa9f4e973912364e13735a94fce8a44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 16 File information Comments

SHA256 hash:	870e41eb597ca0cfa7bf5dc29166e4383aa9f4e973912364e13735a94fce8a44
SHA3-384 hash:	7f142134a6c4d3ca1227eb3681b7b41fef8c4a587a5cb3923ee2c37defbc047d5ec02af343dd78f19eaec3e3be39d389
SHA1 hash:	5f44336e48f63d985bf83b95761c1cbfa22519ac
MD5 hash:	3bc900d370b1c515dcbe1bfcedb1d8f2
humanhash:	jersey-paris-comet-angel
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	209'920 bytes
First seen:	2026-01-25 10:34:11 UTC
Last seen:	2026-01-25 12:37:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	59f37c13d2cae7cc547b602d07aa7033 (1 x RedLineStealer)
ssdeep	3072:7WrSZbkCItYBenSORiJSU18U6aSTBY6SfCr4KRa8hfHmu/RgaaAJXxtu+8l:7WokCItO6iJ5PI2b0ta8RdJXDuJl
TLSH	T164248E21B9928433D5AB097498F9DF79893EFC510F7169D763840FBE89206C1AF34B1A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey e3db0b exe RedLineStealer

Bitsight

url: http://45.93.20.151/xopbs.exe

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-01-25 10:36:08 UTC

Tags:

crypto-regex stealer stealc python loader auto-reg arch-doc

Link:

https://app.any.run/tasks/c695f3eb-49dc-4fc5-bab0-af5c86c2f754

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/50038/

Detection(s):

SecuriteInfo.com.FileRepMalware.17873223.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6975f1b16fa3eed1652ebdc3

Tags:

extens trojan blic

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autorun fingerprint lolbin microsoft_visual_cc update

Link:

https://www.filescan.io/uploads/6975f1ae5db9ae4770911f7d/reports/4b6cc989-e849-4be3-8009-190266beef8f/overview

Verdict:

Malicious

Labled as:

Trojan.TP.Generic

Link:

https://www.hybrid-analysis.com/sample/870e41eb597ca0cfa7bf5dc29166e4383aa9f4e973912364e13735a94fce8a44

Result

Gathering data

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5eaaa497-400d-4bc5-a1d7-57fd1e5810db

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/870e41eb597ca0cfa7bf5dc29166e4383aa9f4e973912364e13735a94fce8a44

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/3bc900d370b1c515dcbe1bfcedb1d8f2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/870e41eb597ca0cfa7bf5dc29166e4383aa9f4e973912364e13735a94fce8a44/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/870e41eb597ca0cfa7bf5dc29166e4383aa9f4e973912364e13735a94fce8a44

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2026-01-25 10:34:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 36 (44.44%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q4hed22zpsqm7j57lxbjczxeha5kt5hjooisgzhbg422st6orjca._file

Result

Malware family:

svcstealer

Score:

10/10

Tags:

family:redline family:stealc family:svcstealer botnet:crypted botnet:loaded adware defense_evasion discovery downloader execution infostealer installer persistence pyinstaller spyware stealer upx

Link:

https://tria.ge/reports/260125-ml9kqshs4f/

Behaviour

Checks SCSI registry key(s)

Modifies Internet Explorer Protected Mode

Modifies Internet Explorer Protected Mode Banner

Modifies Internet Explorer settings

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Inno Setup is an open-source installation builder for Windows applications.

Browser Information Discovery

Detects Pyinstaller

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops autorun.inf file

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Detects SvcStealer Payload

Modifies visibility of file extensions in Explorer

RedLine

RedLine payload

Redline family

Stealc

Stealc family

SvcStealer, Diamotrix

Svcstealer family

Malware Config

C2 Extraction:

http://196.251.107.23
196.251.107.104:1912

Unpacked files

SH256 hash:

870e41eb597ca0cfa7bf5dc29166e4383aa9f4e973912364e13735a94fce8a44

MD5 hash:

3bc900d370b1c515dcbe1bfcedb1d8f2

SHA1 hash:

5f44336e48f63d985bf83b95761c1cbfa22519ac

Link:

https://www.unpac.me/results/66ec76a1-3484-4ebe-b14b-d44923e90d6e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/870e41eb597c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/870e41eb597ca0cfa7bf5dc29166e4383aa9f4e973912364e13735a94fce8a44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MAL_packer_lb_was_detected Create hunting rule
Author:	0x0d4y
Description:	Detect the packer used by Lockbit4.0

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 870e41eb597ca0cfa7bf5dc29166e4383aa9f4e973912364e13735a94fce8a44

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3763582/

Cape

https://www.capesandbox.com/analysis/50038/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample