MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3829c25e9f38b778ed41aa78f34955a25a2a53236810aadce18dc25ac1601f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3829c25e9f38b778ed41aa78f34955a25a2a53236810aadce18dc25ac1601f6
SHA3-384 hash: 5579d32ea45628d8ce4cae97c0e00bdda3d2481a200298658c5163670d193e6a59f01bbe76ee3cb68277e7fc7f2af86b
SHA1 hash: a42e04c1adf37c815aaafeafd9ce9f5ce3674453
MD5 hash: 67c6a075b37b11e324c035c032219a48
humanhash: emma-moon-ack-illinois
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:502'376 bytes
First seen:2026-01-23 23:09:19 UTC
Last seen:2026-01-24 01:17:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c785070d31918effde68a86f76fb27b (2 x RedLineStealer, 1 x DonutLoader, 1 x XWorm)
ssdeep 6144:MBSbnvsgOFgHit/EXU0cK66x0d07dR3dIe2C6SdBHUWq+9yN86IpKIGl9AvXZq2K:MBSIeit/E2KTbHnSjafJkJ++DnrQBg
TLSH T19AB4C58336DB0CEAEE932B3C51D76336AB36FE608B3A4B6B5114C2311C135D16E6A754
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 RedLineStealer


Avatar
Bitsight
url: http://130.12.180.43/files/7377994722/pwx8Qhg.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
31.57.219.210:1912 https://threatfox.abuse.ch/ioc/1736276/

Intelligence

File Origin
# of uploads :
14
# of downloads :
193
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-23 23:09:46 UTC
Tags:
ftp stealer redline metastealer
Link:
https://app.any.run/tasks/75cf6eac-1cce-41f9-859a-b58dfb1f7348

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49934/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader49.29739.3831.24280.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6973ffa4f3cf908ba507d81e
Tags:
redline emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto explorer hacktool lolbin overlay packed
Link:
https://www.filescan.io/uploads/6973ffa355805a763ff36e18/reports/bd7a3162-7512-4378-8900-c39e8a72700a/overview
Verdict:
Malicious
Labled as:
Win64/Agent_AGeneric.KCJ trojan
Link:
https://www.hybrid-analysis.com/sample/e3829c25e9f38b778ed41aa78f34955a25a2a53236810aadce18dc25ac1601f6
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-23T20:38:00Z UTC
Last seen:
2026-01-25T12:54:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.DonutInjector.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.Multi.Donut.b Trojan-PSW.MSIL.Reline.sb Trojan.Win64.Donut.sb Trojan-PSW.MSIL.Reline.aarm HEUR:Trojan-Spy.MSIL.Stealer.gen Trojan-Spy.Stealer.TCP.ServerRequest Trojan-Spy.Stealer.TCP.C&C Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Shellcode.sb Trojan.MSIL.Donut.sb Trojan.Win64.Agentb.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Win64.Donut.a
Link:
https://opentip.kaspersky.com/e3829c25e9f38b778ed41aa78f34955a25a2a53236810aadce18dc25ac1601f6/results?tab=lookup
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93fde096-6aa9-4b5c-a22a-b39edb19ae72
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e3829c25e9f38b778ed41aa78f34955a25a2a53236810aadce18dc25ac1601f6
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/67c6a075b37b11e324c035c032219a48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3829c25e9f38b778ed41aa78f34955a25a2a53236810aadce18dc25ac1601f6/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/e3829c25e9f38b778ed41aa78f34955a25a2a53236810aadce18dc25ac1601f6
Threat name:
Win64.Spyware.Redline
Create hunting rule
Status:
Suspicious
First seen:
2026-01-23 23:10:36 UTC
File Type:
PE+ (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4objyjpj6ofxpdwudkty6nevlis2fjjsg2aqvlooddocllawah3a._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
donutloader
Create hunting rule
Similar samples:
error
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:redline botnet:3clickports infostealer loader persistence ransomware spyware
Link:
https://tria.ge/reports/260123-25am3sdx2e/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Boot or Logon Autostart Execution: Active Setup
Detects DonutLoader
DonutLoader
Donutloader family
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
31.57.219.210:1912
Unpacked files
SH256 hash:
e3829c25e9f38b778ed41aa78f34955a25a2a53236810aadce18dc25ac1601f6
MD5 hash:
67c6a075b37b11e324c035c032219a48
SHA1 hash:
a42e04c1adf37c815aaafeafd9ce9f5ce3674453
Link:
https://www.unpac.me/results/8763423c-39b4-406a-8e16-dad4c782ac02/
Malware family:
RedLine.F
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e3829c25e9f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3829c25e9f38b778ed41aa78f34955a25a2a53236810aadce18dc25ac1601f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e3829c25e9f38b778ed41aa78f34955a25a2a53236810aadce18dc25ac1601f6

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/49934/
  
URLhaus
https://urlhaus.abuse.ch/url/3762790/

Comments