{
  "type": "MD5",
  "indicator": "71c8c0a2d8bb60c4dcba767c3c48c834",
  "general": {
    "sections": [
      "general",
      "analysis"
    ],
    "type": "md5",
    "type_title": "FileHash-MD5",
    "indicator": "71c8c0a2d8bb60c4dcba767c3c48c834",
    "validation": [],
    "base_indicator": {
      "id": 3922641560,
      "indicator": "71c8c0a2d8bb60c4dcba767c3c48c834",
      "type": "FileHash-MD5",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "66a0cdffcc549af39b00a9d8",
          "name": "Stealer Malware (Hash / C2)",
          "description": "Malware with stealing capabilities, like Vidar, Raccoon, Mars, and Redline (will be updated in the future). \nAny detection on the internal network from this OTX pulse indicates a data leak. Please run a full antivirus scan on the endpoint and make sure to change all of your passwords.\n\nFamily :\nSteal C Malware;\nRedline Stealer;\nFlame Stealer;\nLumma Stealer;\nCheana Stealer;\nGomorra Stealer;\nMeduza Stealer;\nHawkeye Malware;\nNode Stealer;\nAmatera Stealer\n; Last Update : 16/12/2024 (Update Lumma Stealer, Add Amatera Stealer, Telegram Stealer and others)",
          "modified": "2025-01-15T04:01:02.090000",
          "created": "2024-07-24T09:48:47.666000",
          "tags": [
            "Stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6286,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": true,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IndoOpenThreatXchange",
            "id": "286483",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 73,
            "FileHash-MD5": 208,
            "FileHash-SHA1": 198,
            "FileHash-SHA256": 255,
            "domain": 46,
            "hostname": 13,
            "URL": 9
          },
          "indicator_count": 802,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 95,
          "modified_text": "501 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ae653a2126a5f2cec65a23",
          "name": "ACTIVIDAD MALICIOSA | Relacionada con RedLineStealer 03-08-2024",
          "description": "\"RedLine Stealer\" (tambi\u00e9n conocido como RedLine) es un programa malicioso que se puede comprar en foros de hackers por $150/$200 dependiendo de la versi\u00f3n. Se puede utilizar para robar informaci\u00f3n e infectar sistemas operativos con otro malware. En general, los ciberdelincuentes intentan infectar equipos con software malintencionado como \"RedLine Stealer\" para generar ingresos mediante el uso indebido de datos a los que se accede (robados) y/o infectando sistemas con otro software de este tipo para lograr el mismo prop\u00f3sito.",
          "modified": "2024-08-03T17:13:30.454000",
          "created": "2024-08-03T17:13:30.454000",
          "tags": [
            "discovery",
            "zdyuim5toujlce",
            "jdizdpshclgaowe",
            "tcticas",
            "ta0043",
            "ta0042",
            "development",
            "ta0001",
            "t1057",
            "t1087"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/gb9413c52243f44b19d198645a92e03d7d495f12a92964c43b180224cded0574b?theme=light",
            "https://www.pcrisk.es/",
            "https://www.alertasyseguridad.net/repositorio-ioc/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1201",
              "name": "Password Policy Discovery",
              "display_name": "T1201 - Password Policy Discovery"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 350,
            "FileHash-SHA1": 350,
            "FileHash-SHA256": 350
          },
          "indicator_count": 1050,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 266,
          "modified_text": "666 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/gb9413c52243f44b19d198645a92e03d7d495f12a92964c43b180224cded0574b?theme=light",
        "https://www.alertasyseguridad.net/repositorio-ioc/",
        "https://www.pcrisk.es/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Redline stealer"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "66a0cdffcc549af39b00a9d8",
      "name": "Stealer Malware (Hash / C2)",
      "description": "Malware with stealing capabilities, like Vidar, Raccoon, Mars, and Redline (will be updated in the future). \nAny detection on the internal network from this OTX pulse indicates a data leak. Please run a full antivirus scan on the endpoint and make sure to change all of your passwords.\n\nFamily :\nSteal C Malware;\nRedline Stealer;\nFlame Stealer;\nLumma Stealer;\nCheana Stealer;\nGomorra Stealer;\nMeduza Stealer;\nHawkeye Malware;\nNode Stealer;\nAmatera Stealer\n; Last Update : 16/12/2024 (Update Lumma Stealer, Add Amatera Stealer, Telegram Stealer and others)",
      "modified": "2025-01-15T04:01:02.090000",
      "created": "2024-07-24T09:48:47.666000",
      "tags": [
        "Stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6286,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": true,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IndoOpenThreatXchange",
        "id": "286483",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 73,
        "FileHash-MD5": 208,
        "FileHash-SHA1": 198,
        "FileHash-SHA256": 255,
        "domain": 46,
        "hostname": 13,
        "URL": 9
      },
      "indicator_count": 802,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 95,
      "modified_text": "501 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "66ae653a2126a5f2cec65a23",
      "name": "ACTIVIDAD MALICIOSA | Relacionada con RedLineStealer 03-08-2024",
      "description": "\"RedLine Stealer\" (tambi\u00e9n conocido como RedLine) es un programa malicioso que se puede comprar en foros de hackers por $150/$200 dependiendo de la versi\u00f3n. Se puede utilizar para robar informaci\u00f3n e infectar sistemas operativos con otro malware. En general, los ciberdelincuentes intentan infectar equipos con software malintencionado como \"RedLine Stealer\" para generar ingresos mediante el uso indebido de datos a los que se accede (robados) y/o infectando sistemas con otro software de este tipo para lograr el mismo prop\u00f3sito.",
      "modified": "2024-08-03T17:13:30.454000",
      "created": "2024-08-03T17:13:30.454000",
      "tags": [
        "discovery",
        "zdyuim5toujlce",
        "jdizdpshclgaowe",
        "tcticas",
        "ta0043",
        "ta0042",
        "development",
        "ta0001",
        "t1057",
        "t1087"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/gb9413c52243f44b19d198645a92e03d7d495f12a92964c43b180224cded0574b?theme=light",
        "https://www.pcrisk.es/",
        "https://www.alertasyseguridad.net/repositorio-ioc/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RedLine Stealer",
          "display_name": "RedLine Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1201",
          "name": "Password Policy Discovery",
          "display_name": "T1201 - Password Policy Discovery"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 350,
        "FileHash-SHA1": 350,
        "FileHash-SHA256": 350
      },
      "indicator_count": 1050,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 266,
      "modified_text": "666 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "71c8c0a2d8bb60c4dcba767c3c48c834",
    "type": "Hash"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "71c8c0a2d8bb60c4dcba767c3c48c834",
    "found": true,
    "verdict": "malicious",
    "file_type": "exe",
    "file_size": "346664",
    "md5": "71c8c0a2d8bb60c4dcba767c3c48c834",
    "sha256": "718dc1cb85c3f686e07c49be4aa4b731784c8fb1ef76104d5a48cddfa9198363",
    "signature": "RedLineStealer",
    "first_seen": "2024-07-16",
    "last_seen": "",
    "url_count": "2",
    "urls": [
      {
        "url": "http://88.198.89.4/auto/7869fe697b38eacd367fdb01cf539f58/217.exe",
        "status": "offline",
        "threat": "",
        "date_added": "",
        "tags": []
      },
      {
        "url": "http://static.88-198-89-4.clients.your-server.de/auto/7869fe697b38eacd367fdb01cf539f58/217.exe",
        "status": "offline",
        "threat": "",
        "date_added": "",
        "tags": []
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780258609.9058058
}