MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ec9acdb6e5ea802f5cb40e00ab7e973f3b1abae4033ba46b79e10af695d9e6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ec9acdb6e5ea802f5cb40e00ab7e973f3b1abae4033ba46b79e10af695d9e6c
SHA3-384 hash: 50feba5ca6c85d70153acefa114d95eb6d380c901e6596b3dfa1b1c69c4cb2b2f10a852d81c327ed2d9726b46655b810
SHA1 hash: 2ec2f409acbaecda5fcc129c9b4f6be417c491e6
MD5 hash: 11d120907a5692fd48598573d457b340
humanhash: artist-river-six-friend
File name:SecuriteInfo.com.Win64.MalwareX-gen.32545821
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:91'648 bytes
First seen:2026-02-24 23:22:00 UTC
Last seen:2026-02-25 00:36:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 48ca3036180f0cfc822176b8bce52945 (1 x RedLineStealer)
ssdeep 1536:gzKPUGVAND/R58vjohR2yTjV6cpFwb5Wnel16W9Xa+t1ku1ZTs0+:gzSU1J58vjohgyTjV6cpFwb3NK+3kgT
TLSH T104935B5F33A430F8D5679174C9E14A46E773B87659B0A30F4774869A9F232C2AE2D332
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
FR FR
Vendor Threat Intelligence
Malware configuration found for:
TinyLoader
Details
TinyLoader
xor decoded strings including cryptocurrency addresses and a c2 url
Link:
https://research.acce.ciphertechsolutions.com/results/16e1e72e-b65c-410b-832a-3ea4f225d81d/
Malware family:
amadey
Create hunting rule
ID:
1
File name:
bot.exe
Verdict:
Malicious activity
Analysis date:
2026-02-24 22:45:36 UTC
Tags:
anti-evasion auto-reg amadey botnet stealer stealc loader redline
Link:
https://app.any.run/tasks/feb531fa-0089-489c-b8ee-3afb68ae6a73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54509/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.32545821.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699e2a0fc950ab5d9ab15009
Tags:
ransomware redline trojan virus
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-debug microsoft_visual_cc obfuscated
Link:
https://www.filescan.io/uploads/699e32a791ad9169e533d316/reports/d083d954-2723-4a3f-8652-ac18f9fb7df7/overview
Verdict:
Malicious
Labled as:
Application.Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/2ec9acdb6e5ea802f5cb40e00ab7e973f3b1abae4033ba46b79e10af695d9e6c
Verdict:
Malicious
File Type:
exe x64
Detections:
PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb HEUR:Trojan.Win64.Generic
Link:
https://opentip.kaspersky.com/2ec9acdb6e5ea802f5cb40e00ab7e973f3b1abae4033ba46b79e10af695d9e6c/results?tab=lookup
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3e062e8-85e6-44c0-aedd-c059b66a35e8
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2ec9acdb6e5ea802f5cb40e00ab7e973f3b1abae4033ba46b79e10af695d9e6c
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/11d120907a5692fd48598573d457b340
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ec9acdb6e5ea802f5cb40e00ab7e973f3b1abae4033ba46b79e10af695d9e6c/
Verdict:
Malicious
Threat:
Family.AMADEY
Link:
https://tip.neiki.dev/file/2ec9acdb6e5ea802f5cb40e00ab7e973f3b1abae4033ba46b79e10af695d9e6c
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-02-24 22:45:37 UTC
File Type:
PE+ (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f3e2zw3ol2uaf5olidqavn7jopz3dk5oiaz3urvxtyik62k5tzwa._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:fff discovery execution infostealer persistence pyinstaller spyware stealer
Link:
https://tria.ge/reports/260224-3cnjxaht5f/
Behaviour
Checks processor information in registry
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
196.251.107.104:1912
Unpacked files
SH256 hash:
2ec9acdb6e5ea802f5cb40e00ab7e973f3b1abae4033ba46b79e10af695d9e6c
MD5 hash:
11d120907a5692fd48598573d457b340
SHA1 hash:
2ec2f409acbaecda5fcc129c9b4f6be417c491e6
Link:
https://www.unpac.me/results/14a8944a-dad4-4db7-a76f-ffca3f1a3324/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ec9acdb6e5ea802f5cb40e00ab7e973f3b1abae4033ba46b79e10af695d9e6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2ec9acdb6e5ea802f5cb40e00ab7e973f3b1abae4033ba46b79e10af695d9e6c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/54509/
  
URLhaus
https://urlhaus.abuse.ch/url/3785197/
  
Delivery method
Distributed via web download

Comments