MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a11942aa2344a3abe15d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a11942aa2344a3abe15d7
SHA3-384 hash: fe20d515599395fa7817b9a94539573187c32aee979a5cfbe5c704eb559207a06f3aef1db85cceb039a5d4a43bb0d004
SHA1 hash: 1061afa294912351c71a605cb4aff53ece93d34e
MD5 hash: 257ed84eaac0ca43391ccd094a5e2317
humanhash: illinois-carpet-india-pizza
File name:x7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:9'435'276 bytes
First seen:2026-02-10 02:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (45 x BlankGrabber, 23 x Efimer, 18 x PythonStealer)
ssdeep 196608:noOLtbW897GXPHMe81SF2RPUewce97BtKZ2/HsMRq+bRgFtDUq:nZL1wPsZg2KeGxK4/HsMRq+bYtwq
Threatray 81 similar samples on MalwareBazaar
TLSH T1C296339993B009EAD8676D3F4A755053D3E1B4250BA1C9CF1BA0832E2F9B2FE2C35754
TrID 66.5% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.216.2.96:33816

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.216.2.96:33816 https://threatfox.abuse.ch/ioc/1744116/

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
PyInstaller
a compiled assembly and a Python version
Link:
https://research.acce.ciphertechsolutions.com/results/ff6deb60-af13-47d7-83e9-22a8830f5701/
Malware family:
redline
Create hunting rule
ID:
1
File name:
x7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a11942aa2344a3abe15d7.exe
Verdict:
Malicious activity
Analysis date:
2026-02-10 00:41:49 UTC
Tags:
python stealer redline
Link:
https://app.any.run/tasks/a507719d-19aa-4352-b9e0-d747f21c3d70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/52871/
Detection(s):
SecuriteInfo.com.Python.Packed.104.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698a7ece42fd65534cce1c1a
Tags:
infosteal redline
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a11942aa2344a3abe15d7
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-02-09T09:41:00Z UTC
Last seen:
2026-02-09T23:08:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan-Spy.Stealer.TCP.C&C Trojan-Spy.Stealer.HTTP.C&C Trojan-PSW.MSIL.Reline.b Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Reline.sb Trojan-PSW.MSIL.Reline.c Trojan-PSW.MSIL.Reline.aasv Exploit.CVE-2017-11882.TCP.C&C
Link:
https://opentip.kaspersky.com/7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a11942aa2344a3abe15d7/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ab5941da-bf31-4354-9f02-ba66b5242eb8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1866453
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1866453 Sample: x7dce26dea5fe8cfee7d161ce30... Startdate: 10/02/2026 Architecture: WINDOWS Score: 100 36 api.ip.sb.cdn.cloudflare.net 2->36 38 api.ip.sb 2->38 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 5 other signatures 2->54 9 x7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a.exe 63 2->9         started        signatures3 process4 file5 22 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->22 dropped 24 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 9->24 dropped 26 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->26 dropped 28 52 other files (none is malicious) 9->28 dropped 12 x7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a.exe 2 9->12         started        process6 file7 30 C:\Users\user\AppData\...\cc7f69347a.exe, PE32 12->30 dropped 56 Found many strings related to Crypto-Wallets (likely being stolen) 12->56 16 cc7f69347a.exe 15 50 12->16         started        signatures8 process9 dnsIp10 32 95.216.2.96, 33816, 49690, 49697 HETZNER-ASDE Germany 16->32 34 api.ip.sb.cdn.cloudflare.net 104.26.12.31, 443, 49696 CLOUDFLARENETUS United States 16->34 40 Multi AV Scanner detection for dropped file 16->40 42 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->42 44 Found many strings related to Crypto-Wallets (likely being stolen) 16->44 46 3 other signatures 16->46 20 conhost.exe 16->20         started        signatures11 process12
Score:
88%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a11942aa2344a3abe15d7
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/257ed84eaac0ca43391ccd094a5e2317
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a11942aa2344a3abe15d7/
Verdict:
Malicious
Threat:
Family.REDLINE
Link:
https://tip.neiki.dev/file/7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a11942aa2344a3abe15d7
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxhcnxvf72gp5z6rmhhdbvc7acou2eexrm5bdfbkui2euov6cxlq._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
Similar samples:
229dc501624a2771814c16a6e35edb145b4c9d989094c21510aa271f0e2f1400
RedLineStealer
3a41d10e6cc959ea17ef0f6ad27ab37c5c064b42a3587e66b299efd9a3025a0e
RedLineStealer
499252ad2d4e44ff699fbc6418da823e3111ef8a0cdc7174de06754819056739
RedLineStealer
55790767e48d39d71bf0814ba9ab4bd294de825ccab8b01cfa854399e2e935c8
RedLineStealer
99f6808d5523f4e31dcf70c458993d848161c06cb9b93411e6b3e5b101ac25a4
RedLineStealer
bd7eff537e917ccb959311ac470365ead524278a36cc4380e227c9cc70108a14
RedLineStealer
be3cfc2710911f0449de96842f1f41b6e2e01fa829575abc5a058886728a020c
RedLineStealer
cdbc954ef8c291add837596a3bd4024164ae74d6d7160c8da820cce2584a0b5b
RedLineStealer
e05bf246d46f0002553a2b940ac726358c90748a66f35efafe77cf91b22701c9
RedLineStealer
e260f26d5d5514968685b55712535276c2470b29295822f82e7877e5cf70db8b
RedLineStealer
error
RedLineStealer
+ 71 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:fud_test discovery infostealer pyinstaller rat spyware stealer trojan
Link:
https://tria.ge/reports/260210-czb7aaaw9e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Malware Config
C2 Extraction:
95.216.2.96:33816
Unpacked files
SH256 hash:
7dce26dea5fe8cfee7d161ce30d45f009d4d10978b3a11942aa2344a3abe15d7
MD5 hash:
257ed84eaac0ca43391ccd094a5e2317
SHA1 hash:
1061afa294912351c71a605cb4aff53ece93d34e
Link:
https://www.unpac.me/results/50706241-28cf-4911-88cb-62d25c553e62/
Malware family:
ArechClient2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7dce26dea5fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/52871/

Comments