MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d8ea383d735302930a2ba10ca17dd9ffe87f1b1ae0968777900ebe4a9ec6e2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 21

Intelligence 21 IOCs 1 YARA 3 File information Comments

SHA256 hash:	9d8ea383d735302930a2ba10ca17dd9ffe87f1b1ae0968777900ebe4a9ec6e2c
SHA3-384 hash:	62e339bf155fb7673f31ef90fbc5c8f782f8e85714cdc3504b03dd8bec5af8eaa909e7eb8bfaa2d770e69ba3943c264d
SHA1 hash:	4ae62923ebe646be41cddfafa4b1b9f42f9ae393
MD5 hash:	4af5a50bf18ca67d6ddfa8d8b670292b
humanhash:	six-oregon-maine-kilo
File name:	4AF5A50BF18CA67D6DDFA8D8B670292B.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	528'384 bytes
First seen:	2026-01-15 01:05:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'016 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	12288:dVITn6LpSDPBNa7eXayTzP3NbMOXbEOx:y6LpSBFTnXbEi
Threatray	19 similar samples on MalwareBazaar
TLSH	T1BDB4F158135AC902C8921FF50972E3F80F784FD9E962D313DFEA7DEBB93A9541880259
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	48d4f4f0f0f0d8c0 (47 x RedLineStealer, 18 x AgentTesla, 12 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.241.208.141:55615

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.241.208.141:55615	https://threatfox.abuse.ch/ioc/1732320/

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/fdb2b6fb-f8ee-446c-93d7-62669ff0a44a/

Malware family:

redline

ID:

File name:

4AF5A50BF18CA67D6DDFA8D8B670292B.exe

Verdict:

Malicious activity

Analysis date:

2026-01-15 01:05:47 UTC

Tags:

stealer redline lefthook metastealer

Link:

https://app.any.run/tasks/58f0c2db-b4c1-4584-9fea-8af1cedd6c84

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/48938/

Detection(s):

Win.Packed.Boxter-10005643-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69683d6657243ef151cd38d0

Tags:

agenttesla infosteal redline

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypt davinci krypt packed unsafe vbnet xworm

Link:

https://www.filescan.io/uploads/69683d63b5214ecba5eff0fe/reports/e65888d8-789d-4544-90fa-33e7627a298d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9d8ea383d735302930a2ba10ca17dd9ffe87f1b1ae0968777900ebe4a9ec6e2c

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-12T02:47:00Z UTC

Last seen:

2026-01-12T12:25:00Z UTC

Hits:

~100

Detections:

Trojan-Spy.Stealer.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb Backdoor.Agent.TCP.C&C Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Reline.b Trojan-Spy.Stealer.HTTP.C&C PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan-PSW.MSIL.Reline.sb Trojan.Win64.Agent.sb HEUR:Trojan.MSIL.Injector.gen Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Reline.c Trojan.MSIL.Crypt.sb HEUR:Trojan-PSW.MSIL.Agensla.gen Exploit.CVE-2017-11882.TCP.C&C

Link:

https://opentip.kaspersky.com/9d8ea383d735302930a2ba10ca17dd9ffe87f1b1ae0968777900ebe4a9ec6e2c/results?tab=lookup

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/26c1d649-7c4b-4341-856f-f23c7b0dbd8a

Result

Threat name:

PureLog Stealer, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1851011

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9d8ea383d735302930a2ba10ca17dd9ffe87f1b1ae0968777900ebe4a9ec6e2c

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.30 Win 32 Exe x86

Link:

https://app.malva.re/file/4af5a50bf18ca67d6ddfa8d8b670292b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d8ea383d735302930a2ba10ca17dd9ffe87f1b1ae0968777900ebe4a9ec6e2c/

Verdict:

Malicious

Threat:

Family.REDLINE

Link:

https://tip.neiki.dev/file/9d8ea383d735302930a2ba10ca17dd9ffe87f1b1ae0968777900ebe4a9ec6e2c

Threat name:

ByteCode-MSIL.Trojan.PureLogStealer

Status:

Malicious

First seen:

2026-01-12 07:06:16 UTC

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=twhkha6xguycsmfcxiimuf65t77ip4nrvyewq53zadv6jkpmnywa._file

Verdict:

malicious

Label(s):

redlinestealer

unc_loader_078

RedLineStealer

93b27c20a350438c5a232a5fcc9801d39047b03e1b9149d5c0655d8b8cd6d7af

RedLineStealer

9d8ea383d735302930a2ba10ca17dd9ffe87f1b1ae0968777900ebe4a9ec6e2c

RedLineStealer

e3f1902421faae100167994834c994a1ae8c66ff91955011f85cc99339cd97e1

RedLineStealer

error

RedLineStealer

+ 9 additional samples on MalwareBazaar

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:redline family:sectoprat botnet:cheat discovery infostealer rat spyware stealer trojan

Link:

https://tria.ge/reports/260115-bft3bacw9d/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Malware Config

C2 Extraction:

185.241.208.141:55615

Verdict:

Malicious

Tags:

Win.Packed.Boxter-10005643-0

YARA:

n/a

Link:

https://app.threat.zone/submission/358a5346-989d-4ce3-8cc4-d83d6f1d575d

Unpacked files

SH256 hash:

9d8ea383d735302930a2ba10ca17dd9ffe87f1b1ae0968777900ebe4a9ec6e2c

MD5 hash:

4af5a50bf18ca67d6ddfa8d8b670292b

SHA1 hash:

4ae62923ebe646be41cddfafa4b1b9f42f9ae393

Link:

https://www.unpac.me/results/10d5673b-9d60-4e1f-98b9-a0a5770eabe9/

SH256 hash:

8a291c6d9710c7b742d65670f569968cc99fc23fcda532e3e3e04b3b16bdc29e

MD5 hash:

cca71e940a3200a7d54bcabad8eded9b

SHA1 hash:

1c0e3b6ad120e8eef3ea4945e9bcd7e1418d5d93

Link:

https://www.unpac.me/results/10d5673b-9d60-4e1f-98b9-a0a5770eabe9/

SH256 hash:

aeb2bb4904280e9f81845c5268e8a843302bff0a725fb2a1db2fe5b25b44879f

MD5 hash:

0a5ebed3b623664fa621e3d38a10d15f

SHA1 hash:

74d75e556fa107744cb2967a8b01c35fc0f5458f

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/10d5673b-9d60-4e1f-98b9-a0a5770eabe9/

SH256 hash:

370f1b165117a9f9163c56bb99e8edcfd3b0fde44bbf3aa273c2e6fc81c62bf2

MD5 hash:

30e1d868c9e825fb4e91708469185656

SHA1 hash:

e1ab67db0893526c73ed578b06ae16ea2e990568

Detections:

RedLine_a

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/10d5673b-9d60-4e1f-98b9-a0a5770eabe9/

Malware family:

SectopRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9d8ea383d735/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/9d8ea383d735302930a2ba10ca17dd9ffe87f1b1ae0968777900ebe4a9ec6e2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/48938/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample