MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a66296782acd77f0fc362522093c3d9af5728fa2c7010f5257aecc3e8c7a145d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 20 File information Comments

SHA256 hash:	a66296782acd77f0fc362522093c3d9af5728fa2c7010f5257aecc3e8c7a145d
SHA3-384 hash:	d1894e0e8fd9ad52eadb3461352bad29c6aadc59aa16921ec78cc700b39ddca8625f1e1d134118d967723fe4f231e55b
SHA1 hash:	7c436723df0214fd0b3fac6ae92ccf7f9d83de20
MD5 hash:	c8badcb37bb3de22a8ce193bbe0ebd7f
humanhash:	florida-hotel-delaware-purple
File name:	a66296782acd77f0fc362522093c3d9af5728fa2c7010f5257aecc3e8c7a145d
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'560'412 bytes
First seen:	2025-07-31 11:51:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6c18c7b89560eb088466f55ac077ce7b (6 x XTinyLoader, 3 x RedLineStealer, 1 x PythonStealer)
ssdeep	98304:iwUjQ0UVEbkrBJXkB3D29ptH3uLxceqoDIenyOf:WQ3WbPzYXJepDhr
TLSH	T17326F058379065BFC07F86B299A41D60DB35B862671BC34BA5A701FC5E5E782CF202B3
TrID	38.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 21.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 16.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.5% (.EXE) Win64 Executable (generic) (10522/11/4) 5.2% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Magika	pebin
dhash icon	f08eb24f23b2cc70 (1 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a66296782acd77f0fc362522093c3d9af5728fa2c7010f5257aecc3e8c7a145d

Verdict:

Malicious activity

Analysis date:

2025-07-31 12:31:35 UTC

Tags:

auto-reg delphi confuser

Link:

https://app.any.run/tasks/00a55282-23a3-49c7-93d7-01105322df49

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/18033/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688b58fcaf3050dc8d32b4d6

Tags:

redline emotet nemty

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Creating a process from a recently created file

Creating a file in the %temp% subdirectories

Creating a window

Creating a file

Enabling the 'hidden' option for recently created files

Сreating synchronization primitives

Creating a process with a hidden window

Searching for synchronization primitives

Moving a recently created file

Connection attempt

Launching a process

Sending an HTTP POST request

Loading a suspicious library

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

Dropper.Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/a66296782acd77f0fc362522093c3d9af5728fa2c7010f5257aecc3e8c7a145d

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e46ce239-8a8f-42ee-bc9e-4e424189098f

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a66296782acd77f0fc362522093c3d9af5728fa2c7010f5257aecc3e8c7a145d

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/c8badcb37bb3de22a8ce193bbe0ebd7f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a66296782acd77f0fc362522093c3d9af5728fa2c7010f5257aecc3e8c7a145d/

Threat name:

Win32.Ransomware.RedLine

Status:

Malicious

First seen:

2025-07-26 19:25:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uzrjm6bkzv37b7bweuraspb5tl2xfd5cy4aq6usxv3gd5dd2croq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:jajaja discovery execution infostealer persistence pyinstaller spyware stealer

Link:

https://tria.ge/reports/250731-n1wsvswkt7/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Detects Pyinstaller

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

ConfuserEx .NET packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

RedLine

RedLine payload

Redline family

Malware Config

C2 Extraction:

176.46.152.46:1911

Verdict:

Malicious

Tags:

red_team_tool

YARA:

SUSP_NET_NAME_ConfuserEx

Link:

https://app.threat.zone/submission/d7399412-5c8d-4313-9df1-509873c22fcd

Unpacked files

SH256 hash:

a66296782acd77f0fc362522093c3d9af5728fa2c7010f5257aecc3e8c7a145d

MD5 hash:

c8badcb37bb3de22a8ce193bbe0ebd7f

SHA1 hash:

7c436723df0214fd0b3fac6ae92ccf7f9d83de20

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

333e72765659c4b24cbdd4a327fdc6d27e47e34b0431c61ffbdf551fd4278a6b

MD5 hash:

330193d906bf1141a2cb35d75d67b477

SHA1 hash:

0a744258ba5e8ad28c8515330014941750a5ebcf

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_NET_NAME_ConfuserEx

MAL_Unknown_PWDumper_Apr18_3

INDICATOR_EXE_Packed_ConfuserEx

INDICATOR_EXE_Packed_Enigma

INDICATOR_EXE_Packed_Loader

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

2a07e9d82531a6e8707d010d217157303a827d8ecce36f58372401b87849728e

MD5 hash:

6564864bc27d4f1fd140648fbea35a0f

SHA1 hash:

0fbce743661919c46427c59237a2c823155eac31

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2

MD5 hash:

0ee914c6f0bb93996c75941e1ad629c6

SHA1 hash:

12e2cb05506ee3e82046c41510f39a258a5e5549

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

MD5 hash:

2ecb51ab00c5f340380ecf849291dbcf

SHA1 hash:

1a4dffbce2a4ce65495ed79eab42a4da3b660931

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

3e1aa9a65ea9ac0969e5a881e20e45b54e91415001419be3958284adce179cae

MD5 hash:

85b2e82368001b942d67f5cba8611ed7

SHA1 hash:

2c633348ee775f27aaf20085e39fac61612dc102

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

afde268102fc799c306b70be34dc0e58adf1cab7b4d88e939ce1b57f90349257

MD5 hash:

34581c24e7e785515166ce9fdbf9fe44

SHA1 hash:

3dc79e5ed31dd31712018eaa28f2c8de551594d6

Detections:

SUSP_XORed_Mozilla

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

Parent samples :

afde268102fc799c306b70be34dc0e58adf1cab7b4d88e939ce1b57f90349257
a66296782acd77f0fc362522093c3d9af5728fa2c7010f5257aecc3e8c7a145d
9cd894b88555d099f3f4a4bfe2c157ebac405bd17470a044aa264f4f1ce7c21a
54c4c50d843657d94cb994b44a9730dd6aef56c241b9359e852fdd3cd31c889c
e6b3328e1c410fbff389fcf3c99b7b19e608ca16ede705df019276d249a819be

SH256 hash:

b8e906449abe92d4f9a7c69bb21cf07b1270ea8112753c4f515c59fbe0d93709

MD5 hash:

834c9344ac3adfbb29bbf00897d22196

SHA1 hash:

722ecc756dd973cd263c2dbc641bb2997ecd8939

Detections:

MAL_Unknown_PWDumper_Apr18_3

INDICATOR_EXE_Packed_Loader

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

9a5850827fe2694c271af9f63b15002ca3d6b8ded8b1e2a7dd620e04ddf8d0ac

MD5 hash:

00d9448e06390490c3e14db34ae9599c

SHA1 hash:

7238b4ef5162689a126e14064e5a9494dfa17137

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

dadca335ab25517609326de40001ea5aaeb0bfa1139f3458df26b07209dc121b

MD5 hash:

5f2a0d681844db68511822247258b551

SHA1 hash:

8fc493af235064349122c82d6bdfb010762734c3

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

74990b7b3cdb9c650ed31da724962d682c19d4f6aaf374eaeb45271c70c3da6a

MD5 hash:

8a80e42126fbaab7cb25f3930fd9f468

SHA1 hash:

b0b20805c2e841c36e75abaf4d6ab58e7dfcc778

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

2ac175b4d44245ee8e7aee9cc36df86925ef903d8516f20a2c51d84e35f23da4

MD5 hash:

3df8d87a482efad957d83819adb3020f

SHA1 hash:

f5b710581355ac5d0de7a36446b93533232144db

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

SH256 hash:

7ac62cafdd04c087fe053906fc0f9dc55c31aade184ba4dd16be7aa41b785e10

MD5 hash:

2fb0f11b778b00c78b56367fd1623011

SHA1 hash:

a1a37cea301f2388c50d85d0479978c9b858672d

Link:

https://www.unpac.me/results/655333b1-9b60-4ede-a26e-411e59b09059/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a66296782acd77f0fc362522093c3d9af5728fa2c7010f5257aecc3e8c7a145d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	extracted_at_0x44b Create hunting rule
Author:	cb
Description:	sample - file extracted_at_0x44b.exe
Reference:	Internal Research

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	INDICATOR_EXE_Packed_Enigma Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Enigma

Rule name:	INDICATOR_EXE_Packed_Loader Create hunting rule
Author:	ditekSHen
Description:	Detects packed executables observed in Molerats

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETDLLMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	ScanStringsInsocks5systemz Create hunting rule
Author:	Byambaa@pubcert.mn
Description:	Scans presence of the found strings using the in-house brute force method

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/18033/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample