MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d20ac6d6eda2d70adf552f3bca04c1e030611df9e61febee7246b87410e68d6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 21 File information Comments

SHA256 hash: d20ac6d6eda2d70adf552f3bca04c1e030611df9e61febee7246b87410e68d6e
SHA3-384 hash: f679fb79e49ea7586a149cfe59530a93809db155e25a67ce746dcc3028da67ca653dec6ca695778f860c386002a5dc42
SHA1 hash: ed87b2e3088e4bb147855d2829a48a9e45f03351
MD5 hash: 3f48ee014cdde9588eddecf08bf35821
humanhash: harry-kilo-floor-victor
File name:3f48ee014cdde9588eddecf08bf35821.exe
Download: download sample
Signature RedLineStealer
File size:602'112 bytes
First seen:2026-06-26 15:00:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'116 x AgentTesla, 20'118 x Formbook, 12'358 x SnakeKeylogger)
ssdeep 12288:QkUWLo2zz5eA1GoYqqbnIXWksf1PQQQQQQQMc9VhbO/7T:Q2HzL136
TLSH T1CAD4FF1859BFC015D0E7EAB12DDCA8BBD9A990E3644D793710B4633B4B52784EE0F0B9
TrID 69.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win64 Executable (generic) (6522/11/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
52.43.119.120:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
52.43.119.120:80 https://threatfox.abuse.ch/ioc/1838147/

Intelligence


File Origin
# of uploads :
1
# of downloads :
255
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
redline
ID:
1
File name:
_d20ac6d6eda2d70adf552f3bca04c1e030611df9e61febee7246b87410e68d6e.exe
Verdict:
Malicious activity
Analysis date:
2026-06-26 15:01:11 UTC
Tags:
redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
infosteal redline
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Connection attempt to an infection source
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
agenttesla base64 obfuscated
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-19T15:23:00Z UTC
Last seen:
2026-06-27T20:09:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.MSIL.Reline.c HEUR:Trojan-PSW.MSIL.Reline.gen PDM:Trojan.Win32.Generic Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Reline.sb
Malware family:
RedLine Stealer
Verdict:
Malicious
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2026-06-19 20:20:06 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 36 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
redlinestealer
Result
Malware family:
sectoprat
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:885310924 discovery infostealer rat trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Family: RedLine
Family: SectopRAT
RedLine payload
SectopRAT payload
Malware Config
C2 Extraction:
salanoajalio.xyz:80
Unpacked files
SH256 hash:
d20ac6d6eda2d70adf552f3bca04c1e030611df9e61febee7246b87410e68d6e
MD5 hash:
3f48ee014cdde9588eddecf08bf35821
SHA1 hash:
ed87b2e3088e4bb147855d2829a48a9e45f03351
SH256 hash:
4c9da27c0f3f8dc1efc9a3358da6dbe79fcf8403afedcbd729546e1e2b497e93
MD5 hash:
520d86d743b4afcef10decbdc7807302
SHA1 hash:
de2893321c3d56eb7397942f9cb907d6ae246dd3
Detections:
triage_redline_infostealer triage_redlinestealer_infostealer triage_redlinestealer_rat_crime
Malware family:
SectopRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:MALWARE_Win_MetaStealer
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RedLine_a
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Trojan_Generic_40899c85
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_4df4bcb6
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_f07b3cb4
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_f54632eb
Author:Elastic Security
Rule name:win_redline_stealer_generic
Author:dubfib

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments