MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4974a39e83741760fbac190891d92d54acb5ae1b1648690b52ad9a409f76d054. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 16 File information Comments 1

SHA256 hash:	4974a39e83741760fbac190891d92d54acb5ae1b1648690b52ad9a409f76d054
SHA3-384 hash:	a5b0e19fe01c87667fd5fef4158ee7540951727317d465d111879314f251a4dd61a8e4fe65b5dad3b9bd044662b8539f
SHA1 hash:	4235c33b668bdea307d21f99a27c4915de9c54ce
MD5 hash:	2883e4a702f36371021622d301737ed9
humanhash:	magnesium-lemon-mockingbird-fix
File name:	2883e4a702f36371021622d301737ed9
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	118'379 bytes
First seen:	2024-10-19 09:39:54 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	3072:ovmMfhT9vyXK2sfr5u8ZJFJmg6dmROAcptplLM:ovmQtqKf48xAg6dmROtpxM
TLSH	T14AC3121D42142F8C483798F57830474F7654357E95C32A6BEBE2643283B026AB2BF7C6
Magika	zip
Reporter	zbetcheckin
Tags:	RedLineStealer zip

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
176.111.174.140:1912	https://threatfox.abuse.ch/ioc/1304645/

Intelligence

File Origin

# of uploads :

# of downloads :

498

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	x.exe
File size:	307'712 bytes
SHA256 hash:	9053b6bbaf941a840a7af09753889873e51f9b15507990979537b6c982d618cb
MD5 hash:	97eb7baa28471ec31e5373fcd7b8c880
MIME type:	application/x-dosexec
Signature	RedLineStealer

Vendor Threat Intelligence

Detection(s):

Win.Malware.Trojanx-9862538-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67137e7ae706a56b5a0303a1

Tags:

Redline Virus Crypt Msil

Result

Verdict:

Malicious

File Type:

PE File

Link:

https://app.docguard.net/4974a39e83741760fbac190891d92d54acb5ae1b1648690b52ad9a409f76d054/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

infostealer keylogger redline redline rijndael

Link:

https://www.filescan.io/uploads/67137e791b8848d25cabfa85/reports/06ca0c0d-5f87-4997-9c6d-c9add00a490a/overview

Verdict:

Suspicious

Labled as:

Troj/Redline

Link:

https://www.hybrid-analysis.com/sample/4974a39e83741760fbac190891d92d54acb5ae1b1648690b52ad9a409f76d054

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/4974a39e83741760fbac190891d92d54acb5ae1b1648690b52ad9a409f76d054

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

100%

Verdict:

Malware

File Type:

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:diamotrix discovery infostealer spyware stealer

Link:

https://tria.ge/reports/241019-qt4k8sydkb/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

176.111.174.140:1912

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4974a39e83741760fbac190891d92d54acb5ae1b1648690b52ad9a409f76d054

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	GenericRedLineLike Create hunting rule
Author:	Still
Description:	Matches RedLine-like stealer; may match its variants.

Rule name:	MALWARE_Win_MetaStealer Create hunting rule
Author:	ditekSHen
Description:	Detects MetaStealer infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	RedLine_Stealer_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Detecting unpacked Redline

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_OneNote Create hunting rule
Author:	spatronn
Description:	Hard-Detect One

Rule name:	Windows_Generic_Threat_efdb9e81 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Generic_40899c85 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_6dfafd7b Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

zip 4974a39e83741760fbac190891d92d54acb5ae1b1648690b52ad9a409f76d054

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3242586/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-10-19 09:39:55 UTC

url : hxxp://176.111.174.140/x.zip