MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4990b0164b660d9e8966fb35fc3d5f4f30b42c7e3861a14fc9255075b129c86e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4990b0164b660d9e8966fb35fc3d5f4f30b42c7e3861a14fc9255075b129c86e
SHA3-384 hash: 3792022967c6084d7ec7bca77eddcf5c89b64e234fae1ca82465b7cb0253c5233bc3cbd05da21423f1887951ca03c15f
SHA1 hash: ae92354606e30d7b2a626a4bf5d5543b17cb9bbb
MD5 hash: d2c3d087707686a60ee673ca17a13537
humanhash: september-virginia-idaho-winter
File name:SWIFT.docx.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'032'192 bytes
First seen:2021-01-19 07:34:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:RDTTG91rBlegGdBDo45+LY3Xee6mCo42Y1e0LwajVery3OoS0Xglmgap7zBLvnn4:4t+29XgYUGwaRe+/MGNLvn
Threatray 99 similar samples on MalwareBazaar
TLSH 9425AD112288BF14F1BD1B3794A8585497FEFD01E762C92EADD43A8D1AB2F82D617307
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.vasl.ir
Sending IP: 95.217.69.227
From: ProCredit Bank a.d. <info@borbet.sk>
Subject: Fwd: SWIFT
Attachment: SWIFT.docx.cab (contains "SWIFT.docx.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT.docx.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-19 08:20:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8ce99b55-c568-4c75-a5ca-9169bf90c857

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112800/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/584673
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341372 Sample: SWIFT.docx.exe Startdate: 19/01/2021 Architecture: WINDOWS Score: 92 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected RedLine Stealer 2->22 24 Yara detected AntiVM_3 2->24 26 5 other signatures 2->26 7 SWIFT.docx.exe 3 2->7         started        process3 file4 16 C:\Users\user\AppData\...\SWIFT.docx.exe.log, ASCII 7->16 dropped 28 Injects a PE file into a foreign processes 7->28 11 SWIFT.docx.exe 2 7->11         started        signatures5 process6 process7 13 dw20.exe 22 6 11->13         started        file8 18 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 13->18 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4990b0164b660d9e8966fb35fc3d5f4f30b42c7e3861a14fc9255075b129c86e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 07:34:46 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jgilafslmygz5clg7m27ypk7j4ylild6hbq2ct6jevihlmjjzbxa._file
Verdict:
malicious
Similar samples:
134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b
RedLineStealer
14ee2894b546ba6d7835ee4dd8e07ef72fb10bfaebec8f1687da4559267cb72e
RedLineStealer
5c7b804890877a7a9da085d878b0fc1a444aa1b75965e16beab74c978fab6079
RedLineStealer
608d70c1cb35d04fa09469743651ee50e859d9ea016f7492bc53008de310deb7
RedLineStealer
750292519a4b694e981556bdaec9c5b568ac54f1b9cb52fc1f740cd45b2748ec
RedLineStealer
85dd5d9ef955400038cae7ac32f2931c3b6966792bbfd353f14627c2261f2d9c
RedLineStealer
a362c422dd9a2c24a7cc96dc14244742d24274b78da4b0a27157ac9e7c38b04a
RedLineStealer
e56fe870da3015a5537b82acf5b9228953cafa74235b5c9257eaf049a6045cc6
RedLineStealer
ef93be06b93e89bc68dd92ca713f40e320a654c49a241a6884785acf964b8ba9
RedLineStealer
ff8d39974554acf40538107995f0f6b000be41747ca6c34dae415df33596d5a3
RedLineStealer
+ 89 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/210119-vvjphctlre/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Unpacked files
SH256 hash:
23225f2d86003f21a827b2e08b4935dd203563013963f48ccc4ce6d026a5b06c
MD5 hash:
5523e663cf4697857df93a9bd262f12a
SHA1 hash:
e7214f499dffac1125ad423de465b4d5289954b3
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/ff65c617-f987-4343-94db-2f4a48fdd57b/
SH256 hash:
52d35fabfc97d3e903b5d9eb253e8f84d1dfee2967fa9dde6d6ca37cc61951c5
MD5 hash:
b5a7f2596efe4c5fc5f5d2c733d49259
SHA1 hash:
c121578124375dc293e4daf12fac22442a8131b6
Link:
https://www.unpac.me/results/ff65c617-f987-4343-94db-2f4a48fdd57b/
SH256 hash:
b281327bf7bb57d1bb5cde6ad4aa2ac96abf83042e7944374ca3548a271a1755
MD5 hash:
2c871499cfb6299cd978f24528d5b761
SHA1 hash:
ac0cd078054950eba5adf83cf43d93d00306acfb
Link:
https://www.unpac.me/results/ff65c617-f987-4343-94db-2f4a48fdd57b/
SH256 hash:
4990b0164b660d9e8966fb35fc3d5f4f30b42c7e3861a14fc9255075b129c86e
MD5 hash:
d2c3d087707686a60ee673ca17a13537
SHA1 hash:
ae92354606e30d7b2a626a4bf5d5543b17cb9bbb
Link:
https://www.unpac.me/results/ff65c617-f987-4343-94db-2f4a48fdd57b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4990b0164b660d9e8966fb35fc3d5f4f30b42c7e3861a14fc9255075b129c86e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_redline_stealer_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Description:Detects unpacked main component of Redline Stealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

cab fd6f5ba78e9edefb88bf74e98c5e6bb96ba10d0a81b6f347a702891168ada961

RedLineStealer

Executable exe 4990b0164b660d9e8966fb35fc3d5f4f30b42c7e3861a14fc9255075b129c86e

(this sample)

  
Dropped by
MD5 81dcb9edaafb18d391670d06f722d266
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fd6f5ba78e9edefb88bf74e98c5e6bb96ba10d0a81b6f347a702891168ada961
Cape
Cape
https://www.capesandbox.com/analysis/112800/

Comments