MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b74d174f38f35432e255b26c97fd0d6e42f986b3efc76045edf69485d23e143. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 12 File information Comments

SHA256 hash:	4b74d174f38f35432e255b26c97fd0d6e42f986b3efc76045edf69485d23e143
SHA3-384 hash:	7400c20c2c19ec920b24e6028519577abdc5ede4dc0e51175f358e358c9ea936792755b025f85b62dc49049207fa5243
SHA1 hash:	9ee479d077da8bf954650485dfedd435079755fe
MD5 hash:	aa551334952249d96c5f610a274edaf1
humanhash:	mockingbird-single-mexico-london
File name:	aa551334952249d96c5f610a274edaf1.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'195'520 bytes
First seen:	2021-10-06 18:35:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 80 x RedLineStealer)
ssdeep	24576:xVgAWYPVaaFNGhCwp9LaysZqgZzIyDm9chbMqME5s8UUtt2rLhK58QG:cAndN4DnTgmybX6+CtK5Z
Threatray	115 similar samples on MalwareBazaar
TLSH	T140453329786D4A7FCCF01674F3722F0351F6FA1D66E766711AA87B8D61A3FE50A000A1
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
92.119.115.229:48282

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
92.119.115.229:48282	https://threatfox.abuse.ch/ioc/231116/

Intelligence

File Origin

# of uploads :

# of downloads :

324

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Loader(5).exe

Verdict:

Malicious activity

Analysis date:

2021-10-02 17:37:08 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/2aec7588-d4e5-408b-af74-3eecf07e12c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/195527/

Detection(s):

Win.Malware.Enigma-9786119-0

PUA.Win.Packer.EnigmaProtector-9852682-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for analyzing tools

Launching a service

Creating a window

Connection attempt

Sending an HTTP POST request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

enigma packed zpevdo

Link:

https://www.filescan.io/uploads/615dec9ee3d213d202b8c953/reports/8d53d819-b491-416a-ad9f-d338138f5cc9/overview

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/48021ec2-edba-4e65-9862-c2b375a91b81

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/865801

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b74d174f38f35432e255b26c97fd0d6e42f986b3efc76045edf69485d23e143/

Threat name:

Win32.Trojan.RedLineSteal

Status:

Malicious

First seen:

2021-10-03 03:01:58 UTC

AV detection:

26 of 45 (57.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jn2nc5htr42uglrflmtms76q23sc7gdlh36hmbc635uuqxjd4fbq._file

Verdict:

malicious

RedLineStealer

5947d6a7fc4014628b957c4ed8ffff7c961f37f155cb814224a89e1f3700f060

RedLineStealer

5d4a8635a8bd54c96eb76c61ba879998437d96bc72557ef2be44183797e49149

RedLineStealer

6c9063a9eff83a71d5cf09591de3f3cb09fc9a209ea67901b939e53cf16eea4d

RedLineStealer

732ba56b4b4044d7356b745db037e41fafe74dd8610e29c5b8c811a18936c09a

RedLineStealer

82a92a627eea0fe47fa124940b5c020a557f5a5bcc347851e9d901a2f134ad30

RedLineStealer

919022b4d48980a56a1805f80646201ae7312cdf64891c3ac591e7eb33a96973

RedLineStealer

d162aea95889e147b96c2ab4da7cf27ec2538abd149a08f96d993fb7a41b002f

RedLineStealer

dee5a4188daae44966c5b8892b85d5e50990045d8d32668e8debb40825dad5b1

RedLineStealer

+ 105 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211006-w8zhqabea7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Unpacked files

SH256 hash:

4b74d174f38f35432e255b26c97fd0d6e42f986b3efc76045edf69485d23e143

MD5 hash:

aa551334952249d96c5f610a274edaf1

SHA1 hash:

9ee479d077da8bf954650485dfedd435079755fe

Link:

https://www.unpac.me/results/ab831fb8-67aa-4358-a2ef-772a6f43a301/

Malware family:

RedLine

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4b74d174f38f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4b74d174f38f35432e255b26c97fd0d6e42f986b3efc76045edf69485d23e143

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_mem Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_smominru_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/195527/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample