MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d7164f19dd9253bd7183d0079e9214228fe5807f0767177d4dcb81a9613f630. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d7164f19dd9253bd7183d0079e9214228fe5807f0767177d4dcb81a9613f630
SHA3-384 hash: 6678f77de114a03139e37400ed502ba5849dccb096eb459bfbf8ef2acbc455a8e340b8f93336c16f88aa4c0c899e949a
SHA1 hash: 39a2b6c23f170e363296c8f1e46cbc5b958f3363
MD5 hash: 8345491616bf59595b083d75fe034499
humanhash: whiskey-alabama-arkansas-utah
File name:8345491616bf59595b083d75fe034499.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'139'200 bytes
First seen:2021-07-29 15:30:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:pPbK1CX4d/dVkKjksUALeA/yscfK3LWaIoTW8rzy8jXksEN6Z7:pzl9KJehaLrBTWqkN6Z7
Threatray 889 similar samples on MalwareBazaar
TLSH T19E35E0386C8CCE96EE5E0737CB8D02689FF0895530F1EA267D593235A480A67F8796C5
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.230.143.16:32115

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.230.143.16:32115 https://threatfox.abuse.ch/ioc/163855/

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SYNAPSE+X+CRACKED.rar
Verdict:
Malicious activity
Analysis date:
2021-07-29 14:59:06 UTC
Tags:
evasion trojan kelihos autoit rat redline stealer vidar
Link:
https://app.any.run/tasks/4519e1ca-cac7-4d20-8818-8532d3e75195

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175084/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5fa4762c-8087-412f-882b-0d133c06f3c2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/823964
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d7164f19dd9253bd7183d0079e9214228fe5807f0767177d4dcb81a9613f630/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 11:37:36 UTC
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jvywj4m53estxvyyhuaht2jbiiup4wah6b3hc56u3s4bvfqt6yya._file
Verdict:
malicious
Similar samples:
1ba812e8f200b18b8f04bf694314c9b5127aa8a3ce5351ac389639fb69d6d528
RedLineStealer
384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc
RedLineStealer
420b49fe0c671b7cad57dcdee0839d65c565c5e84a00c0470e5fe7380248d452
RedLineStealer
89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2
RedLineStealer
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
RedLineStealer
ac5a5556c63a939d8b7f819abed37f562e07a53d4cc774676a7145fff7b5145c
RedLineStealer
d9886bd374d41e121835cb726da295b753c5c6307949da904b1cf3b69bc1fcb9
RedLineStealer
ed834c43c24a468fbbdf46fef36c44e0979d996b8ce1d6c16f4f39323151519d
RedLineStealer
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
RedLineStealer
+ 879 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:new 29.07 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210729-rwzxb5rsjs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
CustAttr .NET packer
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.230.143.16:32115
Unpacked files
SH256 hash:
2857579a75eda2e6f0d3f7ad9532d804edb43beee843fb49cbb82627e8896269
MD5 hash:
8623c1df92c883834ca4a8e91983f5bf
SHA1 hash:
f3e73b9a009c7c14a9c6fb99f268709df2af1781
Link:
https://www.unpac.me/results/2fb80f6a-28c2-48a5-952c-7d1b0a9b0bd2/
SH256 hash:
e67018edcc248c5ef2f95cf3f45b795fe5868d102a80915d00ca9a26c4edb2c0
MD5 hash:
fd77e9a28d7b7db2b35fe9cb4e5abed9
SHA1 hash:
edb405b8599450a87e6f720a193c612b90e0cec2
Link:
https://www.unpac.me/results/2fb80f6a-28c2-48a5-952c-7d1b0a9b0bd2/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/2fb80f6a-28c2-48a5-952c-7d1b0a9b0bd2/
SH256 hash:
4d7164f19dd9253bd7183d0079e9214228fe5807f0767177d4dcb81a9613f630
MD5 hash:
8345491616bf59595b083d75fe034499
SHA1 hash:
39a2b6c23f170e363296c8f1e46cbc5b958f3363
Link:
https://www.unpac.me/results/2fb80f6a-28c2-48a5-952c-7d1b0a9b0bd2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d7164f19dd9253bd7183d0079e9214228fe5807f0767177d4dcb81a9613f630

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4d7164f19dd9253bd7183d0079e9214228fe5807f0767177d4dcb81a9613f630

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1478751/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175084/

Comments