MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75ae1751515b48d24859c91fd08bd0595d84decb06566c1d3eec6363b0be9d82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75ae1751515b48d24859c91fd08bd0595d84decb06566c1d3eec6363b0be9d82
SHA3-384 hash: 198c57e5561498c9738873854937a6bbaef4d9e47707a40bd349477db6fb1b4b56a39fc95d6684a2c9c560e7aad76b9a
SHA1 hash: f6fd583d071cf8167fc065fbddbb89c92d18f4cf
MD5 hash: 51e9c5a0bcf4e9e1e9f33bd91b3e50f2
humanhash: august-beryllium-victor-seventeen
File name:OneTapV4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:851'064 bytes
First seen:2021-02-24 07:43:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:EjJXAT5AKpcT/2z6hGiBKMK/RXuYf+FIRqrdZX3EtBD4kdHDmxRJPzSYhwbG7i5S:qdgeKe/BW/huc+FIRI9kdCxRJmUhiS
Threatray 1'142 similar samples on MalwareBazaar
TLSH 2E054A006F418894D2AE3D3ECBE6C83423F6ADA71A21E2837BD49FE7755D9436853385
Reporter Finch39487976
Tags:RedLineStealer


Avatar
Finch39487976
RedLineStealer spreading via Youtube, to find other videos similar search this:
https://www.youtube.com/results?search_query=free+hack+download&sp=EgIIAQ%253D%253D and watch the description, must be something similar to this:
"Download : https://mega.nz/file/gY8ymKDA#O2QyXWm8c4pHWe6rllvdFARwrDqJ37aoYEAlls3SHLA
Download : https://www.sendspace.com/file/17z2s9​
Password : 1111"

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://mega.nz/file/gY8ymKDA#O2QyXWm8c4pHWe6rllvdFARwrDqJ37aoYEAlls3SHLA
Verdict:
Malicious activity
Analysis date:
2021-02-22 00:27:27 UTC
Tags:
trojan rat redline danger beware
Link:
https://app.any.run/tasks/9040620c-f1d0-4e5e-b714-805d3d91eadb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118901/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616294
Signature
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected AntiVM_3
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75ae1751515b48d24859c91fd08bd0595d84decb06566c1d3eec6363b0be9d82/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 20:30:45 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=owxboukrlnenesczzep5bc6qlfoyjxwlazlgyhj65rrwhmf6twba._file
Verdict:
malicious
Similar samples:
002169163197e9a6fbe52c9d5cad8e901e52613d2ff4efbe2ccac367cea51af9
RedLineStealer
2f227912aff8b075c24231e4fd18051f8f5cbbba230810f3724de95e62fdba9a
RedLineStealer
4b69264d212fab133ea59acc6214291f5915ab027ed8b9535214d8a655b0cc91
RedLineStealer
55bb46bf486c75b1774c07b2d71a819131bcf3005e30a6f1817c3e24ed8e2589
RedLineStealer
58bee6329b0740ddeb2191717620b272f3f088d5e9cfa105c2cd52a282aa5092
RedLineStealer
e575af9a4b8de92d24859894514462f2c9ab0a5cb16cf1798a55c923613cd13c
RedLineStealer
ed07c985a733c95aefb4fa4c1fca696471260dd5c72f71f21297a94dd23c159d
RedLineStealer
eff1bcca16d0e0e0838298d7595b9eb098d70bd47fd19fcb7e1e62c8109a7b0e
RedLineStealer
f8ecf503c77e2e7a97a626cb5bcd6954eca80c2a7e2963fd916ce9d0d17b8be0
RedLineStealer
fe474e0bfd1d003f7ae0265c362767a1bcb739fa473deb1da660c907074055ad
RedLineStealer
+ 1'132 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware
Link:
https://tria.ge/reports/210224-y8zzjjzsax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
b2f91d1427c7b60a3ad485bed04ba75636560783c9265a8f26542d5f6aa5d8a9
MD5 hash:
5ad6dc03137fc80e4e691f4b409d9120
SHA1 hash:
edb38e49ce79ecce33ce9a891df56468c3a4016e
Link:
https://www.unpac.me/results/c58c148f-e939-4a2a-942b-968218f58071/
SH256 hash:
75ae1751515b48d24859c91fd08bd0595d84decb06566c1d3eec6363b0be9d82
MD5 hash:
51e9c5a0bcf4e9e1e9f33bd91b3e50f2
SHA1 hash:
f6fd583d071cf8167fc065fbddbb89c92d18f4cf
Link:
https://www.unpac.me/results/c58c148f-e939-4a2a-942b-968218f58071/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 75ae1751515b48d24859c91fd08bd0595d84decb06566c1d3eec6363b0be9d82

(this sample)

  
X
https://twitter.com/Finch39487976/status/1364479461157183488
Malpedia
Malpedia
https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118901/

Comments