Avast detects Redline Stealer as malware?

Avast detects this as Win32:DropperX-gen [Drp]; RedLine Stealer runs in Task Manager as "AddInProcess.exe".

Detected here: hxtp://37.0.11.8/USA/Ghazals.exe (status: online, type: 32-bit exe, tag: RedLineStealer)
See: https://urlhaus.abuse.ch/url/1478827/ (the address is cache-banned when one is behind a proxy: Varnish cache).
Dutch IP address, active. Win32 exe, application/x-msdos-program, malware.

Three security vendors detect it: https://www.virustotal.com/gui/url/b751f19cd96353ce6da97507fefea0870e30ccd64eee12fc4161199cef3010fc/detection

Blacklisted: https://sitecheck.sucuri.net/results/37.0.11.8/tinyfilemanager.php
See: https://sitereport.netcraft.com/?url=http%3A%2F%2F37.0.11.8%2Ftinyfilemanager.php+++
H3K file manager, not a secure connection, see: https://sitereport.netcraft.com/netblock?q=SERVER-37-0-8-0%2C37.0.8.0%2C37.0.11.255 and https://sitereport.netcraft.com/?url=http://37.0.11.8#history_table (server)

polonus

Avast detects this as Win32:DropperX-gen [Drp],
Win32:PWSX-gen [Trj]

https://www.virustotal.com/gui/file/47e664136a31fc84d67b966a9d31cf9828a61a1c82c763b4f0c3f7df3803dafa/detection

Hi Pondus,

Thanks for checking. But a different IP is mentioned there: https://www.virustotal.com/gui/file/47e664136a31fc84d67b966a9d31cf9828a61a1c82c763b4f0c3f7df3803dafa/relations

pol

You posted this link: https://urlhaus.abuse.ch/url/1478827/

Scroll down to Payload; the file hash is given there (SHA-256). Search for it at VT and see the result.

OK, Pondus, got that ;D

At first I didn't see that, because I visited that page behind an encrypted proxy and got a 405 (banned),
as described here: https://www.section.io/blog/varnish-cache-503-error-guru-meditation/ where
the 405 error can also mean that the corresponding HTTP methods for certain MIME types
(an HTML document, for example) have been disabled by the hosting provider for security reasons,

like:

➜ ~ curl -X BAN localhost -H "X-Ban: /v1/account/123"

200 Ban added
Error 200 Ban added
Ban added
Guru Meditation:
XID: 14
Varnish cache server

being behind an Epic browser VPN from London.

polonus
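The BAN-over-HTTP call quoted above is not something Varnish supports out of the box: the HTTP BAN method only does anything if the site's VCL handles it and calls ban(), and the "Error 200 Ban added / Guru Meditation: / XID:" text in the reply is Varnish's default synthetic page rendered as plain text. The following VCL is an added example written for this thread, not code from the thread, from the section.io article or from the host discussed here; the acl name (purgers), the X-Ban header and the choice to answer 405 to clients outside the acl are assumptions about how such a handler is commonly written. It shows the weak variant (anyone can flush the cache) beside a restricted one, and how a client arriving through a proxy or VPN exit would end up with a 405 page like the one polonus saw:

```vcl
vcl 4.1;

# Hypothetical acl: only these source addresses may issue BAN requests.
acl purgers {
    "127.0.0.1";
    "::1";
}

sub vcl_recv {
    if (req.method == "BAN") {
        # Weak variant (left commented out): no acl check, so any client on
        # the internet can evict cached objects by sending BAN requests.
        #   ban("req.url ~ " + req.http.X-Ban);
        #   return (synth(200, "Ban added"));

        # Restricted variant: refuse the method for clients outside the acl.
        # A caller behind a proxy or VPN exit is not in 'purgers', so it gets
        # the default synthetic page with status 405 instead of a ban.
        if (!client.ip ~ purgers) {
            return (synth(405, "Method not allowed"));
        }
        if (!req.http.X-Ban) {
            return (synth(400, "X-Ban header missing"));
        }
        # Invalidate every cached object whose request URL matches the
        # regex supplied in X-Ban (for example /v1/account/123).
        ban("req.url ~ " + req.http.X-Ban);
        return (synth(200, "Ban added"));
    }

    # Methods outside the standard set are answered with 405 as well, which
    # is one way a hosting provider "disables" HTTP methods at the cache.
    if (req.method != "GET" && req.method != "HEAD" &&
        req.method != "POST" && req.method != "PUT" &&
        req.method != "DELETE" && req.method != "OPTIONS" &&
        req.method != "PATCH") {
        return (synth(405, "Method not allowed"));
    }
}
```

With this loaded, the curl command from the post (curl -X BAN localhost -H "X-Ban: /v1/account/123") returns the 200 "Ban added" page when run on the cache host itself, and a 405 page with the same Guru Meditation/XID layout when it arrives from any address not listed in the acl.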