MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 120b4cf74b478310991b88f2334efb065296fcd67ac3ea408d54ad3052f2d908. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 120b4cf74b478310991b88f2334efb065296fcd67ac3ea408d54ad3052f2d908
SHA3-384 hash: daea1cc227bd6a5f1310b46f9da9b1321cd492ab8f3acc5e6b9c038ace64c49117418e0c18e2ded8c3e9de935636b48d
SHA1 hash: 5fba64903404a864bd327195aac09768eb9510f0
MD5 hash: 02970447f658c421d337ef66803298f9
humanhash: eleven-leopard-yellow-double
File name:WEXTRACT5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'197'248 bytes
First seen:2024-01-05 21:16:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 69 x LummaStealer, 61 x Rhadamanthys)
ssdeep 98304:uzht5P2O+Wx7XDY7PeNXENGjTD9Xn69yVQ0sGZiBGGclOXMWgR+dQxyViJK8j:uzh7ZZ87mNEE2uZiYzlVWgR+dQYVik8
Threatray 118 similar samples on MalwareBazaar
TLSH T18E56331957B265D6F46B2F38C1B14192CFB8FD733EEE25AF8380582D06060C4B5BAB56
TrID 58.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RedLineStealer WEXTRACT

Intelligence

File Origin
# of uploads :
1
# of downloads :
345
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
MetaStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469688/
Detection(s):
SecuriteInfo.com.Generic.Exploit.Shellcode.2.8A834396.12339.1511.UNOFFICIAL
Create hunting rule

Win.Malware.Trojanx-9862538-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Creating a file
Running batch commands
Unauthorized injection to a recently created process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack CAB control explorer installer lolbin packed replace rundll32 setupapi sfx shell32 stealer
Link:
https://www.filescan.io/uploads/659871d3fd5068bbc3c67c8e/reports/3ae85703-6803-4237-a53c-fbe588e589e3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/120b4cf74b478310991b88f2334efb065296fcd67ac3ea408d54ad3052f2d908
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f68063e-6c3d-4ed7-84ed-9d739f7a6c83
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1370616
Signature
C2 URLs / IPs found in malware configuration
Creates files with lurking names (e.g. Crack.exe)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1370616 Sample: WEXTRACT5.exe Startdate: 05/01/2024 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Found malware configuration 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 3 other signatures 2->46 8 WEXTRACT5.exe 1 4 2->8         started        11 rundll32.exe 2->11         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\...\no.exe, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\...\SMTPCR~1.EXE, PE32+ 8->28 dropped 13 SMTPCR~1.EXE 19 8->13         started        17 no.exe 8 4 8->17         started        process5 dnsIp6 30 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 13->30 dropped 32 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 13->32 dropped 34 C:\Users\user\AppData\Local\...\python27.dll, PE32+ 13->34 dropped 36 11 other files (8 malicious) 13->36 dropped 48 Creates files with lurking names (e.g. Crack.exe) 13->48 20 SMTPCR~1.EXE 2 13->20         started        22 conhost.exe 13->22         started        38 148.163.89.57, 44136, 49707 IOFLOODUS United States 17->38 50 Multi AV Scanner detection for dropped file 17->50 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->52 54 Machine Learning detection for dropped file 17->54 56 3 other signatures 17->56 file7 signatures8 process9 process10 24 cmd.exe 1 20->24         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/120b4cf74b478310991b88f2334efb065296fcd67ac3ea408d54ad3052f2d908
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/120b4cf74b478310991b88f2334efb065296fcd67ac3ea408d54ad3052f2d908/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-05 13:06:00 UTC
File Type:
PE+ (Exe)
Extracted files:
733
AV detection:
17 of 37 (45.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cifuz52li6brbgi3rdzdgtx3azjjn7gwplb6uqenkswtauxs3eea._file
Verdict:
suspicious
Similar samples:
120b4cf74b478310991b88f2334efb065296fcd67ac3ea408d54ad3052f2d908
RedLineStealer
b023eaad2a07154df78306aa1295197c7f766c6adda7481318cff984a4125092
RedLineStealer
b62a82b6e80e1aeac41958829ca5b03217be8cb4b574a8c47c5c3617fd3306b6
RedLineStealer
c85533dc3627cc14b81a22fb204c42c9e5527e15ad78c832da7a159825de6ec7
RedLineStealer
e840d96297d0a1260965678819666722e37401b84676656a8c6213b42d26dd9f
RedLineStealer
f199aff3254f8943d2f616782a1fb4c5f69f0a6faa0325a10781be8a2fdb77ff
RedLineStealer
+ 108 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:nooname discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/240105-z42n3aagel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
148.163.89.57:44136
Unpacked files
SH256 hash:
120b4cf74b478310991b88f2334efb065296fcd67ac3ea408d54ad3052f2d908
MD5 hash:
02970447f658c421d337ef66803298f9
SHA1 hash:
5fba64903404a864bd327195aac09768eb9510f0
Link:
https://www.unpac.me/results/4ebca50c-48bb-4b40-8a1a-41dfa808cef1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/120b4cf74b47/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/120b4cf74b478310991b88f2334efb065296fcd67ac3ea408d54ad3052f2d908

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/469688/

Comments