MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4633320e3dc8b4e95e5acb0aac61816517045f73e2313ebbc73e42f5fc168dab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4633320e3dc8b4e95e5acb0aac61816517045f73e2313ebbc73e42f5fc168dab
SHA3-384 hash: f55b850e9d36457cb81f9f4a1516c91cad9d52eed4d919227f1658e8ebad1b652f3b53ab936092c45d18738cbfab61f7
SHA1 hash: 0fdea1ab1c6e840dd9b264ab2b2a6225b85cbcf3
MD5 hash: ecf9749ed25221ba4f1d947b7f76ce39
humanhash: triple-vermont-jersey-mango
File name:wextract.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:775'168 bytes
First seen:2023-10-25 03:26:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:hMrWy90PJM3jg2wG6ec9xGKdIL+/Svx6BFod+zOJ1GP8xitmLHjQzgqHvEsx54OU:DyaJn2wtr+LfYBFoVJ1GEAm7jQJvEI4f
Threatray 2'072 similar samples on MalwareBazaar
TLSH T118F41222B3E48932D9F6573454F613C30F32BCE55A38C65A3AD65C5B09B22C9B93173A
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe MysticStealer RedLineStealer


Avatar
adm1n_usa32
mystic stealer or variant of stealc

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
wextract.exe
Verdict:
Malicious activity
Analysis date:
2023-10-25 03:23:33 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/885ba679-6761-44a1-8446-7d5951d98b8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456126/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer greyware installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65388b0858fd0a90733a159d/reports/1b5b75f2-20c2-49bc-9207-44c7c35e9e2a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/4633320e3dc8b4e95e5acb0aac61816517045f73e2313ebbc73e42f5fc168dab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/108a9182-0dbb-497e-a423-de36cb92975b
Result
Threat name:
Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331653
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1331653 Sample: wextract.exe Startdate: 25/10/2023 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Antivirus detection for URL or domain 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 9 other signatures 2->52 8 wextract.exe 1 4 2->8         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 file4 28 C:\Users\user\AppData\Local\...\SM2CX2fW.exe, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\3lu5nF31.exe, PE32 8->30 dropped 15 SM2CX2fW.exe 1 4 8->15         started        process5 file6 32 C:\Users\user\AppData\Local\...\2OQ775Qh.exe, PE32 15->32 dropped 34 C:\Users\user\AppData\Local\...\1OB86Jv8.exe, PE32 15->34 dropped 40 Antivirus detection for dropped file 15->40 42 Multi AV Scanner detection for dropped file 15->42 44 Machine Learning detection for dropped file 15->44 19 1OB86Jv8.exe 15->19         started        22 2OQ775Qh.exe 2 15->22         started        signatures7 process8 dnsIp9 54 Multi AV Scanner detection for dropped file 19->54 56 Contains functionality to inject code into remote processes 19->56 58 Writes to foreign memory regions 19->58 64 2 other signatures 19->64 25 AppLaunch.exe 12 19->25         started        36 109.107.182.133, 19084 TELEPORT-TV-ASRU Russian Federation 22->36 60 Antivirus detection for dropped file 22->60 62 Machine Learning detection for dropped file 22->62 signatures10 process11 dnsIp12 38 5.42.92.88, 49712, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 25->38
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4633320e3dc8b4e95e5acb0aac61816517045f73e2313ebbc73e42f5fc168dab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4633320e3dc8b4e95e5acb0aac61816517045f73e2313ebbc73e42f5fc168dab/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-22 19:15:05 UTC
File Type:
PE (Exe)
Extracted files:
79
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iyztedr5zc2osxs2zmfkyymbmulqix3t4iyt5o6hhzbpl7awrwvq._file
Verdict:
malicious
Similar samples:
16d1a075654019ae8daaa42fdd5de6900f9956c9bcd76d0213678af49acacacf
RedLineStealer
48f7a5ea24629389edc536091f1926ebc0ed159a000f31e847e90c9fa5d5ab34
RedLineStealer
4fcea54a9c17fac90f3b6b0d80308d5f2b7ae10c2bf51e495aed311cf2dee18a
RedLineStealer
64219b448e6239125597fce4a61477bb627f5e5f25bbda18c1d332f3a7f335f6
RedLineStealer
95b032534407f098cd6afaf8388a08348f7c3ce991059cd65eb66885451018cf
RedLineStealer
97a6ff69b40f3587e4a792235f4cddd5dbc76940ae8630e9e474c807ad1634e4
RedLineStealer
b3ef8346783b53a63fd52fa50cfba5f0322ee95dc1f723bee0405c4d5c44263b
RedLineStealer
c279bdf117c56f3ae2931ce5864df8d291f523c359342ef48ced08ed47b72127
RedLineStealer
ce78b18767d7895f03c85d5993742c8b0b02c2b9a64db086191ae434f9991d19
RedLineStealer
f88cd251b69365735b28791a22f55c246039ea1358b594f08972ca465fae617c
RedLineStealer
+ 2'062 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kinder infostealer persistence
Link:
https://tria.ge/reports/231025-dzrseadg54/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
RedLine
RedLine payload
Malware Config
C2 Extraction:
109.107.182.133:19084
Unpacked files
SH256 hash:
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
MD5 hash:
53e28e07671d832a65fbfe3aa38b6678
SHA1 hash:
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
Link:
https://www.unpac.me/results/d4d905be-02db-4304-9282-08682f5307f6/
SH256 hash:
1e34bede1d60299f2891682a79b3b19a06479dfc169638821a38f69b314ac619
MD5 hash:
42bf583378b4e437b13d68644aa5bfd4
SHA1 hash:
d92b9e6ad60bbc2784dafcbf4a2726386fa82a0d
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/d4d905be-02db-4304-9282-08682f5307f6/
Parent samples :
2ebae477e9d5a7f395a441445a0979679048773858f745581bab5d89000b0434
a9bac69d4a1aa3a14034d7367b20311a959caeb5d82d192562798da4ff8ae85e
4633320e3dc8b4e95e5acb0aac61816517045f73e2313ebbc73e42f5fc168dab
SH256 hash:
18df768eb30cfc114fc21b8928dd444ff2588383ae4ce49b27c5eadfbee62494
MD5 hash:
0572982621418a0e19a3a6eec521a34c
SHA1 hash:
09cfe83d59ae05772ffcb60eb51f9fcec1c1ca80
Link:
https://www.unpac.me/results/d4d905be-02db-4304-9282-08682f5307f6/
SH256 hash:
4633320e3dc8b4e95e5acb0aac61816517045f73e2313ebbc73e42f5fc168dab
MD5 hash:
ecf9749ed25221ba4f1d947b7f76ce39
SHA1 hash:
0fdea1ab1c6e840dd9b264ab2b2a6225b85cbcf3
Link:
https://www.unpac.me/results/d4d905be-02db-4304-9282-08682f5307f6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4633320e3dc8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/885ba679-6761-44a1-8446-7d5951d98b8f
Cape
Cape
https://www.capesandbox.com/analysis/456126/

Comments