MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 babb9cd1e9f5437122072090d5248009cd4b249feac002f64347b60cadfb3a68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: babb9cd1e9f5437122072090d5248009cd4b249feac002f64347b60cadfb3a68
SHA3-384 hash: 3831233f5f9cd6b24edfb3f7480ac31ecc44816a2c6b153381366723cf1c817f35e3dfa9d3232185e8bbce330f93520d
SHA1 hash: 8d87b4551b51d041b0266d33f7ffda746f2bf3a9
MD5 hash: 7d52c9e4aa01a8b68a903fe3238340fc
humanhash: illinois-victor-twenty-robert
File name:WEXTRACT.EXE
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:576'000 bytes
First seen:2023-10-25 16:30:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:oMryy90n01w/71mh3mxbxuBU/tUP51dBhKMttBqKWRTs5lgvw:ay+71mhkxHU3T0XTGlYw
Threatray 2'127 similar samples on MalwareBazaar
TLSH T1CEC41212B9F98033E9F62BB158F603E70A367CA04935837F7294AD9A4D72595B43133B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe MysticStealer RedLineStealer


Avatar
adm1n_usa32
C&C at hxxp://193.233.255.73/loghub/

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
WEXTRACT.EXE
Verdict:
Malicious activity
Analysis date:
2023-10-25 16:28:33 UTC
Tags:
stealc stealer redline
Link:
https://app.any.run/tasks/d7455ad5-f995-45d8-80a1-0fcffb2c9334

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456339/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Setting a single autorun event
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
82%
Tags:
advpack anti-vm CAB config-extracted confuserex control explorer greyware installer lolbin lolbin masquerade packed packed redline replace rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/653942cdbc703e36b08cd5f4/reports/0b5c11bf-6415-498a-ac74-f4460b0490f7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/babb9cd1e9f5437122072090d5248009cd4b249feac002f64347b60cadfb3a68
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f937e4d-3c4b-4ac0-8479-40b4ce261533
Result
Threat name:
Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332077
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/babb9cd1e9f5437122072090d5248009cd4b249feac002f64347b60cadfb3a68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/babb9cd1e9f5437122072090d5248009cd4b249feac002f64347b60cadfb3a68/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2023-10-24 13:23:38 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307
RedLineStealer
305653109239144203fae4638c4f7eead4a84928ded603244b35ed1dc07b69d6
RedLineStealer
3861572608ff98d5b620849e73d67dcf776eaccecfe7f59e9c27871ea294fc31
RedLineStealer
46d36cf735f059102b5722d7aaa33c69dfa3f6d6a4f63a8d3528e56952f7a53c
RedLineStealer
6bb828d4ff1635fbb147f9a4accb3a083212ce9c730aec321a4038f0468d73ae
RedLineStealer
71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f
RedLineStealer
92ec90b07b5568d1f3effbb964848ee21f5257843ab5a7fb97135e6b476221b4
RedLineStealer
ad545209b27a1f79bf5d9a2d56694bdeafcb4df7b018704bd08df4995447f19f
RedLineStealer
b5b47105645a8f5d02429e5d856f3b57411344272202a89c7d88a28fcc96a18b
RedLineStealer
d21d77361ba8b190552b4cc7014c8edc11c6599cb3be3948bfb69f7870fb76e3
RedLineStealer
+ 2'117 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kinza infostealer persistence
Link:
https://tria.ge/reports/231025-t1dvyacg41/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
RedLine payload
RedLine
Malware Config
C2 Extraction:
77.91.124.86:19084
Unpacked files
SH256 hash:
a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1
MD5 hash:
0635bc911c5748d71a4aed170173481e
SHA1 hash:
6d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b
Link:
https://www.unpac.me/results/8e083555-28e8-4bc8-b2ec-d71e44a1893c/
SH256 hash:
e42d8e4fa8969941f6f1e3c8160e28ad2bbc0416f2bb0c65400905c187c46ec8
MD5 hash:
ccc90091fb379b152aa91d32e86e078d
SHA1 hash:
9f7647d266f8752e2e06187d5dae4fdb348cf401
Link:
https://www.unpac.me/results/8e083555-28e8-4bc8-b2ec-d71e44a1893c/
SH256 hash:
2d04733eb1005a63239a6516cfc3ea8c305287d22db0fffb9ef3a8f34bb126a8
MD5 hash:
53c34af00ca2bb1a34645a669da32cec
SHA1 hash:
4f8b1cd261beec58fa99e3b13c750df5ec4768a5
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/8e083555-28e8-4bc8-b2ec-d71e44a1893c/
Parent samples :
0da921990e3adf5f4e1e222e4de086733839772aabd9caa954600baa797968c4
e1538f04482893bab777c4a7dd075f5852105724eb1cb0a0947fab5590924f3b
8910c865cc2f368e2272f48b55656bf12ca421d7c6d25aabf51a0c09925f4232
babb9cd1e9f5437122072090d5248009cd4b249feac002f64347b60cadfb3a68
f12ecffd21520fbc12c7537d269532299b2ba86bc9249117c84ff1bc25fe05c3
SH256 hash:
babb9cd1e9f5437122072090d5248009cd4b249feac002f64347b60cadfb3a68
MD5 hash:
7d52c9e4aa01a8b68a903fe3238340fc
SHA1 hash:
8d87b4551b51d041b0266d33f7ffda746f2bf3a9
Link:
https://www.unpac.me/results/8e083555-28e8-4bc8-b2ec-d71e44a1893c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/babb9cd1e9f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/babb9cd1e9f5437122072090d5248009cd4b249feac002f64347b60cadfb3a68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/d7455ad5-f995-45d8-80a1-0fcffb2c9334
Cape
Cape
https://www.capesandbox.com/analysis/456339/

Comments