MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8c42701da92bb0174aaec5a3236695bc6c4c800389dc0800871d9b7177d2bdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8c42701da92bb0174aaec5a3236695bc6c4c800389dc0800871d9b7177d2bdd
SHA3-384 hash: 30413c3751683f8538dd5e6d6c65d6c48c791ab8aaffcb61ff0f1ca14cdb9a6d669e227272b45c8dd9a0cb7bb087cf84
SHA1 hash: 404846b104e6aefc99e7086ea1a6668bb02dfcdf
MD5 hash: 3feabdbc736736bc35e8746e9149444c
humanhash: wisconsin-hot-dakota-minnesota
File name:wextract.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:777'216 bytes
First seen:2023-10-30 15:51:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:eMr4y90dUNJXv196FZqTUaZQsjjC7TTjBV0rFs62P7Cx8KQgnnHzPehU1KNh6V+w:eyFTfLQqTzZQsUzBKrBjWKBnyWKX6oJu
Threatray 2'381 similar samples on MalwareBazaar
TLSH T1DDF42343A7E685B1D9B223B06DFB02830A39BC559D7C83372305AE5E0D732A5A436737
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457132/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer greyware installer installer lolbin mokes packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/653fd123a8078613bf207121/reports/e78eb623-b73d-4d2a-aa7a-37817832b00f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e8c42701da92bb0174aaec5a3236695bc6c4c800389dc0800871d9b7177d2bdd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12646ee0-39fb-4195-9286-364058e8d1b1
Result
Threat name:
Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1334358
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1334358 Sample: wextract.exe Startdate: 30/10/2023 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Found malware configuration 2->48 50 Antivirus detection for URL or domain 2->50 52 10 other signatures 2->52 8 wextract.exe 1 4 2->8         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 file4 28 C:\Users\user\AppData\Local\...\yo3pi4Tj.exe, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\3Hp9nm34.exe, PE32 8->30 dropped 15 yo3pi4Tj.exe 1 4 8->15         started        process5 file6 32 C:\Users\user\AppData\Local\...\2Wa026iT.exe, PE32 15->32 dropped 34 C:\Users\user\AppData\Local\...\1BL94hl5.exe, PE32 15->34 dropped 40 Antivirus detection for dropped file 15->40 42 Multi AV Scanner detection for dropped file 15->42 44 Machine Learning detection for dropped file 15->44 19 2Wa026iT.exe 4 15->19         started        23 1BL94hl5.exe 15->23         started        signatures7 process8 dnsIp9 36 77.91.124.86, 19084, 49738 ECOTEL-ASRU Russian Federation 19->36 54 Antivirus detection for dropped file 19->54 56 Multi AV Scanner detection for dropped file 19->56 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->58 66 2 other signatures 19->66 60 Machine Learning detection for dropped file 23->60 62 Contains functionality to inject code into remote processes 23->62 64 Writes to foreign memory regions 23->64 68 2 other signatures 23->68 25 AppLaunch.exe 12 23->25         started        signatures10 process11 dnsIp12 38 193.233.255.73, 49737, 80 FREE-NET-ASFREEnetEU Russian Federation 25->38
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e8c42701da92bb0174aaec5a3236695bc6c4c800389dc0800871d9b7177d2bdd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8c42701da92bb0174aaec5a3236695bc6c4c800389dc0800871d9b7177d2bdd/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-29 12:57:24 UTC
File Type:
PE (Exe)
Extracted files:
79
AV detection:
18 of 22 (81.82%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5dccoao2sk5qc5fk5rndentjlpdmjsaahco4baaiohm3of35fpoq._file
Verdict:
malicious
Similar samples:
31111863184999972398bd14df902dc5f24dae8549b4b734c6981501ecb0efa9
RedLineStealer
4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35
RedLineStealer
afd16a178685cbd5fab13e133a2d4db5122ec638f936474547fde620c9660070
RedLineStealer
bf6b84d8e2a2c5f43fd7ced193b7ee22e3ae30e6fde67571bacd4dfb3ddac9d5
RedLineStealer
c6954a8566262d8395ac3861a1dffe990bbce05ef20750716aa63703981a3fbf
RedLineStealer
e776c8b8f6577d90f9fe9a73224690befcdd6a8060ca326c75ec9d5e5b1bd4b8
RedLineStealer
f7864ce4882075fe298e7d312067b9ca244e15aaf4884d755f372580f34a42bd
RedLineStealer
fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58
RedLineStealer
ff1dffb89fbb43e42796b56bca4bfe0878568bcbb62f0503b583aea2c3218e2c
RedLineStealer
+ 2'371 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kinza infostealer persistence
Link:
https://tria.ge/reports/231030-ta2t3sfh32/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.86:19084
Unpacked files
SH256 hash:
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
MD5 hash:
e561df80d8920ae9b152ddddefd13c7c
SHA1 hash:
0d020453f62d2188f7a0e55442af5d75e16e7caf
Link:
https://www.unpac.me/results/7794b57f-ba40-458d-9524-54db62adf896/
SH256 hash:
119c6910c4df8db17a206606e0d1f8e0774cc04041d8e75b8fc084914fc837e5
MD5 hash:
db5e3884e9927aa6e25d77ca341245e7
SHA1 hash:
6583af616513201d9dd624bb2efc9e17020a58bc
Link:
https://www.unpac.me/results/7794b57f-ba40-458d-9524-54db62adf896/
SH256 hash:
cd14bec25b6eac99fe3d267f49ade1a01d21544d55a1e8431bc4b9b68fb69192
MD5 hash:
94fdcaea5fd5e8a0980de19f57fd0ccc
SHA1 hash:
63364c575cd95c948e5961a133ed1e3aed0eed86
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/7794b57f-ba40-458d-9524-54db62adf896/
Parent samples :
fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58
e8c42701da92bb0174aaec5a3236695bc6c4c800389dc0800871d9b7177d2bdd
9a2c37acab79076d98161a87c94c3c0ff08ab04313692591bf49cab9490d316f
SH256 hash:
e8c42701da92bb0174aaec5a3236695bc6c4c800389dc0800871d9b7177d2bdd
MD5 hash:
3feabdbc736736bc35e8746e9149444c
SHA1 hash:
404846b104e6aefc99e7086ea1a6668bb02dfcdf
Link:
https://www.unpac.me/results/7794b57f-ba40-458d-9524-54db62adf896/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e8c42701da92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8c42701da92bb0174aaec5a3236695bc6c4c800389dc0800871d9b7177d2bdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/74cbd591-e1d8-44a0-8ca7-14eee4e3e7cc
Cape
Cape
https://www.capesandbox.com/analysis/457132/

Comments