Threat Intel Report: Red Stealer (RedLine) — Unmasking a Commodity Credential Harvester via VirusTotal, MalwareBazaar & ThreatFox
Platform: CyberDefenders
Challenge: Red Stealer
Category: Threat Intelligence
Difficulty: Easy
Tools: VirusTotal, MalwareBazaar, ThreatFox, ANY.RUN
Achievement: Proof of Completion
1. Executive Summary
Incident Type: Credential Stealer / Dropper / Information Theft Trojan
Malware Family: RedLine Stealer
A suspicious executable was discovered on a colleague’s workstation with signs of network activity consistent with C2 communication. As part of the Threat Intelligence team, the task was to fully profile the binary using OSINT and threat intelligence platforms — without executing it locally — to extract IOCs, identify C2 infrastructure, map MITRE ATT&CK techniques, and provide actionable intelligence for the incident response team.
RedLine Stealer is one of the most well-documented commodity malware families sold as Malware-as-a-Service (MaaS) on underground forums. It operates as a dropper and information stealer simultaneously — first establishing persistence and process injection, then systematically harvesting browser credentials, cookies, cryptocurrency wallet data, and system information before exfiltrating everything to a configurable C2 server.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b | RedLine Stealer dropper |
| File Name | WEXTRACT.EXE | Original filename on disk |
| IPv4:Port | 77.91.124.55:19071 | C2 Server (Ukraine, AS203727 byon) |
| Botnet ID | frant | RedLine botnet campaign identifier |
| XOR Key | Soumings | Key that decodes the configuration strings (C2 address, botnet ID) embedded in the payload |
| Process | AppLaunch.exe | RedLine process name on victim host (PID 5356) |
| YARA Rule | detect_Redline_Stealer | MalwareBazaar YARA rule by author Varp0s |
| Malware Alias | RECORDSTEALER | Alternative name per ThreatFox |
| Privilege Escalation DLL | ADVAPI32.dll | Library hosting the token and privilege APIs (challenge answer; loaded by nearly every Windows process, see Phase 8) |
MITRE ATT&CK Mapping Overview
| Tactic | Technique | ID |
|---|---|---|
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548 |
| Defense Evasion | Masquerading | T1036 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Discovery | Application Window Discovery | T1010 |
| Discovery | Query Registry | T1012 |
| Discovery | Process Discovery | T1057 |
| Discovery | Security Software Discovery (revoked ID; now T1518.001) | T1063 |
| Discovery | System Information Discovery | T1082 |
| Collection | Data from Local System | T1005 |
| Collection | Input Capture | T1056 |
| Collection | Automated Collection | T1119 |
| Command and Control | Uncommonly Used Port (revoked ID; superseded by T1571 below) | T1065 |
| Command and Control | Application Layer Protocol | T1071 |
| Command and Control | Non-Standard Port | T1571 |
| Impact | Data Destruction | T1485 |
| Impact | Service Stop | T1489 |
| Impact | System Shutdown/Reboot | T1529 |
2. Phase 1: Sample Identification — VirusTotal Detection (Q1 & Q2)
Objective: Submit the SHA-256 hash to VirusTotal to determine the malware’s threat category and identify the original filename associated with this sample.
The lab provides a FileHash.txt file with the SHA-256 hash: 248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b. This is our primary pivot point for all subsequent intelligence gathering.
Q1: What category has Microsoft identified for this malware in VirusTotal?
Q2: What is the file name associated with this malware?
Findings:
VirusTotal returned a detection ratio of 62 out of 72 vendors — an extremely high consensus confirming this is definitively malicious. From this single page, both Q1 and Q2 are answered:
For Q1 — Threat Category:
The Threat categories field shows trojan and dropper. Microsoft (and the community consensus) classifies this as a Trojan. The dropper sub-category is significant — it means this RedLine variant doesn’t just steal data; it also extracts and executes additional payloads on the victim system.
For Q2 — Filename:
The filename shown is WEXTRACT.EXE .MUI, the original filename carried in the PE version resource. WExtract is Microsoft's self-extracting cabinet stub (the runtime behind IExpress packages); this sample is such a package with RedLine's staged components inside, so the name reflects the packaging tool rather than anything the operator chose. The answer (without extension) is Wextract.
Notable behavioral tags from the detection page:
| Tag | Meaning |
|---|---|
long-sleeps | Anti-sandbox timing evasion — the malware sleeps to outlast short sandbox analysis windows |
detect-debug-environment | Anti-analysis — checks if running inside a debugger or VM |
persistence | Survives reboots via autostart mechanisms |
executes-dropped-file | Drops and runs secondary executables (multi-stage dropper) |
spreader | Has lateral movement or propagation capability |
Analyst Note:
The dropper category distinction matters for incident response. A pure stealer is a "burn-it-down-and-rebuild" scenario: the credentials are gone and the host gets reimaged. A dropper-based stealer is worse: by the time the stealer runs, a second payload may already be established that you haven't found yet. Every machine that ran this sample needs a full forensic investigation, not just an antivirus scan.
Answer Q1:
Trojan
Answer Q2:
Wextract
3. Phase 2: First Submission Timestamp (Q3)
Objective: Find the UTC timestamp of the malware’s first submission to VirusTotal to understand when this threat first appeared in the wild.
Q3: What is the UTC timestamp of the malware’s first submission to VirusTotal?
The Details tab on VirusTotal provides submission timeline information including the first time this hash was ever seen. The lab and community data confirms the first submission was recorded on:
2023-10-06 04:41 UTC
This timestamp tells us the sample was relatively new at the time of initial discovery — meaning threat intel feeds and YARA rules may not have been fully mature yet. Newly detected malware requires more urgent containment compared to older, well-documented threats where widespread IOC blocking is already in place.
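Phases 1 and 2 are read off the VirusTotal web UI, but the same fields come back from the v3 API and are easy to mishandle in automation: the first-submission value is an epoch integer that must be rendered in UTC, a vendor result encodes its category as a prefix, and the submitted names need normalising before they agree on one answer. The script below is an added example, not part of the challenge or of VirusTotal's own tooling; it runs offline against a constructed object shaped like the v3 file response, with the Microsoft result string as a placeholder rather than the real detection name.

```python
import datetime as dt
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the VirusTotal API v3 file object that
# GET https://www.virustotal.com/api/v3/files/<sha256> (header: x-apikey) returns.
# Only the fields this page relies on are filled in. The Microsoft "result" string
# is a placeholder, not the real detection name; the counts and the epoch value
# reproduce the lab's figures (62 detections, first seen 2023-10-06 04:41 UTC).
VT_FILE_OBJECT: Dict = {
    "data": {
        "type": "file",
        "id": "248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b",
        "attributes": {
            "first_submission_date": 1696567260,          # epoch seconds, UTC
            "names": ["WEXTRACT.EXE .MUI", "wextract.exe", "setup.exe"],
            "last_analysis_stats": {
                "malicious": 62, "suspicious": 0, "undetected": 10, "harmless": 0,
                "timeout": 0, "failure": 0, "type-unsupported": 0,
            },
            "last_analysis_results": {
                "Microsoft": {"category": "malicious", "result": "Trojan:Win32/Placeholder.A"},
                "OtherAV":   {"category": "malicious", "result": "Dropper.Generic"},
            },
            "popular_threat_classification": {
                "popular_threat_category": [
                    {"count": 40, "value": "trojan"},
                    {"count": 15, "value": "dropper"},
                ],
            },
        },
    }
}


def _attrs(obj: Dict) -> Dict:
    return obj["data"]["attributes"]


def first_submission_utc(obj: Dict) -> str:
    """Render first_submission_date in UTC. The API gives epoch seconds; a naive
    local-time conversion shifts the lab answer by your own UTC offset."""
    ts = _attrs(obj)["first_submission_date"]
    return dt.datetime.fromtimestamp(ts, tz=dt.timezone.utc).strftime("%Y-%m-%d %H:%M UTC")


def detection_ratio(obj: Dict) -> Tuple[int, int]:
    """(malicious, engines that returned a verdict), the '62 / 72' style figure."""
    stats = _attrs(obj)["last_analysis_stats"]
    verdicts = ("malicious", "suspicious", "undetected", "harmless")
    return stats["malicious"], sum(stats.get(k, 0) for k in verdicts)


def vendor_category(obj: Dict, vendor: str) -> Optional[str]:
    """Microsoft names read 'Category:Platform/Family.Variant'; the category is the
    token before the first ':'. None if the vendor is absent or gave no verdict."""
    verdict = _attrs(obj)["last_analysis_results"].get(vendor)
    if not verdict or not verdict.get("result"):
        return None
    return verdict["result"].split(":", 1)[0]


def threat_categories(obj: Dict) -> List[str]:
    """Community threat categories, most-voted first ('trojan', 'dropper')."""
    cats = _attrs(obj)["popular_threat_classification"]["popular_threat_category"]
    return [c["value"] for c in sorted(cats, key=lambda c: -c["count"])]


def filename_stems(obj: Dict) -> Counter:
    """Normalise every submitted name to a lower-case stem so 'WEXTRACT.EXE .MUI'
    and 'wextract.exe' vote for the same answer: drop any resource suffix after
    the first space, then the extension."""
    stems: Counter = Counter()
    for name in _attrs(obj)["names"]:
        stems[PureWindowsPath(name.split()[0]).stem.lower()] += 1
    return stems


if __name__ == "__main__":
    print(first_submission_utc(VT_FILE_OBJECT))                 # 2023-10-06 04:41 UTC
    print(detection_ratio(VT_FILE_OBJECT))                      # (62, 72)
    print(vendor_category(VT_FILE_OBJECT, "Microsoft"))         # Trojan
    print(threat_categories(VT_FILE_OBJECT))                    # ['trojan', 'dropper']
    print(filename_stems(VT_FILE_OBJECT).most_common(1)[0][0])  # wextract
```

Swap the constructed object for the parsed JSON of a real API call and the same five functions answer Q1 through Q3 for any hash in a feed, which is the point of doing this in code rather than in the browser.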
4. Phase 3: MITRE ATT&CK — Data Collection Technique (Q4)
Objective: Identify the specific MITRE ATT&CK technique ID for how RedLine collects data from the system before exfiltration.
Q4: What is the MITRE ATT&CK technique ID for the malware’s data collection from the system before exfiltration?
Findings:
The ATT&CK matrix on VirusTotal's Behavior tab shows coverage across multiple tactics. Under Collection, T1005 (Data from Local System) is highlighted, which directly answers the question.
T1005 — Data from Local System describes how RedLine collects data stored on the local system before exfiltration. In practice, this means:
- Reading Chromium-based browsers' Login Data and Cookies SQLite databases, and Firefox's logins.json (a JSON store, not SQLite) together with its key4.db
- Harvesting cookies, session tokens, and autofill data
- Extracting cryptocurrency wallet files from known paths
- Collecting system profile information (OS version, hardware, installed software)
The matrix also shows breadth in the Discovery tactic, with 10 techniques including:
- T1012, Query Registry (4 events): enumerates installed applications, browser paths, and autorun entries
- T1057, Process Discovery (8 events): scans running processes to identify browser targets and security tools
- T1082, System Information Discovery (13 events): the highest event count; the sample profiles the victim aggressively
The Impact techniques (T1485, T1489, T1529: Data Destruction, Service Stop, System Shutdown/Reboot) are also listed. Treat these as sandbox-inferred signatures rather than confirmed capabilities: they fire on API calls observed during detonation, and a self-extractor's own cleanup and reboot handling can trip them. Verify against the behaviour log before telling responders that the sample destroys data.
Answer Q4:
T1005
5. Phase 4: DNS Resolution — Social Media Domains (Q5)
Objective: Identify which social media-related domains the malware resolved via DNS queries following execution.
Q5: Following execution, which social media-related domain names did the malware resolve via DNS queries?
Findings:
The Behavior tab records the DNS resolutions and URLs contacted while sandbox partners detonated the sample; the Relations tab rolls these up as 62 contacted URLs. The vast majority are Facebook CDN hosts (static.xx.fbcdn.net, fbsbx.com) and Google (fonts.gstatic.com, gstatic.com), and facebook.com appears explicitly in the list.
Two cautions before reading intelligence into this. First, the telemetry comes from VirusTotal's sandboxes, not from the colleague's workstation, so it says nothing about which accounts the real victim had open. Second, RedLine's credential theft is file-based: it reads the browser's SQLite and JSON stores on disk and ships the results over its own C2 channel, which produces no traffic to Facebook or Google. Social-media and CDN lookups in a detonation report are therefore usually background activity of the sandbox image (a browser profile with cached sessions, an HSTS preload pixel) rather than a fingerprint of stolen sessions.
They still matter for two reasons: the question asks what was resolved, and on a real host the same lookups from a browser are normal, so a detection built on "contacted facebook.com" would be worthless. The useful network indicator is the C2 covered in Phase 5, not these domains.
The answer to Q5 is the social media domain itself: the URL https://facebook.com/security/hsts-pixel.gif?c=3.2 in the contacted-URL list confirms facebook.com.
Analyst Note:
Don’t dismiss a sample because its network activity looks like CDN traffic, and don’t over-read that traffic either. The stealer reads cookies and credentials from the browser's databases on disk and exfiltrates them to 77.91.124.55:19071 over its own TCP channel. That connection is not an HTTP URL, so it will not appear as a "contacted URL" in VirusTotal's Relations tab; look for it under contacted IP addresses or in the sandbox's raw network view instead.
Answer Q5:
facebook.com
6. Phase 5: C2 Infrastructure & Malware Configuration (Q6)
Objective: Extract the C2 server IP address and destination port from the ANY.RUN malware configuration panel.
Q6: Can you provide the IP address and destination port the malware communicates with?
Findings:
The ANY.RUN MalConf panel extracted the complete RedLine configuration from the running process:
| Field | Value | Interpretation |
|---|---|---|
| Process | AppLaunch.exe (PID 5356) | RedLine injected into or masqueraded as Microsoft ClickOnce Application Host |
| C2 Server | 77.91.124.55:19071 | TCP on a non-standard port; RedLine's C2 is a .NET WCF net.tcp channel, not HTTP. The answer to Q6 |
| Botnet | frant | Campaign/affiliate identifier; tracks which RedLine MaaS customer deployed this build |
| XOR Key | Soumings | Key the payload uses at runtime to decode its embedded configuration strings (C2 address, botnet ID) |
Why AppLaunch.exe?
AppLaunch.exe is a legitimate Microsoft binary — the ClickOnce Application Launcher. RedLine uses injection or masquerading into this trusted process as a defense evasion technique. Security tools monitoring process names see a known Microsoft application making network connections — far less suspicious than an unknown executable.
Port 19071 and non-standard port abuse:
Web proxies and TLS-inspection gateways only see the ports they are configured to intercept, normally 80 and 443. Port 19071 carries no HTTP at all (RedLine's C2 is a .NET WCF net.tcp channel), so URL filtering and HTTP content inspection never get a look at it; only egress filtering, NetFlow or EDR network telemetry will catch it. This maps to T1571, Non-Standard Port, in the ATT&CK framework.
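The XOR key in the MalConf panel is worth understanding precisely, because it is easy to misread as a traffic cipher. In the RedLine builds analysed publicly, the C2 address and botnet ID are stored in the .NET binary as strings that have been base64-encoded, XORed with the key, and base64-encoded again; the payload reverses this at startup to learn where to connect. The decoder below is an added example, not code from the challenge, from ANY.RUN or from the malware. It assumes that documented layering (verify the order against your own sample, since builder versions vary), and its test vectors are constructed by encoding the page's own values with the recovered key, not bytes taken from the binary.

```python
import base64
import binascii
from itertools import cycle
from typing import Optional, Tuple

XOR_KEY = "Soumings"  # the "Xor" key ANY.RUN recovered from this sample's config


def _xor(text: str, key: str) -> str:
    """XOR each character with the key, cycling the key (repeating-key XOR)."""
    return "".join(chr(ord(c) ^ ord(k)) for c, k in zip(text, cycle(key)))


def encode_config(plaintext: str, key: str) -> str:
    """Mirror of decode_config, used here only to manufacture test data:
    base64(plaintext) -> XOR with key -> base64 again. All intermediate
    characters are ASCII, so latin-1 round-trips them byte for byte."""
    inner = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return base64.b64encode(_xor(inner, key).encode("latin-1")).decode("ascii")


def decode_config(blob: str, key: str) -> str:
    """Reverse the layering: base64-decode, XOR with key, base64-decode.
    validate=True makes a wrong key fail loudly instead of yielding plausible junk."""
    xored = base64.b64decode(blob, validate=True).decode("latin-1")
    inner = _xor(xored, key)
    return base64.b64decode(inner, validate=True).decode("utf-8")


def try_decode(blob: str, key: str) -> Optional[str]:
    """Decode or return None; a wrong key usually breaks the inner base64 alphabet."""
    try:
        return decode_config(blob, key)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def split_c2(value: str) -> Tuple[str, int]:
    """'host:port' -> (host, port); rpartition keeps IPv6-style hosts intact."""
    host, _, port = value.rpartition(":")
    return host, int(port)


# Constructed test vectors: the page's C2 and botnet ID run through encode_config()
# with the recovered key. These are NOT strings lifted from the binary.
ENCODED_C2 = encode_config("77.91.124.55:19071", XOR_KEY)
ENCODED_ID = encode_config("frant", XOR_KEY)

if __name__ == "__main__":
    host, port = split_c2(decode_config(ENCODED_C2, XOR_KEY))
    print(host, port, decode_config(ENCODED_ID, XOR_KEY))   # 77.91.124.55 19071 frant
    print(try_decode(ENCODED_C2, "wrongkey"))                # None or junk, never the C2
```

When you pull the real encoded strings out of a sample (they sit next to the key in the configuration class), feed them to decode_config with the key ANY.RUN or your own unpacking recovered; if the result is not an ip:port and an identifier, the build uses a different layering and the order of the three steps is the first thing to change.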
Detection Opportunity:
Alert on outbound TCP to 77.91.124.55 on any port and on any workstation connection to port 19071, and block the IP at the perimeter firewall. In EDR, search for AppLaunch.exe making outbound connections to destinations outside your Microsoft/ClickOnce allowlist, and for AppLaunch.exe whose parent process runs from a %TEMP%\IXP*.TMP directory.
Answer Q6:
77.91.124.55:19071
7. Phase 6: MalwareBazaar YARA Analysis (Q7)
Objective: Cross-reference the sample with MalwareBazaar’s YARA rule engine to identify the detection rule and its author.
Q7: What’s the name of the YARA rule created by “Varp0s” that detects the identified malware?
Findings:
MalwareBazaar, operated by abuse.ch, runs a community-sourced YARA rule set against every uploaded sample. For this RedLine sample the matching rule is:
- Rule Name: detect_Redline_Stealer
- Author: Varp0s
YARA rules match on binary characteristics (byte sequences, strings, PE header attributes) rather than on hash values, so detect_Redline_Stealer will catch recompiled builds that keep the same code patterns and strings, where a hash IOC is defeated by a single changed byte. The robustness has limits: a packed or freshly obfuscated build only matches once it has been unpacked in memory, so deploy the rule for memory scanning as well as for files on disk.
For the SOC, this YARA rule can be deployed in:
- Endpoint Detection: Most EDR platforms support custom YARA rule deployment for real-time file scanning
- Network Detection: Network traffic analysis tools that extract and scan PE files from PCAP
- SIEM Integration: Threat intelligence feeds that distribute YARA rules for automatic alerting
Detection Tip:
The MalwareBazaar "Alert" subscription lets threat intel analysts receive an email whenever a new sample matching detect_Redline_Stealer is uploaded. It is a free way to track new RedLine variants as they emerge.
Answer Q7:
detect_Redline_Stealer
8. Phase 7: ThreatFox IOC Enrichment — Malware Alias (Q8)
Objective: Validate the C2 IP:port on ThreatFox to confirm attribution, and identify the malware alias associated with this infrastructure.
Q8: Can you provide the different malware alias associated with the malicious IP address according to ThreatFox?
Findings:
ThreatFox confirms and enriches the entire intelligence picture:
| Field | Value | Intelligence Value |
|---|---|---|
| IOC Type | ip:port | Specific IP and port combination |
| Threat Type | botnet_cc | Confirmed active C2 controller, not an infected host |
| Malware | RedLine Stealer | Platform-level attribution with 100% confidence |
| Malware alias | RECORDSTEALER | The alternative name used in some threat intel feeds |
| Confidence Level | 100% (High) | No ambiguity — confirmed RedLine C2 |
| Is Compromised | False | This IP belongs to the attacker — not a hijacked legitimate server |
| ASN | AS203727 (byon) | Hosting network recorded by ThreatFox; a pivot for finding other IOCs reported on the same AS |
| Country | Ukraine (UA) | Geolocation of the C2 server |
| First Seen | 2023-09-27 01:05:23 UTC | First report of this IOC, nine days before the sample's first VirusTotal submission |
| Last Seen | 2026-03-19 07:01:00 UTC | Most recent report; shows the indicator was still being reported, not that the server is necessarily still live |
The Is Compromised: False flag is significant: the reporter marked this as attacker-controlled infrastructure rather than a legitimate server that was hacked and repurposed, so there is no third-party owner to notify and the IP can be blocked outright. Whether AS203727 is "bulletproof" hosting is not something this ThreatFox record establishes; treat that as a separate question for your infrastructure or takedown contacts.
The malware alias RECORDSTEALER is the answer to Q8. This alternative name is used in some threat intelligence platforms and threat hunting queries — knowing both names (RedLine Stealer and RECORDSTEALER) ensures you won’t miss hits when pivoting through different intel feed databases.
Answer Q8:
RECORDSTEALER
9. Phase 8: Privilege Escalation DLL (Q9)
Objective: Identify the DLL utilized by the malware for privilege escalation, by examining the runtime modules loaded during execution.
Q9: Can you provide the DLL utilized by the malware for privilege escalation?
Findings:
The Activity Summary reveals a classic self-extracting dropper execution pattern and lists the DLLs loaded at runtime. Two stand out:
- APPHELP.DLL: application compatibility helper; generally benign
- advapi32.dll: the answer to Q9
Why ADVAPI32.dll for privilege escalation?
ADVAPI32.dll (Advanced API) is a core Windows system library exposing:
- Account and SID lookup (LookupAccountName, LookupAccountSid) for user and group enumeration
- Registry functions (RegOpenKeyEx, RegQueryValueEx) for reading keys that may require elevated access
- Service Control Manager functions for starting, stopping, and creating Windows services
- The legacy CryptoAPI (CryptAcquireContext, CryptDecrypt) for key management and cryptographic operations
- Token and privilege functions (OpenProcessToken, LookupPrivilegeValue, AdjustTokenPrivileges)
Calls such as OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges are how a process enables privileges like SeDebugPrivilege in its own token, which is the behaviour the challenge attributes to ADVAPI32.dll. One caveat for anyone reusing this as an indicator: ADVAPI32.dll is loaded by almost every Windows process, so the image load by itself proves nothing. What matters is which exports the sample calls and from what process context; an unsigned binary running out of %TEMP% adjusting its token privileges is the suspicious part, not the DLL.
The dropped executables pattern:
The IXP*.TMP directory naming is deterministic for WExtract-based droppers — a forensic artifact to hunt for on potentially compromised hosts. If you find directories matching IXP\d{3}\.TMP in AppData\Local\Temp, there is a high probability of a WExtract-packaged payload having been executed. The four staged executables eventually culminate in 1zn59od7.exe — the actual RedLine Stealer payload.
Threat Hunting Tip:
Don't hunt on ADVAPI32.dll image loads; every process loads it and the query returns the whole estate. Hunt on the chain around it instead: a process whose image sits under %TEMP%\IXP*.TMP, or AppLaunch.exe with such a process as its parent, making outbound TCP connections to destinations outside your allowlist. That combination, a non-system binary in a temp path plus outbound C2 connectivity, is the high-fidelity indicator for this family.
Answer Q9:
ADVAPI32.dll
10. Full Attack Chain Summary
| Phase | Kill Chain Stage | Technique | Evidence |
|---|---|---|---|
| 1 | Delivery | Unknown (lab-provided sample) | Sample found on colleague’s machine |
| 2 | Execution | WExtract self-extracting dropper | WEXTRACT.EXE unpacks staged payloads to IXP*.TMP |
| 3 | Defense Evasion | Masquerades as AppLaunch.exe | Microsoft ClickOnce launcher impersonation |
| 4 | Privilege Escalation | ADVAPI32.dll API abuse | Token manipulation for elevated access |
| 5 | Discovery | Registry, Process, System info queries | 13+ system information discovery events |
| 6 | Collection | Browser credential/cookie harvesting | T1005 — Data from Local System |
| 7 | C2 Communication | Raw TCP to 77.91.124.55:19071 | XOR key: Soumings, Botnet: frant |
| 8 | Impact | Service Stop / Reboot capability | T1489, T1529 present in ATT&CK matrix |
11. Remediation & Mitigation Recommendations
Immediate Response
- Isolate the affected workstation immediately; the dropper+stealer combination means additional payloads may still be active
- Block 77.91.124.55 at the perimeter firewall (all ports) and specifically port 19071
- Search all IXP*.TMP directories across the enterprise for WExtract extraction artifacts
- Search EDR for any AppLaunch.exe process making outbound TCP connections to non-Microsoft IPs
- Force password resets for all accounts logged into the compromised workstation
- Revoke browser sessions, particularly Facebook, Google, and OAuth-linked accounts
Detection Rules
- Alert on processes whose OriginalFileName is WEXTRACT.EXE executing from user-writable directories (the legitimate wextract.exe lives in %SystemRoot%\System32; a dropper carries the name only in its version resource)
- Alert on creation of IXP*.TMP directories in %TEMP% followed by .exe extraction
- Alert on AppLaunch.exe making outbound connections to non-Microsoft IPs
- Alert on TCP connections to port 19071 from workstations
- Deploy the detect_Redline_Stealer YARA rule to endpoint security platforms
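The detection opportunities in Phase 5, the hunting tip in Phase 8 and the rule list above all reduce to four checks over endpoint telemetry. The script below is an added example, not part of the writeup or of any vendor's product, that runs those checks over constructed Sysmon-style events (ProcessCreate 1, FileCreate 11, NetworkConnect 3) modelling the chain this report describes. The destination allowlist holds only private ranges and is a placeholder; populating it with Microsoft's published prefixes is assumed to happen out of band.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Indicators from this report.
KNOWN_C2 = {("77.91.124.55", 19071)}
SUSPICIOUS_PORTS = {19071}

# Destinations AppLaunch.exe may reach without comment. Private ranges only;
# extending this with Microsoft's published service-tag prefixes is assumed to
# be done from the official feed, not hard-coded here.
ALLOWED_DEST_NETS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# The genuine self-extractor stub lives under System32/SysWOW64. A process whose
# version resource says WEXTRACT.EXE but which runs from anywhere else is an
# IExpress/WExtract package, i.e. the dropper stage in this report.
LEGIT_WEXTRACT = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\wextract\.exe$")
# Staged payloads dropped into %TEMP%\IXP000.TMP, IXP001.TMP, ...
IXP_DROP = re.compile(r"\\temp\\ixp\d{3}\.tmp\\[^\\]+\.exe$")


def _basename(path: object) -> str:
    return str(path).lower().rsplit("\\", 1)[-1]


def rule_wextract_outside_system32(e: Event) -> bool:
    return (e.get("EventID") == 1
            and str(e.get("OriginalFileName", "")).lower() == "wextract.exe"
            and not LEGIT_WEXTRACT.match(str(e.get("Image", "")).lower()))


def rule_ixp_payload_drop(e: Event) -> bool:
    return e.get("EventID") == 11 and bool(IXP_DROP.search(str(e.get("TargetFilename", "")).lower()))


def rule_applaunch_egress(e: Event) -> bool:
    """AppLaunch.exe talking to anything outside the allowlist."""
    if e.get("EventID") != 3 or _basename(e.get("Image")) != "applaunch.exe":
        return False
    dst = ipaddress.ip_address(str(e["DestinationIp"]))
    return not any(dst in net for net in ALLOWED_DEST_NETS)


def rule_known_c2_or_port(e: Event) -> bool:
    """Exact C2 match or the non-standard port, regardless of process."""
    if e.get("EventID") != 3:
        return False
    dst, port = str(e["DestinationIp"]), int(e["DestinationPort"])
    return (dst, port) in KNOWN_C2 or port in SUSPICIOUS_PORTS


RULES: Dict[str, Callable[[Event], bool]] = {
    "wextract_outside_system32": rule_wextract_outside_system32,
    "ixp_payload_drop": rule_ixp_payload_drop,
    "applaunch_egress": rule_applaunch_egress,
    "known_c2_or_port": rule_known_c2_or_port,
}


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """(rule_name, event_index) for every rule that fires on every event."""
    return [(name, i) for i, e in enumerate(events) for name, fn in RULES.items() if fn(e)]


# Constructed events modelling the chain in this report; file names other than
# the page's 1zn59od7.exe are made up for the example.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\statement.exe",
     "OriginalFileName": "WEXTRACT.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\statement.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\IXP000.TMP\1zn59od7.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "DestinationIp": "77.91.124.55", "DestinationPort": 19071},
    # Benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\wextract.exe",
     "OriginalFileName": "WEXTRACT.EXE", "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "10.20.30.40", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name:28s} event[{idx}]")
```

The first rule keys on OriginalFileName rather than Image because the dropper is never called wextract.exe on disk; the legitimate stub is, and lives in System32, which is exactly why the path test is the discriminator. The C2 connection fires two rules at once, which is the behaviour you want: the IP and port indicator will age out, the AppLaunch.exe egress pattern will not.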
Long-Term Hardening
- Application Control: block execution from %TEMP%\IXP*.TMP\ via AppLocker/WDAC
- Egress Filtering: block all non-approved outbound ports from workstations and alert on attempts
- MFA on all critical accounts: a browser-stolen session cookie bypasses both the password and the MFA prompt, so pair phishing-resistant (FIDO2) MFA with short session lifetimes and prompt revocation to limit what a stolen cookie is worth
12. Conclusion
Red Stealer / RedLine demonstrates why commodity malware remains so dangerous: it doesn't need to be sophisticated. It rides in on a legitimate Windows packaging tool (WExtract), hides in a trusted process (AppLaunch.exe), protects its configuration with nothing more than base64 and a repeating XOR key (Soumings), and talks to its C2 on a non-standard port. Each of those is a well-worn technique, and each still gets past controls that look only at process names, file hashes and web ports.
The multi-platform intelligence approach — hash → VirusTotal → ANY.RUN → MalwareBazaar → ThreatFox — built a complete threat profile without ever executing the sample locally:
- VirusTotal: Threat category (Trojan), filename (Wextract), first submission timestamp, MITRE ATT&CK mapping (T1005), DNS-resolved social media domains (facebook.com)
- ANY.RUN: C2 configuration (77.91.124.55:19071), runtime modules, privilege escalation DLL (ADVAPI32.dll)
- MalwareBazaar: YARA rule for hunting similar samples (detect_Redline_Stealer by Varp0s)
- ThreatFox: C2 infrastructure attribution, malware alias (RECORDSTEALER), country/ASN intelligence
Key Takeaways for the SOC:
- Threat categories matter. A “Trojan + Dropper” classification means there are additional payloads to find. Don’t stop at the first malicious file.
- Non-standard ports are red flags. Port 19071 should generate an immediate alert. Implement egress filtering blocking all non-approved outbound ports from workstations.
- AppLaunch.exe is not immune. Legitimate Microsoft tools get abused constantly. Build behavioral baselines and alert on deviations, not just on process names.
Analysis Date: April 5, 2026
Analyst: El OMARI Zakaria

![ANY.RUN Malware Configuration panel for RedLine. Fields: (PID) Process: (5356) AppLaunch.exe, C2 (1): 77.91.124.55:19071 (highlighted in blue), Botnet: frant, Options — ErrorMessage: [empty], Keys — Xor: Soumings.](/assets/Red Stealer/anyrun-malware-config-redline-c2-77-91-124-port19071.png)