MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3db2217ad77f7ab6e9c494bf2a4ef5607a17fa4e6920aa716906e85252cd51ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3db2217ad77f7ab6e9c494bf2a4ef5607a17fa4e6920aa716906e85252cd51ea
SHA3-384 hash: 7534719b3ba157f8ed0ca6de08b15fa41a0b475608c0cd2338c17f1ff19e3affb9073f7e93d51883546522f82bab58da
SHA1 hash: 711a49a73d10aa32c0f84c1545e682a8aa221114
MD5 hash: 417fe1a952fd9ff75a6a5a8901f1e39c
humanhash: pizza-winter-football-washington
File name:WEXTRACT.EXE
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'539'392 bytes
First seen:2024-01-15 05:11:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:VQo+M1JyQR1NR1M6Wq2TN58wq1u50ADAj/BrSwUZuQJX:BtJdR1TK6Z2TN58AlUrStDJ
TLSH T1FC263322DBDA8155EE3D1F7908F60F630A753CA3646817EE3396E8864E64BC5490237F
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RedLineStealer WEXTRACT

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470858/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin masquerade obfuscated packed redcap rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65a4bea499da41ccd7d3edc8/reports/9c85c057-36e9-4ac3-906d-608f7091a758/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/3db2217ad77f7ab6e9c494bf2a4ef5607a17fa4e6920aa716906e85252cd51ea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spark
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3ef3db0-3065-4b5c-bebb-fa9ad6a01f99
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1374593
Signature
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found API chain indicative of sandbox detection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1374593 Sample: WEXTRACT.EXE.exe Startdate: 15/01/2024 Architecture: WINDOWS Score: 100 98 telemetry-incoming.r53-2.services.mozilla.com 2->98 100 services.addons.mozilla.org 2->100 102 11 other IPs or domains 2->102 138 Antivirus / Scanner detection for submitted sample 2->138 140 Multi AV Scanner detection for dropped file 2->140 142 Multi AV Scanner detection for submitted file 2->142 144 4 other signatures 2->144 11 WEXTRACT.EXE.exe 1 4 2->11         started        14 msedge.exe 58 406 2->14         started        16 firefox.exe 1 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 86 C:\Users\user\AppData\Local\...\wi4yt48.exe, PE32 11->86 dropped 88 C:\Users\user\AppData\Local\...\5cu0ZI4.exe, PE32 11->88 dropped 20 wi4yt48.exe 1 4 11->20         started        90 C:\Users\user\...\page_embed_script.js, ASCII 14->90 dropped 92 C:\Users\user\...\eventpage_bin_prod.js, ASCII 14->92 dropped 94 C:\Users\user\AppData\...\content_new.js, Unicode 14->94 dropped 96 C:\Users\user\AppData\Local\...\content.js, Unicode 14->96 dropped 24 msedge.exe 14->24         started        27 msedge.exe 14->27         started        29 msedge.exe 14->29         started        33 4 other processes 14->33 31 firefox.exe 16->31         started        process6 dnsIp7 78 C:\Users\user\AppData\Local\...\jI0xr02.exe, PE32 20->78 dropped 80 C:\Users\user\AppData\Local\...\4vU587cA.exe, PE32 20->80 dropped 150 Multi AV Scanner detection for dropped file 20->150 35 jI0xr02.exe 1 4 20->35         started        39 4vU587cA.exe 20->39         started        108 13.107.246.40, 443, 49772, 49773 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->108 110 ssl.bingadsedgeextension-prod.azurewebsites.net 138.91.254.96, 443, 49722 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->110 116 13 other IPs or domains 24->116 112 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49743, 49749, 49838 GOOGLEUS United States 31->112 114 telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123, 443, 49852, 49853 GOOGLEUS United States 31->114 118 4 other IPs or domains 31->118 82 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 31->82 dropped 84 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 31->84 dropped 41 firefox.exe 31->41         started        43 firefox.exe 31->43         started        45 firefox.exe 31->45         started        47 4 other processes 31->47 file8 signatures9 process10 file11 74 C:\Users\user\AppData\Local\...\2iX6200.exe, PE32 35->74 dropped 76 C:\Users\user\AppData\Local\...\1dh47mq5.exe, PE32 35->76 dropped 146 Multi AV Scanner detection for dropped file 35->146 148 Binary is likely a compiled AutoIt script file 35->148 49 2iX6200.exe 10 2 35->49         started        52 1dh47mq5.exe 13 35->52         started        signatures12 process13 signatures14 126 Multi AV Scanner detection for dropped file 49->126 128 Detected unpacking (changes PE section rights) 49->128 130 Detected unpacking (overwrites its own PE header) 49->130 136 6 other signatures 49->136 132 Binary is likely a compiled AutoIt script file 52->132 134 Found API chain indicative of sandbox detection 52->134 54 chrome.exe 9 52->54         started        57 msedge.exe 10 52->57         started        59 chrome.exe 52->59         started        61 firefox.exe 1 52->61         started        process15 dnsIp16 104 192.168.2.5, 443, 49167, 49596 unknown unknown 54->104 106 239.255.255.250 unknown Reserved 54->106 63 chrome.exe 54->63         started        66 chrome.exe 54->66         started        68 chrome.exe 54->68         started        70 msedge.exe 57->70         started        72 chrome.exe 59->72         started        process17 dnsIp18 120 142.251.16.100, 443, 49859 GOOGLEUS United States 63->120 122 142.251.16.101, 443, 49830, 49832 GOOGLEUS United States 63->122 124 9 other IPs or domains 63->124
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3db2217ad77f7ab6e9c494bf2a4ef5607a17fa4e6920aa716906e85252cd51ea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3db2217ad77f7ab6e9c494bf2a4ef5607a17fa4e6920aa716906e85252cd51ea/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2024-01-14 21:59:39 UTC
File Type:
PE (Exe)
Extracted files:
142
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hwzcc6wxp55ln2oess7sutxvmb5bp6soneqku4lja3ufeuwnkhva._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google evasion persistence phishing trojan
Link:
https://tria.ge/reports/240115-fvt33sahf7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
6f84abac863af87a2b03ec83a4a814d0ae9758952a047485d2ae96e14082d777
MD5 hash:
ac29d06ee3c7d2e4e0acedd88613f7ea
SHA1 hash:
065e4531edfbdc7262a6c079b482b2f222fda554
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/a41b057f-e18c-48eb-b21a-36e082df12ad/
SH256 hash:
3db2217ad77f7ab6e9c494bf2a4ef5607a17fa4e6920aa716906e85252cd51ea
MD5 hash:
417fe1a952fd9ff75a6a5a8901f1e39c
SHA1 hash:
711a49a73d10aa32c0f84c1545e682a8aa221114
Link:
https://www.unpac.me/results/a41b057f-e18c-48eb-b21a-36e082df12ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3db2217ad77f7ab6e9c494bf2a4ef5607a17fa4e6920aa716906e85252cd51ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/470858/

Comments