MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 644f889c72e122951a1aa1961f390fed9eb1fcbf2fee43f67b7151c411da6b13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 19


Intelligence 19 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 644f889c72e122951a1aa1961f390fed9eb1fcbf2fee43f67b7151c411da6b13
SHA3-384 hash: 978347e35803320391b5206d0a098dd7d5e7c8862e23291589fe8e69fc6e17b836699c4f5e4aa5e5ab5d2c10bb4097f9
SHA1 hash: f1da859228b828a84984afbe1777840aa520f4d6
MD5 hash: 8fee55294b6ce710ba882421a1e282a1
humanhash: bulldog-whiskey-blue-connecticut
File name:same.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'932'992 bytes
First seen:2025-01-03 14:19:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:Ews34wkL3ZF2eHZz14dNtDoyVMbFRUHkWaAm11FjCyhWpypQCJSBRmecn4jMlmj7:oo3z14droyqFuE/h1yy16FzjMlsIC9J
TLSH T1E16633172BF4A11AC4F85B7815F313971E343A52AA38C3ED57C6EDA20C93990B776C26
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10522/11/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter Joker
Tags:exe malware RedLineStealer trojan

Intelligence

File Origin
# of uploads :
1
# of downloads :
515
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
same.exe
Verdict:
Malicious activity
Analysis date:
2025-01-03 14:21:29 UTC
Tags:
lumma stealer amadey botnet loader stealc gcleaner autoit cryptbot auto generic themida credentialflusher github xworm
Link:
https://app.any.run/tasks/5a005f0b-db07-4f50-b1a6-b41520597658

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Downloader.Amadey-9986882-0
Create hunting rule

Win.Downloader.Amadey-9986883-0
Create hunting rule

Win.Downloader.Amadey-9987078-0
Create hunting rule

Win.Downloader.Amadey-9987097-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6777f2e51ada707798259a36
Tags:
autorun cobalt spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Launching a service
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Behavior that indicates a threat
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Disabling the operating system update service
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm anti-vm CAB installer microsoft_visual_cc packed packed packer_detected sfx
Link:
https://www.filescan.io/uploads/6777f2166443af9e2d66f3f9/reports/8548b8ae-d1ce-4f97-a69d-39836f0ae766/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/644f889c72e122951a1aa1961f390fed9eb1fcbf2fee43f67b7151c411da6b13
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43fa30a6-c8ce-46c4-bf69-ddcb343824a6
Result
Threat name:
LummaC, Amadey, LummaC Stealer, Stealc,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1583786
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1583786 Sample: same.exe Startdate: 03/01/2025 Architecture: WINDOWS Score: 100 144 rentry.co 2->144 146 get.craca.ru 2->146 148 3 other IPs or domains 2->148 190 Suricata IDS alerts for network traffic 2->190 192 Found malware configuration 2->192 194 Malicious sample detected (through community Yara rule) 2->194 198 20 other signatures 2->198 12 same.exe 1 4 2->12         started        15 skotes.exe 2->15         started        19 msedge.exe 2->19         started        21 3 other processes 2->21 signatures3 196 Connects to a pastebin service (likely for C&C) 144->196 process4 dnsIp5 122 C:\Users\user\AppData\Local\...1224H84.exe, PE32 12->122 dropped 124 C:\Users\user\AppData\Local\...\4O211C.exe, PE32 12->124 dropped 23 N4H84.exe 1 4 12->23         started        164 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 15->164 166 31.41.244.11 AEROEXPRESS-ASRU Russian Federation 15->166 126 C:\Users\user\AppData\...\e41e5204d9.exe, PE32+ 15->126 dropped 128 C:\Users\user\AppData\...\531581880b.exe, PE32 15->128 dropped 130 C:\Users\user\AppData\...\bf9240674a.exe, PE32 15->130 dropped 132 7 other malicious files 15->132 dropped 168 Hides threads from debuggers 15->168 170 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->170 172 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 15->172 27 bf9240674a.exe 15->27         started        29 f7eded9312.exe 15->29         started        32 abu7zly.exe 15->32         started        36 2 other processes 15->36 34 msedge.exe 19->34         started        file6 signatures7 process8 dnsIp9 96 C:\Users\user\AppData\Local\...\h0i46.exe, PE32 23->96 dropped 98 C:\Users\user\AppData\Local\...\3r66R.exe, PE32 23->98 dropped 210 Multi AV Scanner detection for dropped file 23->210 38 h0i46.exe 1 4 23->38         started        100 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32 27->100 dropped 102 C:\Users\user\AppData\...\win32trace.pyd, PE32 27->102 dropped 104 C:\Users\user\AppData\...\win32process.pyd, PE32 27->104 dropped 110 24 other files (17 malicious) 27->110 dropped 212 Found pyInstaller with non standard icon 27->212 42 bf9240674a.exe 27->42         started        158 rentry.co 104.26.3.16 CLOUDFLARENETUS United States 29->158 160 fallyjustif.click 188.114.96.3 CLOUDFLARENETUS European Union 29->160 106 C:\...\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1, HTML 29->106 dropped 214 Antivirus detection for dropped file 29->214 216 Detected unpacking (changes PE section rights) 29->216 218 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->218 232 7 other signatures 29->232 44 powershell.exe 29->44         started        162 get.craca.ru 80.76.51.73 CLOUDCOMPUTINGDE Bulgaria 32->162 220 Protects its processes via BreakOnTermination flag 32->220 222 Machine Learning detection for dropped file 32->222 224 Tries to evade debugger and weak emulator (self modifying code) 32->224 108 C:\Users\user\AppData\...\AutoIt3_x64.exe, PE32+ 36->108 dropped 112 2 other files (none is malicious) 36->112 dropped 226 Tries to detect sandboxes and other dynamic analysis tools (window names) 36->226 228 Hides threads from debuggers 36->228 230 Tries to detect sandboxes / dynamic malware analysis system (registry check) 36->230 46 AutoIt3_x64.exe 36->46         started        file10 signatures11 process12 file13 92 C:\Users\user\AppData\Local\...\2z8320.exe, PE32 38->92 dropped 94 C:\Users\user\AppData\Local\...\1C05b9.exe, PE32 38->94 dropped 200 Multi AV Scanner detection for dropped file 38->200 48 2z8320.exe 2 38->48         started        53 1C05b9.exe 4 38->53         started        55 conhost.exe 44->55         started        signatures14 process15 dnsIp16 134 185.215.113.16, 49829, 80 WHOLESALECONNECTIONSNL Portugal 48->134 136 fancywaxxers.shop 104.21.112.1, 443, 49747, 49753 CLOUDFLARENETUS United States 48->136 86 C:\Users\...\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe, PE32 48->86 dropped 88 C:\...\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, PE32 48->88 dropped 174 Multi AV Scanner detection for dropped file 48->174 176 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->176 178 Query firmware table information (likely to detect VMs) 48->178 188 4 other signatures 48->188 57 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe 36 48->57         started        62 S0E9GDU0ZDFIFFW6VFPUPGQZ.exe 48->62         started        90 C:\Users\user\AppData\Local\...\skotes.exe, PE32 53->90 dropped 180 Detected unpacking (changes PE section rights) 53->180 182 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 53->182 184 Tries to evade debugger and weak emulator (self modifying code) 53->184 186 Tries to detect virtualization through RDTSC time measurements 53->186 64 skotes.exe 53->64         started        file17 signatures18 process19 dnsIp20 154 185.215.113.206, 49873, 49965, 50021 WHOLESALECONNECTIONSNL Portugal 57->154 156 127.0.0.1 unknown unknown 57->156 114 C:\Users\user\DocumentsbehaviorgraphIJEGDAKEH.exe, PE32 57->114 dropped 116 C:\Users\user\AppData\...\softokn3[1].dll, PE32 57->116 dropped 118 C:\Users\user\AppData\Local\...\random[1].exe, PE32 57->118 dropped 120 11 other files (7 malicious) 57->120 dropped 234 Multi AV Scanner detection for dropped file 57->234 236 Detected unpacking (changes PE section rights) 57->236 238 Attempt to bypass Chrome Application-Bound Encryption 57->238 250 7 other signatures 57->250 66 cmd.exe 57->66         started        68 chrome.exe 57->68         started        71 msedge.exe 57->71         started        240 Tries to evade debugger and weak emulator (self modifying code) 62->240 242 Hides threads from debuggers 62->242 244 Tries to detect sandboxes / dynamic malware analysis system (registry check) 62->244 74 skotes.exe 62->74         started        246 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 64->246 248 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 64->248 file21 signatures22 process23 dnsIp24 76 GIJEGDAKEH.exe 66->76         started        79 conhost.exe 66->79         started        150 192.168.2.6, 443, 49708, 49709 unknown unknown 68->150 152 239.255.255.250 unknown Reserved 68->152 81 chrome.exe 68->81         started        202 Monitors registry run keys for changes 71->202 84 msedge.exe 71->84         started        204 Hides threads from debuggers 74->204 206 Tries to detect sandboxes / dynamic malware analysis system (registry check) 74->206 208 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 74->208 signatures25 process26 dnsIp27 252 Multi AV Scanner detection for dropped file 76->252 254 Detected unpacking (changes PE section rights) 76->254 256 Tries to evade debugger and weak emulator (self modifying code) 76->256 258 3 other signatures 76->258 138 apis.google.com 81->138 140 plus.l.google.com 172.217.23.110, 443, 49947 GOOGLEUS United States 81->140 142 2 other IPs or domains 81->142 signatures28
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/644f889c72e122951a1aa1961f390fed9eb1fcbf2fee43f67b7151c411da6b13
Detection:
xworm
Create hunting rule
Link:
https://mwdb.cert.pl/sample/644f889c72e122951a1aa1961f390fed9eb1fcbf2fee43f67b7151c411da6b13/
Threat name:
Win32.Exploit.StealC
Create hunting rule
Status:
Malicious
First seen:
2025-01-03 14:20:07 UTC
File Type:
PE (Exe)
Extracted files:
116
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mrhyrhds4erjkgq2uglb6oip5wpld7f7f7xeh5t3ofi4ieo2nmjq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
amadey
Create hunting rule
Similar samples:
error
RedLineStealer
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:stealc botnet:9c9aa5 botnet:stok discovery evasion persistence stealer trojan
Link:
https://tria.ge/reports/250103-rnd9tsykfx/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Windows security modification
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.43
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
https://fancywaxxers.shop/api
http://185.215.113.206
Verdict:
Malicious
Tags:
stealer redline Win.Downloader.Amadey-9986882-0
YARA:
detect_Redline_Stealer win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/183b2b74-e653-417d-ba43-a9c332efba9a
Unpacked files
SH256 hash:
d8ad2634c0f1e99dcd5d0db58a57810ed39bdf5f68e3e8a4fddd6727b66ccae4
MD5 hash:
c10552e6670650e273e4d8688d186e30
SHA1 hash:
b11338aff97507be3268bd2eb1fc5a67bda0f4b5
Link:
https://www.unpac.me/results/e997f67d-df5a-48fc-bf0b-a3b0114d9e78/
SH256 hash:
d3f6e303233aa32d6db0a98e15b12c7479e851161e47d6beba528d2f28ad61bd
MD5 hash:
d9b9048bf135f96587b038a1aaf7fd9b
SHA1 hash:
ffa7af429d9604901bc922c6a82aee6e311c41bf
Link:
https://www.unpac.me/results/e997f67d-df5a-48fc-bf0b-a3b0114d9e78/
SH256 hash:
69ebe455f76af6a8611d7097b240574865458d9de0aeddcc94935958f65334ba
MD5 hash:
46b9970ed9e0b2f9ea3daa8d0bafd525
SHA1 hash:
a205ec1a757a4c4885c506e82e5a7d559aa301d2
Link:
https://www.unpac.me/results/e997f67d-df5a-48fc-bf0b-a3b0114d9e78/
SH256 hash:
569cb514f2b13dbea223f2df9fea9cf8c8a66f36d292bb579de772b2473d7c7d
MD5 hash:
c96f81336ad8bdaae4add552570d9018
SHA1 hash:
57a1520f41dbea5bd734426b97a85306157f98a6
Link:
https://www.unpac.me/results/e997f67d-df5a-48fc-bf0b-a3b0114d9e78/
SH256 hash:
ebde115fdbb9660ec5bda11cf5808408dd18f1ac0121078aa31a21502baf7360
MD5 hash:
c343e2457a4be0155aee62f734ae1732
SHA1 hash:
79733912410f253ce225784fa8b272f0833a4678
Detections:
stealc
Create hunting rule
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/e997f67d-df5a-48fc-bf0b-a3b0114d9e78/
SH256 hash:
94a3ca3b515b0eb826d88a951cdfcd03d156c8d92ff739a40a51a414ead4089b
MD5 hash:
edba1d9d0b640f389e4666989661e6dc
SHA1 hash:
55ccdfb7aa8a0d968680f97d53f8e507fcd893a8
Link:
https://www.unpac.me/results/e997f67d-df5a-48fc-bf0b-a3b0114d9e78/
SH256 hash:
5daee6abebf71bd3fbf1a9850cf42c690980587ec99a58bd03e37d068561e74b
MD5 hash:
46863d0d7e9b01d3163b55846b5c9baf
SHA1 hash:
edfd1bbced0fa8244c7d41b2a7f73710bb2c745d
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/e997f67d-df5a-48fc-bf0b-a3b0114d9e78/
SH256 hash:
644f889c72e122951a1aa1961f390fed9eb1fcbf2fee43f67b7151c411da6b13
MD5 hash:
8fee55294b6ce710ba882421a1e282a1
SHA1 hash:
f1da859228b828a84984afbe1777840aa520f4d6
Link:
https://www.unpac.me/results/e997f67d-df5a-48fc-bf0b-a3b0114d9e78/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/644f889c72e1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/644f889c72e122951a1aa1961f390fed9eb1fcbf2fee43f67b7151c411da6b13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:infostealer_win_stealc_standalone
Create hunting rule
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:malware_Stealc_str
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:Stealc infostealer
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Stealc
Create hunting rule
Author:kevoreilly
Description:Stealc Payload
Rule name:Stealer_Stealc
Create hunting rule
Author:Still
Description:attempts to match instructions/strings found in Stealc
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_1f2e969c
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_2bba6bae
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey
Rule name:win_stealc_w0
Create hunting rule
Author:crep1x
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments