MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 779645914bf2b4b7d085520366334ca0c2b3467e078ba4a67a350ee51b14249d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 779645914bf2b4b7d085520366334ca0c2b3467e078ba4a67a350ee51b14249d
SHA3-384 hash: f6aec3e7d58fdbc2dc3f80b59b16ede29e2c237cef202e679c7cce8c75daef83758b692b2f52971372d806b55700b39a
SHA1 hash: 1cc412a3ff8d1cae4a49bcf73955c90c6edebbd2
MD5 hash: 375d27546ead4912dbc521a80fdb6667
humanhash: mobile-rugby-sink-batman
File name: WEXTRACT.exe
Signature: RedLineStealer
File size: 3'908'096 bytes
First seen: 2024-01-06 02:52:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'854 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:r78aFxy7nmvsL3c6J3oAlYpSy+/rHKngEb7HUv6xb:r7X+mvLcV8SL+ng8Ph
TLSH: T193063311A9E4D5F2DEA657B416B203CB0525FF31AE781B367350FA502CA20F4A635B2F
TrID: 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: adm1n_usa32
Tags: exe RedLineStealer WEXTRACT

Intelligence


File Origin
# of uploads: 1
# of downloads: 331
Origin country: RO
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Creating synchronization primitives
Searching for the browser window
DNS request
Setting a single autorun event
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
89%
Tags:
advpack amadey anti-vm CAB control explorer greyware installer installer lolbin mikey packed redcap rundll32 setupapi sfx shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, RHADAMANTHYS, RisePro Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected RHADAMANTHYS Stealer
Yara detected RisePro Stealer
Behaviour
Behavior Graph: ID 1370681 (Sample: WEXTRACT.exe, Startdate: 06/01/2024, Architecture: WINDOWS, Score: 100)
Threat name:
Win32.Trojan.Rhadamanthys
Status:
Malicious
First seen:
2024-01-06 02:53:07 UTC
File Type:
PE (Exe)
Extracted files:
140
AV detection:
17 of 23 (73.91%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
persistence
Behaviour
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
7f518f75cc8bd7011d71fc7cf48837cdf286e9cb9817334ba64a25b3ce292cb6
MD5 hash:
d8e7dc01aacdfeea30dbb710a68a4a0a
SHA1 hash:
c0f66e5f29937ffcc8ae8a34ecdfbcffbc3b7eea
Detections:
AutoIT_Compiled
SHA256 hash:
779645914bf2b4b7d085520366334ca0c2b3467e078ba4a67a350ee51b14249d
MD5 hash:
375d27546ead4912dbc521a80fdb6667
SHA1 hash:
1cc412a3ff8d1cae4a49bcf73955c90c6edebbd2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: EnigmaStub
Author: @bartblaze
Description: Identifies Enigma packer stub.
Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments