MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cac7ea634c540650c427a4b28bb1cd110f17dddc92ce15c9b7e7d5b118a99386. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: cac7ea634c540650c427a4b28bb1cd110f17dddc92ce15c9b7e7d5b118a99386
SHA3-384 hash: c4b40d049100ea6a0a734f7c3f9d7e0fba182f569314f7e7ed023c200d929f5d639848d93be8f8472b81e799d0ad68b7
SHA1 hash: 04631f34a987deaf69fffad68748ae96ec0555df
MD5 hash: 87479f625e25580890e46759f1ea4348
humanhash: skylark-beer-network-mockingbird
File name: wfxre.exe
Signature: RedLineStealer
File size: 5'214'208 bytes
First seen: 2024-01-12 05:22:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:Q0gm5obnq9pAi9PJgscaSKdHTWuWIYMrsTMHX/jxdk7lPRR78BWwhW8MHYa5Mr3S:Q0DobnaqeRhzHLWMATeLzsv8BQZ50S
TLSH: T16436331775E49833DCE2AF70585222F739383CF2562DC19E2615C68E2D236D9B832B97
TrID:
  41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: adm1n_usa32
Tags: exe RedLineStealer WEXTRACT

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 395
Origin country: RO
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Behavior that indicates a threat
Searching for the browser window
DNS request
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 91%
Tags: advpack anti-vm CAB control crypto explorer fingerprint greyware installer lolbin monero packed risepro rundll32 setupapi sfx shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary; depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Behaviour
Behavior Graph (ID: 1373505, sample: wfxre.exe, start date: 12/01/2024, architecture: WINDOWS, score: 100). Process chain recovered from the graph:
  Start node: DNS request for stun.l.google.com; antivirus / scanner detection for submitted sample, antivirus and multi-AV scanner detection for dropped file, 5 other signatures. Starts wfxre.exe and three rundll32.exe instances.
  wfxre.exe: drops C:\Users\user\AppData\Local\...\XF8Cf00.exe and C:\Users\user\AppData\Local\...\5dt1xo9.exe (PE32); starts XF8Cf00.exe.
    XF8Cf00.exe: drops C:\Users\user\AppData\Local\...\Jl8CW46.exe and C:\Users\user\AppData\Local\...\4RM017gt.exe (PE32); antivirus, multi-AV scanner and machine-learning detection for dropped file; starts Jl8CW46.exe.
      Jl8CW46.exe: drops C:\Users\user\AppData\Local\...\Il7yr66.exe and C:\Users\user\AppData\Local\...\3Lq33RS.exe (PE32); antivirus and machine-learning detection for dropped file; starts Il7yr66.exe and 3Lq33RS.exe.
        Il7yr66.exe: drops C:\Users\user\AppData\Local\...\2qn4566.exe and C:\Users\user\AppData\Local\...\1Mc62VO9.exe (PE32); antivirus detection for dropped file, binary is likely a compiled AutoIt script file, machine-learning detection for dropped file; starts 2qn4566.exe and 1Mc62VO9.exe.
          2qn4566.exe: antivirus detection for dropped file, multi-AV scanner detection for dropped file, detected unpacking (changes PE section rights), 7 other signatures.
          1Mc62VO9.exe: binary is likely a compiled AutoIt script file, machine-learning detection for dropped file, found API chain indicative of sandbox detection; starts three chrome.exe instances and 7 other processes.
            chrome.exe: contacts 192.168.2.8 (unknown) and 239.255.255.250 (reserved); spawns further chrome.exe children, which contact tpop-api.x.com (104.244.42.130, TWITTERUS, United States), tpop-api.twitter.com (104.244.42.194, TWITTERUS, United States) and 122 other IPs or domains.
Threat name: Win32.Trojan.RiseProStealer
Status: Malicious
First seen: 2024-01-12 05:23:08 UTC
File Type: PE (Exe)
Extracted files: 182
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence trojan
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Windows security modification
Modifies Windows Defender Real-time Protection settings
Unpacked files
SHA256 hash: 2c541630836c11354da631ebf759056b68bbb6ce3dfb9223270276b8806c58cf
MD5 hash: ff478fd67e943b3f5c32e69789358647
SHA1 hash: 0eb79efbfa5cd130c53f2cfdd6a7cc97dd00a3cf
Detections: AutoIT_Compiled
SHA256 hash: cac7ea634c540650c427a4b28bb1cd110f17dddc92ce15c9b7e7d5b118a99386
MD5 hash: 87479f625e25580890e46759f1ea4348
SHA1 hash: 04631f34a987deaf69fffad68748ae96ec0555df
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
  RedLineStealer | Executable exe | cac7ea634c540650c427a4b28bb1cd110f17dddc92ce15c9b7e7d5b118a99386 (this sample)
Delivery method: Distributed via web download

Comments