MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58
SHA3-384 hash: a4689aa41d6ac6cb7a7789cf4290265e14b87768de7c079ef1ae0cbb19f5623048c29b32b0f99f4ddd05dfb166e65fdb
SHA1 hash: a417891ff709302b46eeca7c054b8f1415193c41
MD5 hash: 6d7d9a229c1fe6594966226f8f2321d3
humanhash: colorado-avocado-kansas-fanta
File name:WEXTRACT.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'387'520 bytes
First seen:2023-10-29 19:47:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:5yHVmUvhWb3BsUsPv/O64nLWWBG4DfyG3RZP6HeUpnqXB1Rcsok0O76nA40X+/q:sHVMb3KPv/OM81a6RZPerF61Rck6nNa6
Threatray 2'317 similar samples on MalwareBazaar
TLSH T14B55232386D99876ECB7637014FA02D70E76BD608938D39F3F546E284D72198B53633A
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:Amadey exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
WEXTRACT.bin.zip
Verdict:
Malicious activity
Analysis date:
2023-10-30 02:10:08 UTC
Tags:
sinkhole stealc stealer
Link:
https://app.any.run/tasks/3bf545e2-8431-4f0f-942c-8447b06cc892

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456948/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching cmd.exe command interpreter
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Setting a single autorun event
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer greyware installer installer lolbin mokes packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/653eb6f334de31f579cd857e/reports/2928df96-dc9e-471f-8cdf-e394d5bb9cd7/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1970da4b-10f4-470f-abf5-d7f47b72d081
Result
Threat name:
Amadey, Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1333915
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1333915 Sample: WEXTRACT.exe Startdate: 29/10/2023 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 14 other signatures 2->70 10 WEXTRACT.exe 1 4 2->10         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        17 rundll32.exe 2->17         started        process3 file4 52 C:\Users\user\AppData\Local\...\CF5Uc9wK.exe, PE32 10->52 dropped 54 C:\Users\user\AppData\Local\...\5dV41Kf.exe, PE32 10->54 dropped 19 CF5Uc9wK.exe 1 4 10->19         started        process5 file6 44 C:\Users\user\AppData\Local\...\Fl3Yx9SP.exe, PE32 19->44 dropped 46 C:\Users\user\AppData\Local\...\4EP573RE.exe, PE32 19->46 dropped 88 Antivirus detection for dropped file 19->88 90 Multi AV Scanner detection for dropped file 19->90 92 Machine Learning detection for dropped file 19->92 23 Fl3Yx9SP.exe 1 4 19->23         started        signatures7 process8 file9 48 C:\Users\user\AppData\Local\...\qq5jl9ZL.exe, PE32 23->48 dropped 50 C:\Users\user\AppData\Local\...\3Hf5mn36.exe, PE32 23->50 dropped 94 Antivirus detection for dropped file 23->94 96 Multi AV Scanner detection for dropped file 23->96 98 Machine Learning detection for dropped file 23->98 27 qq5jl9ZL.exe 1 4 23->27         started        31 3Hf5mn36.exe 12 23->31         started        signatures10 process11 file12 56 C:\Users\user\AppData\Local\...\2DG696XD.exe, PE32 27->56 dropped 58 C:\Users\user\AppData\Local\...\1UZ23rn3.exe, PE32 27->58 dropped 100 Antivirus detection for dropped file 27->100 102 Multi AV Scanner detection for dropped file 27->102 104 Machine Learning detection for dropped file 27->104 33 2DG696XD.exe 4 27->33         started        37 1UZ23rn3.exe 27->37         started        signatures13 process14 dnsIp15 60 77.91.124.86, 19084, 49737 ECOTEL-ASRU Russian Federation 33->60 72 Antivirus detection for dropped file 33->72 74 Multi AV Scanner detection for dropped file 33->74 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->76 84 2 other signatures 33->84 78 Machine Learning detection for dropped file 37->78 80 Contains functionality to inject code into remote processes 37->80 82 Writes to foreign memory regions 37->82 86 2 other signatures 37->86 39 AppLaunch.exe 12 37->39         started        42 AppLaunch.exe 37->42         started        signatures16 process17 dnsIp18 62 193.233.255.73, 49736, 49739, 80 FREE-NET-ASFREEnetEU Russian Federation 39->62
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-10-29 09:07:15 UTC
File Type:
PE (Exe)
Extracted files:
154
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7q6u5zotvsnklxg2qzp7gdriawtgaz4ua4hwgmjjrrs5ioilhrma._file
Verdict:
malicious
Similar samples:
15cba6399670fb23e90939e012db772adc6922cd160d5dddcf6f4eed2c888d43
RedLineStealer
1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4
RedLineStealer
34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181
RedLineStealer
488b9084451ceb07b7b18b45ac27ba066d76d81aad5c484c5c13a692345c7bf6
RedLineStealer
68c52b5d06a02d8382c159de27eceb800d1c5f8ca21c03b00f17a9af11ee250d
RedLineStealer
6d9b4a93f740f8bfcb75f34163e4a8e5eba03c0a61b187c356011f7f367246d4
RedLineStealer
6ecf835556c666d9c17c11473060876684c92536382867c591c66110ff225f7c
RedLineStealer
ba3ca45f59a351649b82a187dab6af4b79462528d2d5355dd85ff107a726e76c
RedLineStealer
f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7
RedLineStealer
fcf8b3334a4c5863aa1006ca4674c344f1f39c2ca19a010722671494c14e985b
RedLineStealer
+ 2'307 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kinza infostealer persistence
Link:
https://tria.ge/reports/231029-yh4e4aah66/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.86:19084
Unpacked files
SH256 hash:
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
MD5 hash:
e561df80d8920ae9b152ddddefd13c7c
SHA1 hash:
0d020453f62d2188f7a0e55442af5d75e16e7caf
Link:
https://www.unpac.me/results/b99f4c1b-e16b-4b8c-bf4e-f84b0f562c18/
SH256 hash:
cd14bec25b6eac99fe3d267f49ade1a01d21544d55a1e8431bc4b9b68fb69192
MD5 hash:
94fdcaea5fd5e8a0980de19f57fd0ccc
SHA1 hash:
63364c575cd95c948e5961a133ed1e3aed0eed86
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/b99f4c1b-e16b-4b8c-bf4e-f84b0f562c18/
Parent samples :
fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58
e8c42701da92bb0174aaec5a3236695bc6c4c800389dc0800871d9b7177d2bdd
9a2c37acab79076d98161a87c94c3c0ff08ab04313692591bf49cab9490d316f
SH256 hash:
9980182e2cefcbda499c3b72b1432ca9ce1c6cd8e0b2148cafebd3c69442fb15
MD5 hash:
ec29f052ad8afde0a32fa75c77411189
SHA1 hash:
3548ca6a3981522c9da16a9a8ee48f0b835d022b
Link:
https://www.unpac.me/results/b99f4c1b-e16b-4b8c-bf4e-f84b0f562c18/
SH256 hash:
9cfaaac5c576bde04fb441fa6a229faf0313ce10b18c526105d9df4f8a862e23
MD5 hash:
e3d22298a04edca94e736ff7ff535da1
SHA1 hash:
43c2a026d142f9459bc86a0c383c804321622e4c
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/b99f4c1b-e16b-4b8c-bf4e-f84b0f562c18/
Parent samples :
e1538f04482893bab777c4a7dd075f5852105724eb1cb0a0947fab5590924f3b
8910c865cc2f368e2272f48b55656bf12ca421d7c6d25aabf51a0c09925f4232
fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58
SH256 hash:
fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58
MD5 hash:
6d7d9a229c1fe6594966226f8f2321d3
SHA1 hash:
a417891ff709302b46eeca7c054b8f1415193c41
Link:
https://www.unpac.me/results/b99f4c1b-e16b-4b8c-bf4e-f84b0f562c18/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fc3d4ee5d3ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/29b7f8b6-cf9b-4d0b-adb4-a32baee9c01a
Cape
Cape
https://www.capesandbox.com/analysis/456948/

Comments