Managed XDR

wextract.exe-.mui (Amadey, RedLine Stealer) — malware analysis report

File info

Filename: wextract.exe-.mui
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 2.5 MB
First seen: 2026-03-05 19:59
Last seen: 2026-03-05 19:59

Environment

w10/x64 en

Hashes

SHA1: 899e9d0e28f0b799f8c2222407ad5dba6b3556d2
SHA256: a9bbd3fe8768a89ffbd672a5c0847dc039d34d65a282b7aa827c0d76da6d2ac2
MD5: 447b868c62ee1c7beb8a3cdbeefe4327

Malwares

Amadey
RedLine Stealer

Signatures

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562.001 disables_security: Disables Windows Security options

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1112 wu_server: Sets or changes an update server used by Windows Update

T1562.001 disables_windowsupdate: Disables Windows Auto Updates

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1518.001 antiav_detectservice: Attempts to detect installed antiviruses by a certain service

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Impact

T1489 stops_service: Stops Windows services

T1489 change_service_config: Stops services via ChangeServiceConfig

T1489 service_control_stop: Stops services via ControlService

Other

yara_rules: Static rules

creates_exe: Creates executable files in the file system

dead_host: Connects to IP addresses that do not respond to requests

has_pdb: This executable file has a PDB path

creates_suspended_process: Creates suspended process

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

pe_overlay: PE file contains overlay

open_winlogon_process: Trying to open winlogon process

executes_dropped_exe: Executes dropped exe files

Related reports

Managed XDR