Authored by Yashvi Shah
McAfee Labs has observed a rise in Wextract.exe samples that drop a malware payload in multiple stages.
Wextract.exe is a Windows executable used to extract files from a cabinet (.cab) file. Cabinet files are compressed archives used to package and distribute software, drivers, and other files. It is a legitimate file that is part of the Windows operating system and is located in the System32 folder of the Windows directory. However, like other executables, it can be abused by malicious actors who use it as a disguise for malware.
Some common ways in which malicious actors use a fake or modified version of wextract.exe include:
- Malware Distribution: Malicious actors can use a fake version of wextract.exe to deliver malware onto a victim's computer. They can disguise the malware as a legitimate file and use the fake wextract.exe to extract and execute the malicious code.
- Information stealing: A fake or modified wextract.exe can be used to steal sensitive information from a victim's computer. Malicious actors can modify the code to include keyloggers or other data-stealing techniques.
- Remote Access: Malicious actors can use a fake wextract.exe to gain remote access to a victim's computer. They can use the modified wextract.exe to create a backdoor or establish a remote connection to the victim's computer, allowing them to carry out various malicious actions.
- Ransomware Delivery: Malicious actors can use a fake or modified "wextract.exe" to install ransomware on a victim's system. For example, they might create a fake Windows Installer package that appears to be a legitimate software update or utility but also includes a modified "wextract.exe" that encrypts the victim's files and demands a ransom payment for their decryption.
McAfee Labs collected malicious wextract.exe samples from the wild and analyzed their behavior.
This blog provides a detailed technical analysis of a malicious "wextract.exe" that is used as a delivery mechanism for several types of malware, including Amadey and Redline Stealer. It also provides detailed information on the techniques used by the malware to evade detection by security software and execute its payload. Once the malware payloads are executed on the system, they establish communication with a Command and Control (C2) server managed by the attacker. This communication allows the attacker to exfiltrate data from the victim's system, including sensitive information such as login credentials, financial data, and other personal information.
Figure 1: Characteristics of the file
The file is a 32-bit Portable Executable, 631.50 KB in size. The original name of the file is WEXTRACT.EXE.MUI. The file description is "Самоизвлечение CAB-файлов Win32", written in Russian, which means "Self-Extracting Win32 CAB Files". The legal copyright mentions Microsoft Corporation. Many of the static strings in this file were found to be written in Russian.
Normally, the resource section (.rsrc) contains resources used by the program, such as icons, bitmaps, strings, and dialog boxes. Attackers leverage the resource section of a PE file to improve the success of their attacks by evading detection, enhancing persistence, and adding functionality.
The resource section of this sample holds multiple files, of which the CABINET resource accounts for 75.75% of the whole file, which makes that resource suspicious.
Figure 2: Resources in the file
A CAB (Cabinet) file is a compressed archive format that is often used to compress and package multiple files into a single file for distribution or installation. A CAB file in the resource section of a PE file can be used for various purposes, such as storing additional program files or data, including language-specific resources, or compressing and storing commonly used resources to reduce the size of the executable.
The CABINET holds two executables, cydn.exe and vona.exe.
Figure 3: CABINET in the resource section
Likewise, under RCDATA there is another attribute called "RUNPROGRAM", which starts cydn.exe. RUNPROGRAM in the resource section of a malware file typically refers to a resource that contains instructions for the malware to execute a specific program or command. When the malware is executed, it loads the resource containing the "RUNPROGRAM" command and attempts to execute the specified program or command. This technique is often used by malware authors to execute additional malicious programs or commands on the infected system. For example, the "RUNPROGRAM" resource may contain instructions to download and execute additional malware, or to launch a malicious script or command that performs various malicious actions such as stealing sensitive data, creating backdoors, or disabling security software.
Figure 4: RUNPROGRAM attribute stating "cydn.exe"
Like RUNPROGRAM, POSTRUNPROGRAM also holds an instruction to run an executable, in this case after RUNPROGRAM has executed. Hence, once cydn.exe has executed, vona.exe will be executed.
Figure 5: POSTRUNPROGRAM stating "vona.exe"
Once WEXTRACT.exe is executed, both cydn.exe and vona.exe are dropped in the TEMP folder. The TEMP folder is a commonly used location for malware to store temporary files and other data, as it is usually writable by any user account and is not usually subject to strict security restrictions. This can make it easier for the malware to operate without raising suspicion or triggering security alerts.
Figure 6: Files dropped in the TEMP folder
Stage 2: Analysis of cydn.exe
The file showed a high file ratio for the resource section, with an entropy of 7.810. Entropy is a measure of the randomness or unpredictability of the data in the file. It is often used as an indicator of whether a file is likely to be malicious.
In the case of a PE file, high entropy can indicate that the file contains a large amount of compressed or encrypted data, or that it has been obfuscated or packed in a way that makes it harder to analyze. This is a common technique used by malware authors to evade detection by antivirus software.
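As an added illustration (not code from the original analysis), the following Python script reproduces the two triage signals used above, the share of the file taken by the resource section and that section's Shannon entropy, by parsing the PE section table directly. The PE it scores is constructed inside the script, and the names triage, build_sample and demo_sample are the example's own.

```python
import math
import struct
from collections import Counter
from random import Random

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", image, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]    # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                                # section table follows the optional header
    for i in range(nsect):
        name, _, _, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(image, table + i * SECTION_HDR.size)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]

def triage(image: bytes, ratio_limit: float = 0.5, entropy_limit: float = 7.0):
    """Per-section size ratio and entropy, plus a flag when .rsrc is both dominant and near-random."""
    stats = {name: {"ratio": len(raw) / len(image), "entropy": shannon_entropy(raw)}
             for name, raw in pe_sections(image)}
    rsrc = stats.get(".rsrc")
    flagged = rsrc is not None and rsrc["ratio"] > ratio_limit and rsrc["entropy"] > entropy_limit
    return stats, flagged

def build_sample(rsrc_payload: bytes) -> bytes:
    """Constructed two-section PE (no optional header) standing in for a wextract-style dropper."""
    text = b"\x90" * 512 + b"\xc3" + b"\0" * 511                      # NOPs + RET: low entropy
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                   # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    text_off, rsrc_off = 0x200, 0x200 + len(text)
    def hdr(name, raw, off):  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
        return SECTION_HDR.pack(name, len(raw), 0, len(raw), off, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + hdr(b".text", text, text_off) + hdr(b".rsrc", rsrc_payload, rsrc_off)
    return headers.ljust(text_off, b"\0") + text + rsrc_payload

def demo_sample() -> bytes:
    """Seeded pseudo-random bytes stand in for a compressed CABINET resource (constructed, not a real sample)."""
    rng = Random(7)
    return build_sample(bytes(rng.getrandbits(8) for _ in range(12288)))

if __name__ == "__main__":
    stats, flagged = triage(demo_sample())
    for name, s in stats.items():
        print(f"{name:6} size ratio {s['ratio']:6.2%}  entropy {s['entropy']:.3f}")
    print("resource section suspicious:", flagged)
```

On the constructed sample the .rsrc section is about 89% of the file with entropy near 7.98, so it trips both thresholds; the .text section scores close to 1 bit per byte.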
Figure 7: File ratio and entropy of the resource section
Like the previous file, cydn.exe also has two executables archived in its resource section, named aydx.exe and mika.exe. The "RUNPROGRAM" attribute instructs it to run aydx.exe and the "POSTRUNPROGRAM" attribute instructs it to execute mika.exe once aydx.exe has executed. These files are also dropped in the TEMP folder.
Figure 8: aydx.exe and mika.exe packed in the resource section
Figure 9: Executables dropped in another TEMP folder
The order of file execution is as follows: first Wextract.exe and cydn.exe, which have already been discussed, followed by aydx.exe, and then by mika.exe and vona.exe.
Figure 10: Execution flow
Stage 3: Analysis of aydx.exe
Aydx.exe is a 32-bit Portable Executable, 405 KB in size and compiled in C/C++. Once executed, it attempts to make a request to the IP address 193.233.20.7.
Figure 11: Malware attempting to connect to the IPv4 address
This IP address is associated with Redline Stealer, connecting on port number 4138.
Analysis of mika.exe
Mika.exe is a 32-bit Portable Executable, compiled in .NET, and is only 11 KB in size. The original name of the file is "Healer.exe". This executable performs no network activity but does something on the target machine that helps the malware of later stages carry out its execution.
The intent of mika.exe is to turn off Windows Defender in every possible way. Once mika.exe was executed, this is how the Defender settings of the system looked:
Figure 12: Real-time protection turned off
This setting was irreversible and could not be turned back on through the Windows settings. Following this, logs from Procmon were analyzed and there were entries concerning Windows Defender, such as:
Figure 13: Procmon logs
To validate this, the Registry was analyzed and all of the changes were found there. The changes in the Registry were found to be in the exact order of the Procmon logs. In Windows, the registry is a hierarchical database that stores configuration settings and options for the operating system, as well as for applications and devices. It is used to store information about the hardware, software, user preferences, and system settings on a Windows computer. The following keys are added under Real-Time Protection:
- DisableBehaviorMonitoring
- DisableIOAVProtection
- DisableOnAccessProtection
- DisableRealtimeMonitoring
- DisableScanOnRealtimeEnable
Figure 14: Keys added in the Registry
By doing so, the malware prevents ordinary users from turning Windows Defender back on. When attackers disable Windows Defender through the registry, the change is likely to persist even when the user or administrator tries to re-enable it through the Windows Defender settings. This allows the attacker to maintain control over the system for a longer period. It helps the malware of later stages execute without any hindrance, and it can be leveraged by any malware, regardless of whether it belongs to this particular campaign.
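As an added example, not part of the original analysis, this Python snippet shows how a defender would pick the same Defender tampering out of a Procmon CSV export: it flags every RegSetValue that writes a non-zero DWORD to a Disable* value under Real-Time Protection and reports whether the full set of five values was covered. The log lines are constructed, and the HKLM\SOFTWARE\Policies hive in them is an assumption, since the blog names only the sub-key.

```python
import csv
import io
import re

# Value names the blog lists under Real-Time Protection (Defender's own spelling)
RTP_VALUES = {"DisableBehaviorMonitoring", "DisableIOAVProtection",
              "DisableOnAccessProtection", "DisableRealtimeMonitoring",
              "DisableScanOnRealtimeEnable"}
RTP_PATH = re.compile(r"\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
DWORD_DATA = re.compile(r"Data:\s*(\d+)\s*$")

# Constructed Procmon CSV export; the HKLM\SOFTWARE\Policies hive is an assumption.
POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_LOG = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n' + "".join(
    f'"1:02:0{i}.0 PM","mika.exe","4120","RegSetValue","{POLICY}\\{v}","SUCCESS",'
    '"Type: REG_DWORD, Length: 4, Data: 1"\n' for i, v in enumerate(sorted(RTP_VALUES))
) + (
    # an administrator later flipping one flag back, and an unrelated Run-key write: neither should fire
    f'"1:05:10.0 PM","regedit.exe","5004","RegSetValue","{POLICY}\\DisableRealtimeMonitoring","SUCCESS",'
    '"Type: REG_DWORD, Length: 4, Data: 0"\n'
    r'"1:06:00.0 PM","svchost.exe","1100","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS",'
    '"Type: REG_SZ, Length: 20, Data: C:\\Tools\\upd.exe"\n'
)

def defender_tamper_events(log_text: str) -> list:
    """(process, value) for each RegSetValue writing a non-zero Disable* flag under Real-Time Protection."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Operation"] != "RegSetValue":
            continue
        path, data = RTP_PATH.search(row["Path"]), DWORD_DATA.search(row["Detail"])
        if path and data and int(data.group(1)) != 0:
            hits.append((row["Process Name"], path.group(1)))
    return hits

def verdict(log_text: str) -> dict:
    """Roll the events up: which flags were disabled, by which processes, and whether the known set was covered."""
    events = defender_tamper_events(log_text)
    disabled = {v for _, v in events}
    return {"events": events, "disabled": sorted(disabled),
            "processes": sorted({p for p, _ in events}),
            "all_known_flags_set": RTP_VALUES <= disabled}

if __name__ == "__main__":
    for key, val in verdict(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```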
Stage 4: Analysis of vona.exe
Vona.exe, a variant of the Amadey malware family, is compiled in C/C++ and is 236 KB in size. This is the last file to be executed from the current cluster. When executed, a very extensive process tree quickly appeared.
Figure 15: Process tree of vona.exe
Stage 5: Analysis of mnolyk.exe
An immediate child process of vona.exe is mnolyk.exe, another Amadey component, which is dropped in a folder inside the TEMP folder.
Figure 16: mnolyk.exe dropped in the TEMP folder
Mnolyk.exe makes active connections to the IP addresses 62.204.41.5 and 62.204.41.251.
Malicious DLLs are downloaded from 62.204.41.5, which are executed later in the campaign. The target was made to search for two different DLLs, namely cred.dll and clip.dll.
Figure 17: Malicious DLLs downloaded
From 62.204.41.251, various executables are downloaded to the TEMP folder and later executed. The executables downloaded are:
fuka.exe
Figure 18: fuka.exe
nikas.exe
Figure 19: nikas.exe
igla.exe
Figure 20: igla.exe
nocr.exe
Figure 21: nocr.exe
lebro.exe
Figure 22: lebro.exe
Following the execution of mnolyk.exe, a sequence of schtasks.exe and cacls.exe processes were executed.
The command line for schtasks.exe is "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
- "/Create" – This is the command to create a new scheduled task.
- "/SC MINUTE" – This parameter sets the scheduling interval for the task to "MINUTE". The task will run every minute.
- "/MO 1" – This parameter sets the repeat count to "1". The task will run only once.
- "/TN" – This parameter specifies the name of the task. The name should be specified after the "/TN" parameter.
So, the whole command line "schtasks.exe /Create /SC MINUTE /MO 1 /TN" would create a scheduled task that runs once every minute. The name of the task specified is the path to mnolyk.exe.
There were several instances of cacls.exe created. One of them is explained here along with its parameters. The command line is CACLS "mnolyk.exe" /P "test:R" /E
- "CACLS" – This is the command to change the ACL of a file.
- "mnolyk.exe" – This is the file whose ACL will be modified.
- "/P test:R" – This parameter specifies the permission change for a user named "test". The ":R" at the end indicates that the "test" user will be granted "Read" permission.
- "/E" – This parameter specifies that the ACL change will be made to the file's effective ACL. The effective ACL is the actual set of permissions that are applied to the file.
So, the whole command line "CACLS mnolyk.exe /P test:R /E" would grant the "test" user or group "Read" permission on the "mnolyk.exe" file. Hence the user "test" can neither write nor delete this file. If instead of "/P test:R", "/P test:N" was specified, which is the case in one of the command lines, it would give the user "None" permission.
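As an added example (not the blog's own tooling), this Python triage function parses the two command lines discussed above and flags the combination they represent: a scheduled task on a MINUTE schedule whose action lives under the user's Temp folder, and a CACLS call that leaves the named user with only Read or no access to the dropped binary. The sample command lines are constructed from the ones quoted in the text, with one benign task added for contrast; the rule names and the TEMP_MARK constant are the example's own.

```python
import ntpath
import re

TEMP_MARK = "\\appdata\\local\\temp\\"   # any path under %LOCALAPPDATA%\Temp, matched case-insensitively

def split_cmdline(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted runs together (quotes stripped)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]

def option_map(argv: list) -> dict:
    """Map each /switch (lower-cased) to the token that follows it, or '' when it is the last token."""
    return {a.lower(): (argv[i + 1] if i + 1 < len(argv) else "")
            for i, a in enumerate(argv) if a.startswith("/")}

def check_schtasks(argv: list):
    """Flag schtasks /Create on a MINUTE schedule whose /TR action lives under the user's Temp folder."""
    opts = option_map(argv)
    action = opts.get("/tr", "")
    if "/create" in opts and opts.get("/sc", "").upper() == "MINUTE" and TEMP_MARK in action.lower():
        return {"rule": "schtasks-minute-task-from-temp", "task": opts.get("/tn", ""),
                "modifier": opts.get("/mo", ""), "action": action}
    return None

def check_cacls(argv: list):
    """Flag CACLS /P <user>:N|R, which leaves that user unable to modify or delete the file."""
    lowered = [a.lower() for a in argv]
    if "/p" not in lowered or lowered.index("/p") + 1 >= len(argv):
        return None
    user, _, perm = argv[lowered.index("/p") + 1].partition(":")
    if perm.upper() in ("N", "R"):
        return {"rule": "cacls-restrict-dropped-file", "file": argv[1], "user": user,
                "perm": {"N": "none", "R": "read-only"}[perm.upper()], "edit_acl": "/e" in lowered}
    return None

def triage_cmdline(cmd: str):
    """Dispatch on the image name; returns a finding dict or None."""
    argv = split_cmdline(cmd)
    if not argv:
        return None
    exe = re.sub(r"\.exe$", "", ntpath.basename(argv[0]).lower())
    return {"schtasks": check_schtasks, "cacls": check_cacls}.get(exe, lambda _: None)(argv)

# Constructed from the command lines quoted in the analysis, plus one benign task for contrast
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F',
    r'CACLS "mnolyk.exe" /P "test:R" /E',
    r'CACLS "mnolyk.exe" /P "test:N" /E',
    r'schtasks.exe /Create /SC DAILY /ST 02:00 /TN NightlyBackup /TR "C:\Program Files\Backup\run.exe"',
]

def findings() -> list:
    """Run every sample through triage and keep only the hits."""
    return [f for f in map(triage_cmdline, SAMPLE_CMDLINES) if f]

if __name__ == "__main__":
    for f in findings():
        print(f)
```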
Stage 6: Analyzing fuka.exe, nikas.exe, igla.exe, nocr.exe and lebro.exe
Fuka.exe
Fuka.exe, a variant of the Redline Stealer malware family, is 175 KB and is compiled in .NET. The original name of the file is Samarium.exe. It shows some network activity with the IP 193.233.20.11.
Figure 23: Network activity of fuka.exe
Nikas.exe
Nikas.exe is a 248 KB executable compiled in C/C++. It disables automatic updates for Windows and checks the status of all the sub-fields of Real-Time Protection that were previously modified by mika.exe. No network activity was found during replication.
Igla.exe
Igla.exe is a 520 KB file, compiled in C/C++. The original name of the file is WEXTRACT.EXE.MUI. As we saw with cydn.exe, this PE also has two more executables packed in its resource section, bvPf.exe and cmkmka.exe. Once igla.exe is executed, bvPf.exe is executed, followed by cmkmka.exe.
Figure 24: RUNPROGRAM attribute in igla.exe
Figure 25: POSTRUNPROGRAM attribute in igla.exe
bvPf.exe
bvPf.exe is 306 KB in size and is compiled in C/C++. The original filename is nightskywalker.exe. The file is dropped in a folder inside the system's TEMP folder.
The executable attempted to connect to 193.233.20.11, but the server did not respond, and no communication took place.
cmkmka.exe
cmkmka.exe is a 32-bit PE file, 283.5 KB in size. It further launches AppLaunch.exe, which communicates with the C2.
It communicates with the IP address 176.113.115.17, which is an active C2 for Redline Stealer, connecting on port 4132.
Figure 26: Data exfiltration
The blue-colored content in the data indicates the information being transmitted from the Command and Control (C2) server, which is providing instructions to the malware about the specific data that needs to be retrieved along with the corresponding paths. These paths include user profiles of various web browsers, various crypto wallet paths, and other related data.
In response, all the data residing at the specified paths is sent back to the malware's C2 server. This includes all the profiles of various web browsers, information related to crypto wallets, and even user-related data from the Windows operating system. This process allows the C2 server to collect a vast amount of sensitive information from the infected system, which could be exploited by the attackers for malicious purposes.
Nocr.exe
Nocr.exe, a component of Redline Stealer, is a 175 KB .NET binary. The original name of the file is Alary.exe. It communicates with the IP address 176.113.115.17.
Lebro.exe
Lebro.exe, a component of Amadey, is a 235 KB file, compiled in C/C++. Lebro.exe is responsible for executing nbveek.exe, which is the next stage of the malware. The file is again dropped in the TEMP folder.
Figure 27: Dropping another executable in the TEMP folder
Stage 7: Analyzing nbveek.exe
The hashes of lebro.exe and nbveek.exe are identical, so they are the same binary, and hence it is Amadey. It connects to the IP 62.204.41.88.
Figure 28: Network activity of nbveek.exe
The target system executes a PHP file, and the content of the file includes the command to download another executable called setupff.exe. This executable is downloaded to the TEMP folder.
Before setupff.exe is executed, the sequence of schtasks.exe and cacls.exe seen previously is executed again. The same parameters were passed for nbveek.exe as they were for mnolyk.exe.
Setupff.exe
Setupff.exe is compiled in C/C++ and is 795 KB. The file could not execute and threw a Windows error.
Stage 8: Final stage
Later, another instance of setupff.exe was created, which in turn invokes several instances of rundll32.exe. Here, the two DLLs downloaded by mnolyk.exe, clip64.dll and cred64.dll, are executed through rundll32.exe. McAfee Labs detects these DLLs as Amadey malware.
The network activity shows the DLL connecting to 62.204.41.88. This DLL again starts exfiltrating data to the C2:
Figure 29: Data exfiltration
To conclude, the threat posed by this multi-stage attack, which drops the Amadey botnet and subsequently Redline Stealer, is significant and requires constant vigilance from both users and security professionals. By using the Amadey botnet as a delivery mechanism for other malware, attackers can leverage its capabilities to evade detection and maintain persistence on infected computers. They can use Amadey to drop a wide range of malware, such as spyware, ransomware, and trojans, which can be used for a variety of malicious purposes, such as stealing sensitive information, encrypting files for ransom, or taking control of a computer for use in a larger botnet. Our analysis of various samples of this attack has revealed that the Amadey botnet distributes malware from multiple families and is not limited to Redline Stealer alone.
At McAfee, we are committed to providing our customers with robust and effective antivirus and anti-malware solutions that can detect and protect against threats like the Amadey botnet and other malware families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats before they can cause damage.
Indicators of Compromise (IOCs):