MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 079200fa660257be3e28b8b7092b65528b7a568f5e9d10d1be9013e72ba3b1f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


1xxbot


Vendor detections: 9


Intelligence 9 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 079200fa660257be3e28b8b7092b65528b7a568f5e9d10d1be9013e72ba3b1f6
SHA3-384 hash: ec4564dc8161bb9eba4f52455f9778cc05322711b91d1cd33e78f4899e17223b421953705afddee6277142e062499a5b
SHA1 hash: 895cb052f1d76a16f8e13512ea7c9712d0eda5cc
MD5 hash: 8b07390e29498acd8a6994f401ad1922
humanhash: twelve-aspen-colorado-beryllium
File name:8b07390e29498acd8a6994f401ad1922.exe
Download: download sample
Signature 1xxbot
Create hunting rule
File size:345'600 bytes
First seen:2021-10-29 21:35:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 518d84bc9a231f5bb2827b0550b9f86c (8 x RaccoonStealer, 2 x RedLineStealer, 1 x 1xxbot)
ssdeep 6144:VOWoIZBJ0Bfj0MRqxn25LStlJjkcp9kod5t1:VPoIZX0Bfj0Zxn25LSRjkcpZ5t1
Threatray 2'196 similar samples on MalwareBazaar
TLSH T1ED747D00A7A1C435F4B222F849BA93A9B93F7AB16B3454CF12D516EE4774AE0EC31357
File icon (PE):PE icon
dhash icon b2dacaaecee6baa6 (23 x RedLineStealer, 22 x Stop, 13 x Smoke Loader)
Reporter abuse_ch
Tags:1xxbot exe


Avatar
abuse_ch
1xxbot C2:
http://91.219.236.97/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.97/ https://threatfox.abuse.ch/ioc/239602/
37.1.206.174:228 https://threatfox.abuse.ch/ioc/239640/
37.1.206.174:80 https://threatfox.abuse.ch/ioc/239641/

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8b07390e29498acd8a6994f401ad1922.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-29 21:37:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7ffdbb45-03bf-4fd9-9402-2a653a662f4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.18500.27984.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b7493b8-3ea8-4fb1-814b-d0536f1715ae
Result
Threat name:
Amadey Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879629
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL reload attack detected
Early bird code injection technique detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Yara detected Vidar
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 512063 Sample: RdCWJ3MAGz.exe Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 74 www.google.com 2->74 76 wrioshtivsio.su 2->76 78 14 other IPs or domains 2->78 112 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->112 114 Multi AV Scanner detection for domain / URL 2->114 116 Antivirus detection for URL or domain 2->116 118 14 other signatures 2->118 12 RdCWJ3MAGz.exe 2->12         started        15 avfuccr 2->15         started        signatures3 process4 signatures5 136 Contains functionality to inject code into remote processes 12->136 138 Injects a PE file into a foreign processes 12->138 17 RdCWJ3MAGz.exe 12->17         started        140 Multi AV Scanner detection for dropped file 15->140 20 avfuccr 15->20         started        process6 signatures7 104 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->104 106 Maps a DLL or memory area into another process 17->106 108 Checks if the current machine is a virtual machine (disk enumeration) 17->108 110 Creates a thread in another existing process (thread injection) 17->110 22 explorer.exe 14 17->22 injected process8 dnsIp9 82 216.128.137.31, 80 AS-CHOOPAUS United States 22->82 84 sysaheu90.top 185.98.87.159, 49743, 49744, 49745 VM-HOSTINGRU Russian Federation 22->84 86 3 other IPs or domains 22->86 60 C:\Users\user\AppData\Roaming\hgfuccr, PE32 22->60 dropped 62 C:\Users\user\AppData\Roaming\etfuccr, PE32 22->62 dropped 64 C:\Users\user\AppData\Roaming\avfuccr, PE32 22->64 dropped 66 14 other files (9 malicious) 22->66 dropped 120 System process connects to network (likely due to code injection or exploit) 22->120 122 Benign windows process drops PE files 22->122 124 Deletes itself after installation 22->124 126 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->126 27 7655.exe 1 22->27         started        31 57DE.exe 15 3 22->31         started        34 D7B5.exe 22->34         started        36 6 other processes 22->36 file10 signatures11 process12 dnsIp13 68 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 27->68 dropped 142 Multi AV Scanner detection for dropped file 27->142 144 DLL reload attack detected 27->144 146 Detected unpacking (changes PE section rights) 27->146 166 4 other signatures 27->166 94 cdn.discordapp.com 162.159.133.233, 443, 49801, 49802 CLOUDFLARENETUS United States 31->94 96 192.168.2.1 unknown unknown 31->96 148 Machine Learning detection for dropped file 31->148 150 Writes to foreign memory regions 31->150 152 Allocates memory in foreign processes 31->152 154 Sample uses process hollowing technique 31->154 38 aspnet_wp.exe 12 31->38         started        40 jsc.exe 31->40         started        156 Injects a PE file into a foreign processes 34->156 42 D7B5.exe 34->42         started        98 91.219.236.97, 49994, 50056, 80 SERVERASTRA-ASHU Hungary 36->98 100 93.115.20.139, 28978, 49982 MVPShttpswwwmvpsnetEU Romania 36->100 102 3 other IPs or domains 36->102 70 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 36->70 dropped 158 Early bird code injection technique detected 36->158 160 Tries to harvest and steal browser information (history, passwords, etc) 36->160 162 Maps a DLL or memory area into another process 36->162 164 Queues an APC in another process (thread injection) 36->164 45 8366.exe 36->45         started        48 90B5.exe 36->48         started        file14 signatures15 process16 file17 50 chrome.exe 38->50         started        53 chrome.exe 38->53         started        128 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 42->128 130 Maps a DLL or memory area into another process 42->130 132 Checks if the current machine is a virtual machine (disk enumeration) 42->132 134 Creates a thread in another existing process (thread injection) 42->134 72 C:\Users\user\AppData\Local\...\sqtvvs.exe, PE32 45->72 dropped signatures18 process19 dnsIp20 80 239.255.255.250 unknown Reserved 50->80 55 chrome.exe 50->55         started        58 chrome.exe 53->58         started        process21 dnsIp22 88 clients.l.google.com 142.250.203.110, 443, 49825 GOOGLEUS United States 55->88 90 googlehosted.l.googleusercontent.com 142.250.203.97, 443, 49983 GOOGLEUS United States 55->90 92 9 other IPs or domains 55->92
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/079200fa660257be3e28b8b7092b65528b7a568f5e9d10d1be9013e72ba3b1f6/
Threat name:
Win32.Trojan.Krypter
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 21:36:05 UTC
AV detection:
22 of 44 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6jab6tgajl34prixc3qsk3fkkfxuvupl2orbun6saj6ok5dwh3a._file
Verdict:
malicious
Similar samples:
0c37d974d52e06ddf0b003694f1fe9f18475aa57592e639ae49fd840873646ff
1xxbot
7ccbf3b294594e8217e4ca62fae730624db9a300e388f3215570154cd00617dd
1xxbot
aed2ef2307581edfdc8ebb2342ff7b10e383a91b17512dcb4a2f49d1344af27d
1xxbot
c3f8d6b3e497471cc5e1526d59f7068f0655704f98dca59d79a77b81f1cb7fd5
1xxbot
dd3b7c750d4debae8a008400189657be324b956b23bcc781392b3b8548fe9ef8
1xxbot
f0bf1ff85a29dfb06cf83aeab4093d9bd9edfa5781fbb65fe8a31d32cc14f2bc
1xxbot
+ 2'186 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:68e2d75238f7c69859792d206401b6bde2b2515c botnet:936 botnet:999888988 botnet:9b47742e621d3b0f1b0b79db6ed26e2c33328c05 agilenet backdoor collection discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/211029-1fwzcaebd9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Turns off Windows Defender SpyNet reporting
Vidar
Windows security bypass
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
http://193.56.146.214/
https://193.56.146.214/
93.115.20.139:28978
https://mas.to/@lilocc
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/263d51c2-810f-4a70-892c-c06777b3268b/
SH256 hash:
079200fa660257be3e28b8b7092b65528b7a568f5e9d10d1be9013e72ba3b1f6
MD5 hash:
8b07390e29498acd8a6994f401ad1922
SHA1 hash:
895cb052f1d76a16f8e13512ea7c9712d0eda5cc
Link:
https://www.unpac.me/results/263d51c2-810f-4a70-892c-c06777b3268b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/079200fa660257be3e28b8b7092b65528b7a568f5e9d10d1be9013e72ba3b1f6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

1xxbot

Executable exe 079200fa660257be3e28b8b7092b65528b7a568f5e9d10d1be9013e72ba3b1f6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download

Comments