MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09de50c42d342a45215b027b4b041d96fafa5348aeb71c15db3d46725c3aeaa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09de50c42d342a45215b027b4b041d96fafa5348aeb71c15db3d46725c3aeaa2
SHA3-384 hash: 2737df0ad89f95e2de83056c72c4f40acfef1c01ffe52163cfb7fdfd3960fff19740c8d94b40e7c6773b4fe4c130bb71
SHA1 hash: 9089048df419b2950753e6630d5c83cf9621bba7
MD5 hash: 03b0fc56e7667c711bb4a2c7640b6417
humanhash: double-sink-asparagus-yankee
File name:03b0fc56e7667c711bb4a2c7640b6417.exe
Download: download sample
File size:3'669'654 bytes
First seen:2021-06-23 06:49:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:8bA3lAfLpZ+Bq/hIJF/7HNk3ryajUx0yne2anrM4RfOH3uuVq6cO85EYRFfCf+qE:8b7FZIrb/LqkLyrM4Re3nVcOnAfK+qFW
Threatray 546 similar samples on MalwareBazaar
TLSH 16063302BD40AD70D17288350B79FBA0607CBE612F1159B763DD6B1DE1B02E1EB2676B
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
03b0fc56e7667c711bb4a2c7640b6417.exe
Verdict:
Malicious activity
Analysis date:
2021-06-23 06:50:48 UTC
Tags:
evasion stealer trojan
Link:
https://app.any.run/tasks/bea71a15-ce4d-4930-89c9-2e037393b35a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167752/
Detection(s):
Win.Malware.Generic-9872030-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/acf91f7c-e99a-49b6-af89-d22b89688c0a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/806417
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438824 Sample: 9EwOfzqVLA.exe Startdate: 23/06/2021 Architecture: WINDOWS Score: 88 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Machine Learning detection for sample 2->46 48 Found many strings related to Crypto-Wallets (likely being stolen) 2->48 7 9EwOfzqVLA.exe 35 2->7         started        process3 file4 18 C:\Users\user\AppData\Local\...\Svc_host.exe, PE32 7->18 dropped 20 C:\Users\user\AppData\...\Svc_host.exe.config, XML 7->20 dropped 22 C:\Users\user\AppData\...\SQLite.Interop.dll, PE32 7->22 dropped 24 9 other files (none is malicious) 7->24 dropped 10 Svc_host.exe 14 22 7->10         started        process5 dnsIp6 34 checkip.dyndns.org 10->34 36 178.47.141.153, 49731, 80 ROSTELECOM-ASRU Russian Federation 10->36 38 2 other IPs or domains 10->38 26 C:\Users\user\AppData\...\SUAVTZKNFL.docx, ASCII 10->26 dropped 28 C:\Users\user\AppData\...\PWCCAWLGRE.docx, ASCII 10->28 dropped 30 C:\Users\user\AppData\...\PIVFAGEAAV.docx, ASCII 10->30 dropped 32 C:\Users\user\AppData\...\BNAGMGSPLO.docx, ASCII 10->32 dropped 50 Multi AV Scanner detection for dropped file 10->50 52 May check the online IP address of the machine 10->52 54 Machine Learning detection for dropped file 10->54 56 2 other signatures 10->56 15 WerFault.exe 20 9 10->15         started        file7 signatures8 process9 dnsIp10 40 192.168.2.1 unknown unknown 15->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09de50c42d342a45215b027b4b041d96fafa5348aeb71c15db3d46725c3aeaa2/
Threat name:
ByteCode-MSIL.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 02:04:48 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
40e593b8ec5b014b56d4b1c2572b11385ee2151ddb73dc7ee8a2ef4a7fb1bae8
504229eb947e4ae07f6cb408da3dde9ae2ae2996b4df208ab9d06558f39d2cf5
6bbbe63faf9184516d51c5855240541037a3c5e8b3365e1cc7890e19fd3651c7
6d915396aa09593693247c54c4a91feea691dc6e5f4ff234791a6193d2b5ac1b
7416875c44dab7adebe7e6809228adabe17c38abae4bf9c6d49c72fd967621e4
8060ecf4c1dc957aefdbfc835361541af83a9e5d6433f5abb073477c59f16e4c
91b886840c7f674d17b48e5d2264228a55fe0f28e32e102c84dad5cca49ed807
9c2be0c1c80a7f7c5de355be5d52ea7f1b023ca29fcf33a753c41c13bbdb8ef9
a408e65fa77a4eded318a05af68fe27f522ec61b0c3e30aa34a5703b06fe2cf8
bc7cbed34a28008fed6c5c7d7fea8658d4abeb1eff5b06e06a917680d5091fcf
+ 536 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210623-4eshre5tda/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
09de50c42d342a45215b027b4b041d96fafa5348aeb71c15db3d46725c3aeaa2
MD5 hash:
03b0fc56e7667c711bb4a2c7640b6417
SHA1 hash:
9089048df419b2950753e6630d5c83cf9621bba7
Link:
https://www.unpac.me/results/3e04684d-cac3-4302-a295-f5a332366292/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09de50c42d342a45215b027b4b041d96fafa5348aeb71c15db3d46725c3aeaa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 09de50c42d342a45215b027b4b041d96fafa5348aeb71c15db3d46725c3aeaa2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1289971/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167752/

Comments