MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	0a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3
SHA3-384 hash:	ad0a3703f47ba058769a74d1eb4b5b60169e22b9a1a9d37a563fdd283cdbe1bed9ed07d4b0f1c180b75b06abeebb36c9
SHA1 hash:	48a23b6c768a4a4f8ba2864159f959c0e025f08a
MD5 hash:	c6fea3621cca858371f2d596c9723891
humanhash:	massachusetts-table-nineteen-mike
File name:	gookcom.exe
Download:	download sample
File size:	787'496 bytes
First seen:	2023-05-22 20:37:56 UTC
Last seen:	2024-02-19 09:16:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:9ZZYXK0z6bPETqd/a0hQ6o0No0mo09dCAMdCAHdCAwrH/cfwwGHCfu1eUgzpCGKD:9cXKp2b0y6fgli7vwPifu1d0yQ314
Threatray	5 similar samples on MalwareBazaar
TLSH	T12DF4E1E0775CA005E8395C31C8C596B416B1FA25BD1DDD2738B8F9818BB2242FED668F
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	a8e8b593e6cadaf2
Reporter	ULTRAFRAUD
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

gookcom.exe

Verdict:

Malicious activity

Analysis date:

2023-05-14 08:49:34 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/aba5096c-fa1b-4d28-aa4b-7fd215d33067

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.66562991.315.28332.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Connecting to a non-recommended domain

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

installer overlay packed

Link:

https://www.filescan.io/uploads/646bd2aa64d9cda2196ee509/reports/1cc74198-2784-42bf-a979-ba5634a5968f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e7584bb0-67e6-4321-b2e3-27dc26c7412b

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1240063

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2023-04-22 00:23:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bjgx5ubxtdssk6rbv7dwku7fhbeggfrytpkuzg43zqbwtgxcdtjq._file

Verdict:

malicious

83ded684d8501ecbb679d59ec349c702930aba7e3aea673ef92894e23b615d5e

8bad05c9f2e4195e80bd90d02d6a08a398b8d93a475b6eb3ef950f4d1380f73c

d13297572805b9344d4064c3263ae84360e45b3eb258aba01bcfed5ef159e45a

e753d757d44da6574603ca2940623935afa225d8b8dc982ad2c00bd8f72bb44a

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:newport infostealer

Link:

https://tria.ge/reports/230522-zepm7sce66/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks computer location settings

Blocklisted process makes network request

RedLine

Malware Config

C2 Extraction:

82.115.223.91:82

Unpacked files

SH256 hash:

0a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3

MD5 hash:

c6fea3621cca858371f2d596c9723891

SHA1 hash:

48a23b6c768a4a4f8ba2864159f959c0e025f08a

Link:

https://www.unpac.me/results/c6825bc9-e643-40e2-9685-ccbee706b11c/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0a4d7ed03798/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample