MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0edc6dae7ee848bf465be34edfc49377b7da304798445685e4a7d45d4983f166. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0edc6dae7ee848bf465be34edfc49377b7da304798445685e4a7d45d4983f166
SHA3-384 hash: de8427a736350298a494d6e19d26d4a886dcd989c3009ed0a07fe0072136be66568d7852f0b73bcf6400cb9b99d2d24b
SHA1 hash: 96826340af3f4708b16f8f0e3eb29ad0ce5bb6f8
MD5 hash: 2796bf32abbebdd11a35603f3453214d
humanhash: kentucky-freddie-beryllium-nebraska
File name:2796bf32abbebdd11a35603f3453214d
Download: download sample
File size:3'697'248 bytes
First seen:2023-07-08 03:51:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bed9633b96201805297d3db544466c09 (3 x RedLineStealer, 1 x Stealc)
ssdeep 98304:dK7rmuwY9IEUOJaMpTW0IX0WV2GnusfXd7FlwffC:g3muJ6IIEEt7Fl
Threatray 51 similar samples on MalwareBazaar
TLSH T1FA0639E065605B12F1D69E34C548ED249E6C2AADCF078BCF8E33C6D395722D12A71B87
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2796bf32abbebdd11a35603f3453214d
Verdict:
Suspicious activity
Analysis date:
2023-07-08 03:53:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dbdda461-fbc6-4b17-8f75-0a21ba31722d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/411386/
Detection(s):
SecuriteInfo.com.Trojan.Heur2.HRY@IjvCzRi.26757.8426.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96490/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/64a8dd632333b198b2395d4e/reports/300bc268-2953-4928-a482-4f700e728134/overview
Verdict:
Malicious
Labled as:
Trojan.Heur2.Generic
Link:
https://www.hybrid-analysis.com/sample/0edc6dae7ee848bf465be34edfc49377b7da304798445685e4a7d45d4983f166
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f3124ab-0058-44ef-a7cb-82982f7ece55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0edc6dae7ee848bf465be34edfc49377b7da304798445685e4a7d45d4983f166/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-08 00:39:23 UTC
File Type:
PE (Exe)
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b3og3lt65bel6rs34nhn7reto635umchtbcfnbpeu7kf2smd6fta._file
Verdict:
malicious
Similar samples:
0e59fafb2de30f5fa5b6cce425f40115180b373592e1a201702742a6e8f21cc9
43f7dfd100d1188143e4ab71a4f513c85568e2b1a9999690618e3f3eaebd4099
75ae798473d4f1a4025f1a07e44fa307a0a317903a42b7e93a9a63b543efa255
82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24
99140bcea0df5df002662cbbbbf8de1369bad231868368015a29e57c5cd9b80f
acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8
d0873782fa5d4851ddd95e98767467d177e1b42a684b202cd681968ea2ece832
dcbc00932f5016baaa92523df27c27a836f674381bb8a392f4f58781a483adbc
f9a34a14c69e1c21529800bbdf4b9d7f357d3105e41acfb0aaca1b9d22122893
+ 41 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230708-ee283scg49/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
44b8cf43d66b9d519f5aa471155bbc28ce465f202a766b77903989c6f28dbf3a
MD5 hash:
1816ed98592922c3d3c3279c13f80427
SHA1 hash:
351fc367faa0c77aedd67751691bf811a09a75e9
Link:
https://www.unpac.me/results/5770e96f-b095-493b-bfba-0693b404f0d1/
SH256 hash:
0edc6dae7ee848bf465be34edfc49377b7da304798445685e4a7d45d4983f166
MD5 hash:
2796bf32abbebdd11a35603f3453214d
SHA1 hash:
96826340af3f4708b16f8f0e3eb29ad0ce5bb6f8
Link:
https://www.unpac.me/results/5770e96f-b095-493b-bfba-0693b404f0d1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0edc6dae7ee8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0edc6dae7ee848bf465be34edfc49377b7da304798445685e4a7d45d4983f166

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nullmixer_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.nullmixer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0edc6dae7ee848bf465be34edfc49377b7da304798445685e4a7d45d4983f166

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2678475/
Cape
Cape
https://www.capesandbox.com/analysis/411386/

Comments


Avatar
zbet commented on 2023-07-08 03:51:29 UTC

url : hxxps://bloom-artists.com/wp-includes/class-wp-image-editors.php?filename=winx32apideftype.exe