MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1133f789dd9b63a17b309abf65affdd4ff2ed13795cd9f48371e89cf9a4e24ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 13



SHA256 hash: 1133f789dd9b63a17b309abf65affdd4ff2ed13795cd9f48371e89cf9a4e24ba
SHA3-384 hash: 9053e62a6839a5e43669148f4a77dd82d8fd190f8592597169f24ff6efa4690e4f04554b4a88ae2d27876d7a7615d11d
SHA1 hash: 04f5382345f6dc835229e30b334f4ad75ae46f5e
MD5 hash: 2e9eb71522d062f5761796cb51ef2f5b
humanhash: table-mississippi-red-charlie
File name: JrBeso.exe
Signature: XWorm
File size: 360'448 bytes
First seen: 2024-09-24 12:02:32 UTC
Last seen: 2024-09-24 12:19:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep: 6144:UeR7eammPp0yN90QEgZ0dUEi40aP95qFfBJOAfZ3Z6iLY:UeRtB6y90U0mQ0qjqFXZhLY
TLSH: T1A574D0061BDDA0F7E0B64370C5F242935635BC926BF592BF5388843B0E727D4A932B66
TrID:
  58.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  10.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.1% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: JAMESWT_WT
Tags: b3ss0-work-gd bitbucket-org--xyz491 exe xworm

Intelligence


File Origin
# of uploads: 2
# of downloads: 419
Origin country: IT

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: JrBeso.exe
Verdict: Malicious activity
Analysis date: 2024-09-24 12:16:24 UTC
Tags: telegram xworm remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: Execution Generic Network Static Stealth Exploit Gumen Sage Tori

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Creating synchronization primitives
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 89%
Tags: advpack anti-vm CAB cmd cscript evasive explorer findstr installer lolbin microsoft_visual_cc mshta overlay packed powershell rundll32 setupapi sfx shell32 timeout wmic wscript

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: evad.troj.expl
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Found malware configuration
Found suspicious ZIP file
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell DownloadFile
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious javascript / visual basic script found (invalid extension)
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph (rendered as text; the original is an image):
Behavior Graph ID: 1516656
Sample: JrBeso.exe
Startdate: 24/09/2024
Architecture: WINDOWS
Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Network (DNS / IP):
  api.telegram.org (149.154.167.220, ports 443, 49749; TELEGRAMRU, United Kingdom) - contacted by powershell.exe; Uses the Telegram API (likely for C&C communication)
  b3ss0.work.gd (157.254.237.108, ports 49750, 7000; BEANFIELDCA, United States) - contacted by RegSvcs.exe
  api.ipify.org (104.26.13.205, ports 443, 49748; CLOUDFLARENETUS, United States) - contacted by powershell.exe
  91.92.251.38 (ports 21, 49746, 49747; THEZONEBG, Bulgaria) - contacted by powershell.exe

Dropped files:
  C:\Users\user\AppData\Local\...\JrBeso.bat (Unicode) - dropped by JrBeso.exe
  C:\Users\user\AppData\Local\Temp\...\temp.vbs (ASCII) - dropped by cmd.exe
  C:\ProgramData\office.zip (Zip) - dropped by powershell.exe

Process tree (signatures attached to each node in brackets):
JrBeso.exe
  cmd.exe  [Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Command shell drops VBS files; 4 other signatures]
    cscript.exe
      cmd.exe  [Wscript starts Powershell (via cmd or directly)]
        cmd.exe
          cmd.exe  [Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)]
            powershell.exe  [Loading BitLocker PowerShell Module; contacts api.telegram.org and api.ipify.org]
          conhost.exe
        powershell.exe  [Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries memory information (via WMI often done to detect virtual machines)]
          WMIC.exe  [Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)]
        powershell.exe  [Loading BitLocker PowerShell Module; drops C:\ProgramData\office.zip; contacts 91.92.251.38]
          conhost.exe
        25 other processes  [Wscript starts Powershell (via cmd or directly); Suspicious execution chain found]
          WMIC.exe
          WMIC.exe
    conhost.exe
wscript.exe  [Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)]
  cmd.exe
    cmd.exe  [Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)]
      powershell.exe  [Writes to foreign memory regions; Injects a PE file into a foreign processes]
        RegSvcs.exe  [Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); contacts b3ss0.work.gd]
    conhost.exe
rundll32.exe
Threat name: Win64.Trojan.Pantera
Status: Malicious
First seen: 2024-09-24 11:56:28 UTC
File Type: PE+ (Exe)
Extracted files: 36
AV detection: 12 of 24 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Hide Artifacts: Ignore Process Interrupts
Adds Run key to start application
Checks computer location settings
Verdict: Malicious
Tags: stealer redline
YARA: detect_Redline_Stealer

Unpacked files
SHA256 hash: 1133f789dd9b63a17b309abf65affdd4ff2ed13795cd9f48371e89cf9a4e24ba
MD5 hash: 2e9eb71522d062f5761796cb51ef2f5b
SHA1 hash: 04f5382345f6dc835229e30b334f4ad75ae46f5e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (FORCE_INTEGRITY) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::EqualSid, ADVAPI32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDriveTypeA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryInfoKeyA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::PeekMessageA
