MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 160ce30c3733a5d4fb1647d727a0a90147f795779d5b5ae153890adf7c515588. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 160ce30c3733a5d4fb1647d727a0a90147f795779d5b5ae153890adf7c515588
SHA3-384 hash: fbb283dc8244d6eff1ef1e6bf13883a8c836f4dff39453f821ff60a0e24ade9e77e6fc8dc61be9142634d21aba434e89
SHA1 hash: 83ed7612dd9b7c7a5144b2d9d5d91278a3c84ab4
MD5 hash: a7221cf05ec4add1d531b242c1faace7
humanhash: magnesium-gee-dakota-zulu
File name:a7221cf05ec4add1d531b242c1faace7
Download: download sample
File size:3'147'776 bytes
First seen:2024-07-29 05:35:47 UTC
Last seen:2024-07-29 06:22:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 72 x LummaStealer, 62 x Rhadamanthys)
ssdeep 49152:rjhcmVpwbjDz06zuHBg6S8WCpppQE4+8OWaSErYhKkZ8P8xO3e6s6PbZGfE8K:xcqpwbjD+hzS8WqQtE6KGJxOOeWE8K
Threatray 1'102 similar samples on MalwareBazaar
TLSH T16DE533069BE45462F4BB5335A4F302875D3239D67BB8368F12F151294E33BE06E3672A
TrID 58.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:64 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
346
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a7221cf05ec4add1d531b242c1faace7
Verdict:
Suspicious activity
Analysis date:
2024-07-29 08:45:07 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/68488e21-8d14-47b1-af38-65e2b46d09d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a72a483ee5253b89e5dbd3
Tags:
Generic Static Stealth Trojan Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5101a51d-423b-4769-98ae-f9bae8c23eb7
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1483817
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1483817 Sample: vTvVBCXIft.exe Startdate: 29/07/2024 Architecture: WINDOWS Score: 100 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected AntiVM3 2->53 55 4 other signatures 2->55 7 vTvVBCXIft.exe 1 3 2->7         started        11 cvchost.exe 3 2->11         started        13 cvchost.exe 2 2->13         started        15 rundll32.exe 2->15         started        process3 file4 47 C:\Users\user\AppData\...\propertysite.exe, PE32 7->47 dropped 65 Creates multiple autostart registry keys 7->65 17 propertysite.exe 1 4 7->17         started        67 Antivirus detection for dropped file 11->67 69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 21 MSBuild.exe 11->21         started        23 MSBuild.exe 11->23         started        25 MSBuild.exe 11->25         started        33 7 other processes 11->33 73 Writes to foreign memory regions 13->73 75 Injects a PE file into a foreign processes 13->75 27 MSBuild.exe 13->27         started        29 MSBuild.exe 13->29         started        31 MSBuild.exe 13->31         started        35 7 other processes 13->35 signatures5 process6 file7 45 C:\Users\user\AppData\Local\cvchost.exe, PE32 17->45 dropped 57 Antivirus detection for dropped file 17->57 59 Multi AV Scanner detection for dropped file 17->59 61 Machine Learning detection for dropped file 17->61 63 4 other signatures 17->63 37 MSBuild.exe 17->37         started        39 MSBuild.exe 17->39         started        41 MSBuild.exe 17->41         started        43 7 other processes 17->43 signatures8 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/160ce30c3733a5d4fb1647d727a0a90147f795779d5b5ae153890adf7c515588
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/160ce30c3733a5d4fb1647d727a0a90147f795779d5b5ae153890adf7c515588/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-07-19 04:26:03 UTC
File Type:
PE+ (Exe)
Extracted files:
42
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cygogdbxgos5j6ywi7lspifjafd7pflxtvnvvyktrefn67crkwea._file
Verdict:
malicious
Similar samples:
0148dc89fde5feaf2b6378bc03fa0404da0d9d6c06dc27007b5814748e0c2352
160ce30c3733a5d4fb1647d727a0a90147f795779d5b5ae153890adf7c515588
221e7f2bf537ab5210e9dd309ac922c988eb6121a67e0a8e063a677f38619a02
2a0a0b2f7b3f3f71e7056e7352e7e923885b663dbf06ba92f175252262aad33c
361bd53fc8dc779d93b521c5387287dd10e14eb65f3c2838773789fdd5d2c41a
4ec050b4dfd931ed6d30256b3ed1d042f313860da23e7ca064aaf95ad83e257e
584c91693287a0d6c66f27a8c0f1841aad3368bc48b9d36b1088548f9f370032
697444c2cb0a7bd6fde35bd250870e7a9aa4a2b49beb0ff2c795f8c507bb5c15
767ad6a683c15dc908cd12b10e115c9b3dd1de419ac8f84ce80ccbfd7c0a564a
9387f4d0d04d48e9bdb9cbcb6edd9b2567fc50b0b5752c05b507c6953b33c742
+ 1'092 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240729-gakjkszapb/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/491f2ed8-eb8c-4cc4-abdf-8fdd02a4ccea
Unpacked files
SH256 hash:
696d8cc6bd7e1b5169a36e00937291e91dca16809893b83a1a4a0c5822798fa2
MD5 hash:
6f841cfc75d5da0ea1c59a7c40c6db38
SHA1 hash:
6c1d20a827d7d469a59b21697c09e02ebf862398
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8377228f-2cc5-4375-8d1c-8a13f63c41e8/
SH256 hash:
160ce30c3733a5d4fb1647d727a0a90147f795779d5b5ae153890adf7c515588
MD5 hash:
a7221cf05ec4add1d531b242c1faace7
SHA1 hash:
83ed7612dd9b7c7a5144b2d9d5d91278a3c84ab4
Link:
https://www.unpac.me/results/8377228f-2cc5-4375-8d1c-8a13f63c41e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/160ce30c3733a5d4fb1647d727a0a90147f795779d5b5ae153890adf7c515588

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 160ce30c3733a5d4fb1647d727a0a90147f795779d5b5ae153890adf7c515588

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3076579/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments


Avatar
zbet commented on 2024-07-29 05:35:48 UTC

url : hxxp://193.233.203.218/creative/propertysitepro.exe