MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
SHA3-384 hash: 68c5079a2a28be19df45d9c9e3da0e18b8fb7ad8fad71d3a5a0288b9ea90ba946bf793b981d655b2c54af99c6650eae7
SHA1 hash: 5824b137ecf83e2bcf517dbdbbfa1574f706babe
MD5 hash: 99a5a29c95597fef93d118f82cc445b3
humanhash: winner-uranus-idaho-double
File name:20E1BC5813941642186774CD0AA40989C3D119D7A70B7.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:3'386'990 bytes
First seen:2023-01-15 16:40:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JpZ8EIo0stDjwrDZfmOuqNmdv2fOtvKqee6kFoaD:JpPDttDM3Znuq6veCvmQ
TLSH T125F5331C1CA81324D17509F10EFC99AE2D9B81055BB0E529B72D8B3EB8D4CEAE377917
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://45.15.156.209/

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
20E1BC5813941642186774CD0AA40989C3D119D7A70B7.exe
Verdict:
Malicious activity
Analysis date:
2023-01-15 16:43:02 UTC
Tags:
evasion trojan socelars stealer loader amadey rat redline smoke
Link:
https://app.any.run/tasks/1c7c1cb0-0ab0-4e1a-bd79-231989c79005

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/353159/
Detection(s):
Win.Dropper.Pswtool-9857488-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Barys-9859550-0
Create hunting rule

Win.Trojan.Jaik-9862229-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Trojan.Jaik-9863907-0
Create hunting rule

Win.Trojan.Jaik-9863965-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Trojan.Jaik-9863992-0
Create hunting rule

Win.Trojan.Jaik-9864165-0
Create hunting rule

Win.Trojan.Jaik-9869659-0
Create hunting rule

Win.Trojan.Jaik-9873403-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Packed.SmokeLoader-9880490-1
Create hunting rule

Win.Packed.SmokeLoader-9880491-1
Create hunting rule

Win.Trojan.Malwarex-9882705-0
Create hunting rule

Win.Trojan.Malwarex-9882706-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Searching for the window
Moving a recently created file
Running batch commands
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Launching a process
Creating a window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/60492/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
glupteba lockbit overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63c42c9ed392ce333bdfbb6d/reports/d87e79c8-2c37-4e1e-b648-b2e2c98d4e43/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aac6c5f6-c66d-4c2e-889a-69089364bafd
Result
Threat name:
Amadey, Backstage Stealer, Fabookie, Rac
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1151975
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Backstage Stealer
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 784707 Sample: 20E1BC5813941642186774CD0AA... Startdate: 15/01/2023 Architecture: WINDOWS Score: 100 162 Snort IDS alert for network traffic 2->162 164 Multi AV Scanner detection for domain / URL 2->164 166 Malicious sample detected (through community Yara rule) 2->166 168 23 other signatures 2->168 12 20E1BC5813941642186774CD0AA40989C3D119D7A70B7.exe 10 2->12         started        15 rundll32.exe 2->15         started        process3 file4 126 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->126 dropped 17 setup_installer.exe 16 12->17         started        21 rundll32.exe 15->21         started        process5 file6 88 C:\Users\user\AppData\Local\...\sonia_8.txt, PE32 17->88 dropped 90 C:\Users\user\AppData\Local\...\sonia_7.txt, PE32 17->90 dropped 92 C:\Users\user\AppData\Local\...\sonia_6.txt, PE32 17->92 dropped 94 11 other files (10 malicious) 17->94 dropped 170 Multi AV Scanner detection for dropped file 17->170 23 setup_install.exe 1 17->23         started        172 Writes to foreign memory regions 21->172 174 Allocates memory in foreign processes 21->174 176 Creates a thread in another existing process (thread injection) 21->176 28 svchost.exe 21->28 injected 30 svchost.exe 21->30 injected 32 svchost.exe 21->32 injected 34 8 other processes 21->34 signatures7 process8 dnsIp9 150 sokiran.xyz 23->150 152 127.0.0.1 unknown unknown 23->152 118 C:\Users\user\AppData\...\sonia_8.exe (copy), PE32 23->118 dropped 120 C:\Users\user\AppData\...\sonia_7.exe (copy), PE32 23->120 dropped 122 C:\Users\user\AppData\...\sonia_6.exe (copy), PE32 23->122 dropped 124 5 other malicious files 23->124 dropped 206 Antivirus detection for dropped file 23->206 208 Multi AV Scanner detection for dropped file 23->208 210 Detected unpacking (changes PE section rights) 23->210 218 2 other signatures 23->218 36 cmd.exe 1 23->36         started        38 cmd.exe 1 23->38         started        40 cmd.exe 1 23->40         started        46 7 other processes 23->46 212 System process connects to network (likely due to code injection or exploit) 28->212 214 Sets debug register (to hijack the execution of another thread) 28->214 216 Modifies the context of a thread in another process (thread injection) 28->216 42 svchost.exe 28->42         started        154 23.35.236.109 ZAYO-6461US United States 30->154 156 34.104.35.123 GOOGLEUS United States 30->156 file10 signatures11 process12 dnsIp13 48 sonia_6.exe 36->48         started        53 sonia_2.exe 1 38->53         started        55 sonia_7.exe 40->55         started        158 google.vrthcobj.com 185.116.193.219 HOSTER-KZ Kazakhstan 42->158 220 Query firmware table information (likely to detect VMs) 42->220 57 sonia_3.exe 12 46->57         started        59 sonia_1.exe 2 46->59         started        61 sonia_5.exe 3 46->61         started        63 2 other processes 46->63 signatures14 process15 dnsIp16 128 212.193.30.115 SPD-NETTR Russian Federation 48->128 136 15 other IPs or domains 48->136 96 C:\Users\...\sAh3IuSWrQ2Z_pVBK5u1sGyj.exe, PE32 48->96 dropped 98 C:\Users\...\m3XdtYWmkGEFLXujlQb4ZvNx.exe, PE32 48->98 dropped 100 C:\Users\...\hzwsqiS2PESMRQ2ryNEaUoXj.exe, PE32+ 48->100 dropped 108 12 other malicious files 48->108 dropped 178 Drops PE files to the document folder of the user 48->178 180 May check the online IP address of the machine 48->180 182 Creates HTML files with .exe extension (expired dropper behavior) 48->182 184 Disable Windows Defender real time protection (registry) 48->184 102 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 53->102 dropped 186 DLL reload attack detected 53->186 188 Detected unpacking (changes PE section rights) 53->188 190 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 53->190 196 4 other signatures 53->196 65 explorer.exe 53->65 injected 130 99.83.154.118 AMAZON-02US United States 55->130 138 3 other IPs or domains 55->138 104 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 55->104 dropped 106 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 55->106 dropped 70 jfiag3g_gg.exe 55->70         started        72 jfiag3g_gg.exe 55->72         started        132 sslamlssa1.tumblr.com 74.114.154.22, 443, 49708 AUTOMATTICUS Canada 57->132 192 Detected unpacking (overwrites its own PE header) 57->192 74 WerFault.exe 57->74         started        194 Creates processes via WMI 59->194 76 sonia_1.exe 59->76         started        134 148.251.234.83 HETZNER-ASDE Germany 61->134 140 2 other IPs or domains 63->140 file17 signatures18 process19 dnsIp20 142 103.224.182.242 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 65->142 144 199.191.50.190 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 65->144 146 188.114.97.3 CLOUDFLARENETUS European Union 65->146 110 C:\Users\user\AppData\Roaming\esdbwcu, PE32 65->110 dropped 198 System process connects to network (likely due to code injection or exploit) 65->198 200 Benign windows process drops PE files 65->200 202 Hides that the sample has been downloaded from the Internet (zone.identifier) 65->202 78 haleng.exe 65->78         started        204 Multi AV Scanner detection for dropped file 70->204 148 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 74->148 112 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 76->112 dropped 114 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 76->114 dropped 116 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 76->116 dropped 82 conhost.exe 76->82         started        file21 signatures22 process23 dnsIp24 160 ip-api.com 78->160 222 Multi AV Scanner detection for dropped file 78->222 224 May check the online IP address of the machine 78->224 84 jfiag3g_gg.exe 78->84         started        86 jfiag3g_gg.exe 78->86         started        signatures25 process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 11:11:35 UTC
File Type:
PE (Exe)
Extracted files:
207
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=edq3ywatsqleegdhotgqvjajrhb5cgoxu4fxu27f2pmn6ymfyaqa._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:fabookie family:gcleaner family:nullmixer family:privateloader family:raccoon family:redline family:smokeloader family:vidar botnet:64b445f2d85b7aeb3d5c7b23112d6ac3 botnet:933 botnet:gula botnet:logsdiller cloud (tg: @logsdillabot) botnet:medi2 aspackv2 backdoor brand:microsoft discovery dropper evasion infostealer loader persistence phishing rat spyware stealer themida trojan upx vmprotect
Link:
https://tria.ge/reports/230115-t64csada4w/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Unexpected DNS network traffic destination
Uses the VBS compiler for execution
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Amadey
DcRat
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
GCleaner
Modifies Windows Defender Real-time Protection settings
NullMixer
PrivateLoader
Process spawned unexpected child process
Raccoon
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://sokiran.xyz/
https://sslamlssa1.tumblr.com/
62.204.41.104/7gjD0Vs3d/index.php
45.139.105.171
85.31.46.167
107.182.129.235
171.22.30.106
http://45.15.156.209/
51.210.137.6:47909
167.235.156.206:6218
62.204.41.211:4065
Unpacked files
SH256 hash:
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
MD5 hash:
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 hash:
b968c57a14ddada4128356f6e39fb66c6d864d3f
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash:
4de4b7bc0a92902422c4204fcfa58150
SHA1 hash:
587e0299ea32cc836281998941daa60f471e3480
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash:
7165e9d7456520d1f1644aa26da7c423
SHA1 hash:
177f9116229a021e24f80c4059999c4c52f9e830
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
07f0bb02ae3cdcc6de42a9821d4df3b631eae163f0d9843442eee8c9e22ed494
MD5 hash:
90056bc4ab28d7dcbc0fed6fc52e6e99
SHA1 hash:
a88b38f226fd164bb265a9cc0f209b482e7a5d7f
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
5865a02b77ee9d29a659941e12e42ba5f33eb8171a9038d23d149ce1f5aa1aed
MD5 hash:
d878ef3a6e894b62852b50d48617fa04
SHA1 hash:
a8099d3e461f2fa783b3ae89adcaf5286fdb63d2
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707
MD5 hash:
cfcd04cb50a5d48b368c76a353a8b58a
SHA1 hash:
7d76e8474b4b70d4f8e62653361c7b451a8f2fd2
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
Parent samples :
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SH256 hash:
89a0227ef833a2742f7dd46be36e61b178a8b47846fd3cf557c8b9991b7cfb67
MD5 hash:
55bf2bbdd87ec3ac709c6a247f4a28b4
SHA1 hash:
6df7d9af3a7b2da1c91aff955a4c5aadbe2d13cb
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
Parent samples :
5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
d0037be72720bb05c0207342411a883b883c8f4a371c6c7e6bacd9cff5615df7
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7
SH256 hash:
85dfffedca6315484c84a1ef051d0b0e43b4986c0cbc8955d11d7a458fee401e
MD5 hash:
aad3087e5758d5f791ddf7db916cd534
SHA1 hash:
7132a03ae1dda79eb940dabc3df8bb513d04a9c3
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
MD5 hash:
6765fe4e4be8c4daf3763706a58f42d0
SHA1 hash:
cebb504bfc3097a95d40016f01123b275c97d58c
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3
MD5 hash:
ee658be7ea7269085f4004d68960e547
SHA1 hash:
979afc4726af14d9079b6cf288686b0e7e4a17e5
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf
MD5 hash:
2eb68e495e4eb18c86a443b2754bbab2
SHA1 hash:
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
MD5 hash:
0c3f670f496ffcf516fe77d2a161a6ee
SHA1 hash:
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_auto
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
Parent samples :
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
SH256 hash:
41b25eac5234d09d70dbcd3830a098c1b25828cfb70990e2938ebf99d31f796f
MD5 hash:
598e9d45522cdf1e3f35740170e9922b
SHA1 hash:
056cffe0507d27bac4789674729b4c2ae548afcb
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
47f581bc1a43c89ce9ce85fcf88921f34a172b55085ce17ce37e6c7443332b96
MD5 hash:
d0ed5e0f4f03d612201cfb8bcad5aff4
SHA1 hash:
9b48122d29dd7a59169207e084e12bef616bf53b
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
fb8dd826265b2ad8dbfc5c268965aa0672e5feb26ecee127c88df0add39db789
MD5 hash:
2b3363fcdeaf1484bf3a86ee0190f55e
SHA1 hash:
49409ead408fadae24f2f5cdc59d080d924bcfa6
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
483ddf7b4042bd5c462101d9b514def21e188beef22469748fb709a095d6b324
MD5 hash:
985c76c51201de07e00bf003b502c1a8
SHA1 hash:
c7c53663e423daa8d690e53b505bf05bf28ce202
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
SH256 hash:
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
MD5 hash:
99a5a29c95597fef93d118f82cc445b3
SHA1 hash:
5824b137ecf83e2bcf517dbdbbfa1574f706babe
Link:
https://www.unpac.me/results/57450f31-1984-41f0-bb06-fd9ffa47d004/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/20e1bc581394/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353159/

Comments