MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 231ef19528c94c50a19d4669f1446fd41117f7e94b6dcd2ac68643ab7b745847. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 231ef19528c94c50a19d4669f1446fd41117f7e94b6dcd2ac68643ab7b745847
SHA3-384 hash: 99961bf60347d5b42280b676604a179a96716ceb6aea0ee5bc4a05d951ae183c254e8199f86553ec47a689e8a4a28cd5
SHA1 hash: 765e819fb15566509e1307605f4ae5d4448a330f
MD5 hash: d9e7186fb49d75774327df10b2df2dfe
humanhash: one-butter-tango-red
File name:SecuriteInfo.com.Trojan.GenericKD.37526377.694.18820
Download: download sample
File size:1'371'136 bytes
First seen:2023-03-09 18:31:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ec31b24507a2a533afa2c689005cc167
ssdeep 24576:sQ6c51ZE/sGM/6e/+ctUB9c9axgFOHQd4eQcZsGMMTMZ/f6le2:D6c7PGM/6CUBOMxgIU4FcZTTU/Cl
Threatray 704 similar samples on MalwareBazaar
TLSH T1AA55336BBEAC911FDBA44270E79331B9CB56C8FD4458404FD8E919AB3F9830D6879603
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Vape V4.exe
Verdict:
Malicious activity
Analysis date:
2021-09-01 21:48:12 UTC
Tags:
trojan rat redline stealer amadey evasion
Link:
https://app.any.run/tasks/79a43d40-1f8c-4967-a1f2-a4b84392c453

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373097/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.37526377.694.18820.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Creating a window
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
enigma obfuscated packed shell32.dll zpevdo
Link:
https://www.filescan.io/uploads/640a26258b48bcea611fce0c/reports/a939a23b-ada9-4f9c-ae80-1c48066b28b4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_80%
Link:
https://www.hybrid-analysis.com/sample/231ef19528c94c50a19d4669f1446fd41117f7e94b6dcd2ac68643ab7b745847
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/13e621a6-e1db-499c-9cb1-ad37fb6c789f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190647
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823533 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 09/03/2023 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic 2->68 70 Antivirus detection for dropped file 2->70 72 Antivirus / Scanner detection for submitted sample 2->72 74 7 other signatures 2->74 9 SecuriteInfo.com.Trojan.GenericKD.37526377.694.18820.exe 32 2->9         started        14 System.exe 29 2->14         started        process3 dnsIp4 64 iplogger.org 148.251.234.83, 443, 49712, 49713 HETZNER-ASDE Germany 9->64 66 bitbucket.org 104.192.141.1, 443, 49714, 49715 AMAZON-02US United States 9->66 60 C:\ProgramData\Microsoft Network\System.exe, PE32 9->60 dropped 62 C:\ProgramData\...\System.exe:Zone.Identifier, ASCII 9->62 dropped 76 Detected unpacking (changes PE section rights) 9->76 78 May check the online IP address of the machine 9->78 80 Hides threads from debuggers 9->80 16 cmd.exe 1 9->16         started        18 cmd.exe 9->18         started        20 cmd.exe 9->20         started        28 40 other processes 9->28 22 cmd.exe 14->22         started        24 cmd.exe 14->24         started        26 cmd.exe 14->26         started        30 24 other processes 14->30 file5 signatures6 process7 process8 36 2 other processes 16->36 38 2 other processes 18->38 40 2 other processes 20->40 32 taskkill.exe 22->32         started        34 conhost.exe 22->34         started        42 2 other processes 24->42 44 2 other processes 26->44 46 51 other processes 28->46 48 29 other processes 30->48 process9 50 taskkill.exe 32->50         started        52 conhost.exe 32->52         started        54 Conhost.exe 46->54         started        56 Conhost.exe 48->56         started        process10 58 conhost.exe 50->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/231ef19528c94c50a19d4669f1446fd41117f7e94b6dcd2ac68643ab7b745847/
Threat name:
Win32.PUA.MiscX
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 00:40:41 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 39 (53.85%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=emppdfjizfgfbim5izu7crdp2qirp57jjnw42kwgqzb2w63ulbdq._file
Verdict:
malicious
Similar samples:
0a9ad1b516536e141fa37603f8dda726720b4c776f033024fb4f7272f641f9e8
4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
56144143f531340466f958339038a80288473e4cf073eee82955f0b866b4106b
6ef9b879049e0e8490811b7a90ccd47de82b17ba7e9850485e035780e474ff14
901de515209abfaa11681106d0f7c0697077037fd275ef6963579c7218daf073
91893562af732965ae5f90453a22af6b1d7a49f043730b900df20f6506569633
c2e2580ad4998d50a2235f591dc0cba365288f8e01e3debe014c5bf0c7e2b097
db6aa9267f7151707dcc4e06e90377c64890fc03d7f0d6aece0e874dc15af1a3
+ 694 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230309-w6l5lshf56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Unpacked files
SH256 hash:
231ef19528c94c50a19d4669f1446fd41117f7e94b6dcd2ac68643ab7b745847
MD5 hash:
d9e7186fb49d75774327df10b2df2dfe
SHA1 hash:
765e819fb15566509e1307605f4ae5d4448a330f
Link:
https://www.unpac.me/results/a5b52d6a-93bc-4e35-aff4-bd92a5877b80/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.39
Link:
https://yomi.yoroi.company/submissions/231ef19528c94c50a19d4669f1446fd41117f7e94b6dcd2ac68643ab7b745847

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 231ef19528c94c50a19d4669f1446fd41117f7e94b6dcd2ac68643ab7b745847

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2564257/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/373097/

Comments