MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 243b5b84bb63e98fb3d54e4e1d8592c367540a79f677a464f2c2ea5491f4c90f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 243b5b84bb63e98fb3d54e4e1d8592c367540a79f677a464f2c2ea5491f4c90f
SHA3-384 hash: a3b87f3c1a3ac9e47c2b95d38fd21a560bf6328b02dbe11837e782246a4363aae735bc89078b233f8390a107227fa5b4
SHA1 hash: 04e949d7d92e86c07a1e0bc72ae39cf2f950f0d6
MD5 hash: 4a53c91d743e8f9b6551893011d04966
humanhash: low-pip-alabama-crazy
File name:4a53c91d743e8f9b6551893011d04966.exe
Download: download sample
File size:168'960 bytes
First seen:2021-08-05 05:51:08 UTC
Last seen:2021-08-05 07:21:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 3072:9ahKyd2n3135GWp1icKAArDZz4N9GhbkrNEkbY2rv:9ahO7p0yN90QEw
Threatray 7 similar samples on MalwareBazaar
TLSH T14BF36C0B67F82066E4B5937059F202D359327D615B3982EF13CEA97E1E336E0A631B17
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4a53c91d743e8f9b6551893011d04966.exe
Verdict:
No threats detected
Analysis date:
2021-08-05 05:55:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9123f985-cd8e-42e5-8fd3-b002dafe11d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176518/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Agentb.4c.14041.1881.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/706560f2-7b46-438f-a024-70f81098d196
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/827873
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460303 Sample: a1iSGJUm5M.exe Startdate: 06/08/2021 Architecture: WINDOWS Score: 56 20 Antivirus detection for URL or domain 2->20 22 Multi AV Scanner detection for submitted file 2->22 7 a1iSGJUm5M.exe 1 3 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 cmd.exe 1 7->11         started        process5 13 powershell.exe 14 16 11->13         started        16 conhost.exe 11->16         started        dnsIp6 18 qmumdjffuiocstjfmdqt.com 5.63.154.248, 443, 49739 AS-REGRU Russian Federation 13->18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/243b5b84bb63e98fb3d54e4e1d8592c367540a79f677a464f2c2ea5491f4c90f/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-01 12:29:05 UTC
AV detection:
5 of 28 (17.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
3d783630a9df4cc2fc3bed2bd696e006c4eb018ca419295fc1fc94010659ecac
3eba0dc8845aed9cb930bab85515af193da93dffff8a2def181c92999b7afeb8
75b77800228079a5b6b94166581b2b406f6dca7baf3a9fb163aa0a2d2a89926b
947b5393f12d2a410be2390fbd37be20705d06a67672af5dc71bd86e8c50a025
bf0b6e7c79d0507e85ebad255973e90fa1ee1b6ae2eb408c4866aeb9322a9e5c
d3a7838ae798a5d0271bd35063602eddab284157f1963d1b71812542ba6f92c4
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210805-sf1hzvvc4e/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
243b5b84bb63e98fb3d54e4e1d8592c367540a79f677a464f2c2ea5491f4c90f
MD5 hash:
4a53c91d743e8f9b6551893011d04966
SHA1 hash:
04e949d7d92e86c07a1e0bc72ae39cf2f950f0d6
Link:
https://www.unpac.me/results/687eb56b-8f29-44a3-8b53-be6b8f2c65bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/243b5b84bb63e98fb3d54e4e1d8592c367540a79f677a464f2c2ea5491f4c90f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176518/

Comments