MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 248ac6a3444944504ec113a6303ae50c327cf3432bf04d02d9e30644f868f93d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TVRat

Vendor detections: 11

SHA256 hash: 248ac6a3444944504ec113a6303ae50c327cf3432bf04d02d9e30644f868f93d
SHA3-384 hash: d9ad6563b24984f8ff093aeaa9c3819224c094f09a3c29232feaba1abe080a74caed6edfdef02e1f9c03f1201f47d826
SHA1 hash: a376083eb7a39a32bd1aec88a0e9ad5619e98107
MD5 hash: fdec732050d0b59d37e81453b746a5f3
humanhash: spring-tango-jig-connecticut
File name: fdec732050d0b59d37e81453b746a5f3.exe
Signature: TVRat
File size: 662'352 bytes
First seen: 2022-01-13 15:33:36 UTC
Last seen: 2022-01-13 18:21:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d123a69e1a76a1d4c228975990208112 (4 x RedLineStealer, 1 x TVRat, 1 x ArkeiStealer)
ssdeep: 12288:QCsTvEUCk2v8Bra9UWs/B0d7i+c0m6V8pGgB:Ts4UCPUBrpB0d7igm6WIg
Threatray: 2'304 similar samples on MalwareBazaar
TLSH: T121E42380A385500BC95103336993D708BF34FF554A73EB43758AF075ACBA6DA8DA94EE
dhash icon: b8996869d4dadae0 (1 x TVRat, 1 x ArkeiStealer)
Reporter: abuse_ch
Tags: exe TVRat

Intelligence

File Origin
# of uploads: 2
# of downloads: 233
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fdec732050d0b59d37e81453b746a5f3.exe
Verdict: Suspicious activity
Analysis date: 2022-01-13 15:41:15 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour:
Creating synchronization primitives
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug exploit greyware overlay packed
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature:
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected RedLine Stealer

Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-01-13 15:34:15 UTC
File Type: PE (Exe)
Extracted files: 39
AV detection: 34 of 43 (79.07%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery spyware stealer suricata
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Unpacked files
SHA256 hash: 45aa0f3907d2620e01cafccf926182fa017dd04f45b4485fdbcee4e7722dd9b5
MD5 hash: 672992e73c9a4b2a7bf292d37d4eb511
SHA1 hash: b3928235e4ead38dbd14388c0b1b5fc01f0189b2

SHA256 hash: 2d961176cd7f31ddc72bb840862bbe099a26e3a1931b06e61ae1da3a5dae57d5
MD5 hash: 16641f734a112a70ddeb8606299d0a3b
SHA1 hash: 9d86348b63f148d26614a57749453a28c5e5bbdd

SHA256 hash: f7321a98781ff873d80509941374696344401f06e03188e9ea1b6c4d3e6b6db2
MD5 hash: 8d31c76fa00c638d07f01c46b2cc3912
SHA1 hash: dc0c287661baa4475f666cf2729c5296471b5488

SHA256 hash: 248ac6a3444944504ec113a6303ae50c327cf3432bf04d02d9e30644f868f93d
MD5 hash: fdec732050d0b59d37e81453b746a5f3
SHA1 hash: a376083eb7a39a32bd1aec88a0e9ad5619e98107

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: quakbot_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: TVRat
File type: Executable exe
SHA256 hash: 248ac6a3444944504ec113a6303ae50c327cf3432bf04d02d9e30644f868f93d (this sample)
Delivery method: Distributed via web download