MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26bc9287f34be69cef7beca9e91c4a4f1de6f5934d9bc643f8d8de7754bda294. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26bc9287f34be69cef7beca9e91c4a4f1de6f5934d9bc643f8d8de7754bda294
SHA3-384 hash: ea56f4b93a62f93c0c7fe1105b056eeffb137665ac375a57bef2ce7f6336f63966ecc1e70d94056f9830d0f5a31c42b6
SHA1 hash: e33c3bd5f56d4152627501f7b8d3db62f7636dcf
MD5 hash: c28cc92a7c78b96bec58fa3e5398074a
humanhash: fourteen-carolina-solar-green
File name:c28cc92a7c78b96bec58fa3e5398074a
Download: download sample
File size:422'328 bytes
First seen:2023-06-05 01:54:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 562d80e80506d670bb0daaf0cbeebb79 (3 x RedLineStealer)
ssdeep 12288:ir0/cxQev8EC1QdxTq+Oii1VUf0aJvb/x:e0/Tevs1QdNNg/Uf0aJvDx
TLSH T12794021130C1C132E66355B2899AC2F6AA7DFC750B21A9D73BC4896C0F6A7E1EB34747
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c28cc92a7c78b96bec58fa3e5398074a
Verdict:
Suspicious activity
Analysis date:
2023-06-05 01:55:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2a9215dd-e40e-47bf-8813-ad14f87ba962

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/395694/
Detection(s):
Win.Packed.Convagent-10003639-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Creating a window
Sending an HTTP GET request
Creating a file in the %temp% directory
Reading critical registry keys
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Changing a file
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/89427/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/647d407628dea21383f65c22/reports/18537707-de50-4a10-9f80-8777e03944aa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/26bc9287f34be69cef7beca9e91c4a4f1de6f5934d9bc643f8d8de7754bda294
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2701003f-f48e-42c2-9376-73ff986bcd60
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1248532
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 881552 Sample: 6OYe8LzpcJ.exe Startdate: 05/06/2023 Architecture: WINDOWS Score: 84 42 Multi AV Scanner detection for submitted file 2->42 44 Machine Learning detection for sample 2->44 46 Uses known network protocols on non-standard ports 2->46 8 6OYe8LzpcJ.exe 1 2->8         started        process3 signatures4 50 Contains functionality to inject code into remote processes 8->50 52 Writes to foreign memory regions 8->52 54 Allocates memory in foreign processes 8->54 56 Injects a PE file into a foreign processes 8->56 11 AppLaunch.exe 33 8->11         started        16 conhost.exe 8->16         started        process5 dnsIp6 36 dc540.4sync.com 204.155.145.54 WZCOM-US United States 11->36 38 www.4sync.com 204.155.149.140 WZCOM-US United States 11->38 40 5.42.64.41, 1337, 49694 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 11->40 28 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 11->28 dropped 30 C:\Users\user\AppData\Local\...\libcrypto.dll, PE32 11->30 dropped 32 C:\Users\user\AppData\Local\Temp\Chr0me.exe, PE32 11->32 dropped 34 13 other files (2 malicious) 11->34 dropped 58 Tries to harvest and steal browser information (history, passwords, etc) 11->58 60 DLL side loading technique detected 11->60 18 Chr0me.exe 40 11->18         started        22 conhost.exe 11->22         started        file7 signatures8 process9 file10 26 C:\Users\user\AppData\Roaming\...\readme.txt, Unicode 18->26 dropped 48 Tries to steal Crypto Currency Wallets 18->48 24 conhost.exe 18->24         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26bc9287f34be69cef7beca9e91c4a4f1de6f5934d9bc643f8d8de7754bda294/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-06-05 01:55:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e26jfb7tjptjz3335su6shckj4o6n5mtjwn4mq7y3dphovf5ukka._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/230605-cb4xdsfa5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SH256 hash:
dc44e332916841df62c2d92c09cf904f2b31fb8d74a941c3a7124d382c29f6fc
MD5 hash:
bed5beb5fee46d7113172685365e664e
SHA1 hash:
909992933d829f5aa0495d233a290fde06a5a8d7
Link:
https://www.unpac.me/results/721b74dc-e878-48f5-85a2-890e7dda665e/
SH256 hash:
26bc9287f34be69cef7beca9e91c4a4f1de6f5934d9bc643f8d8de7754bda294
MD5 hash:
c28cc92a7c78b96bec58fa3e5398074a
SHA1 hash:
e33c3bd5f56d4152627501f7b8d3db62f7636dcf
Link:
https://www.unpac.me/results/721b74dc-e878-48f5-85a2-890e7dda665e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26bc9287f34b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26bc9287f34be69cef7beca9e91c4a4f1de6f5934d9bc643f8d8de7754bda294

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 26bc9287f34be69cef7beca9e91c4a4f1de6f5934d9bc643f8d8de7754bda294

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2652432/
Cape
Cape
https://www.capesandbox.com/analysis/395694/

Comments


Avatar
zbet commented on 2023-06-05 01:54:38 UTC

url : hxxps://www.4sync.com/web/directDownload/JVMSC3U5/kB3UdH-l.4954207250abe4372a6c2b263da94592/