MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 323ea92408f9dfb0598cea001209880501388393ed76e9f20974b2819141ca9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Redosdru

Vendor detections: 11

SHA256 hash: 323ea92408f9dfb0598cea001209880501388393ed76e9f20974b2819141ca9a
SHA3-384 hash: 021fe08e0b66457a3194d2d55f9dec84453e4d5b1725e874cfc3f986e97a2ac57c83258c47e5854c73e647821049cd6a
SHA1 hash: 0a70a88da5ec490db7d6c2e633cc1bc2d43a273d
MD5 hash: ca0bfb0e149468f828793f18cd1db393
humanhash: carbon-oven-oven-solar
File name: ca0bfb0e149468f828793f18cd1db393
Signature: Redosdru
File size: 385'024 bytes
First seen: 2021-08-13 02:28:54 UTC
Last seen: 2021-08-13 02:58:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 032ac126bef9dc99c70a99a6b91b16f2 (8 x Nitol, 1 x Redosdru, 1 x Gh0stRAT)
ssdeep: 6144:MkyLEbWaR5CcUdoVjOU7i2P2P25rrrrDL:dUaWaR5vUKsUeQQ0rrrrD
Threatray: 42 similar samples on MalwareBazaar
TLSH: T1ED84D011F741D02AF4D641FAE7B7CBAEA6595F61031020C3A3D866DA1B391D36E3298F
Reporter: zbetcheckin
Tags: 32 exe Redosdru

Intelligence

File Origin
# of uploads: 2
# of downloads: 140
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ca0bfb0e149468f828793f18cd1db393
Verdict: Suspicious activity
Analysis date: 2021-08-13 02:30:00 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a custom TCP request
Creating a window
Connection attempt
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph (ID 464551; sample uGb9OI1WvG; start date 13/08/2021; architecture WINDOWS; score 100). Recoverable information from the graph:

Process tree:
- uGb9OI1WvG.exe started services.exe, which started Ehqdrvo.exe
- svchost.exe started MpCmdRun.exe, which started conhost.exe (svchost.exe: changes security center settings)
- 11 other processes started

Network contacts:
- 144.48.240.173 (ports 29106, 49704, 49705), CLOUDIE-AS-AP Cloudie Limited HK, Hong Kong (from uGb9OI1WvG.exe)
- 103.229.126.73 (ports 49703, 8000), CLOUDIE-AS-AP Cloudie Limited HK, Taiwan; Republic of China (ROC) (from uGb9OI1WvG.exe)
- 127.0.0.1 (from svchost.exe), 192.168.2.1 (from other processes)

Dropped files:
- C:\services.exe, PE32 (by uGb9OI1WvG.exe)
- C:\Users\user\AppData\...\services[1].exe, PE32 (by uGb9OI1WvG.exe)
- C:\Program Files (x86)\...hqdrvo.exe, PE32 (by services.exe)
- C:\Users\user\AppData\...30etSyst96[1].dll, data (by services.exe)
- C:\Program Files\AppPatch32etSyst96.dll, data (by services.exe)

Signatures attached to the graph: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 8 other signatures; uGb9OI1WvG.exe: Checks if browser processes are running, Contains functionality to capture and log keystrokes, Drops PE files with benign system names; services.exe: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file.
Threat name: Win32.Trojan.Multiverze
Status: Malicious
First seen: 2021-07-26 10:38:00 UTC
AV detection: 32 of 46 (69.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SHA256 hash: bc90d90205eec81fd0acca0394dc16177e9e8f4e070ea0e13183971da32545d2
MD5 hash: f9fe2d50dee7d4761afc1e11eee11698
SHA1 hash: 1a34939aeafc985d93772d9ec69962bc55a88b5e

SHA256 hash: 323ea92408f9dfb0598cea001209880501388393ed76e9f20974b2819141ca9a
MD5 hash: ca0bfb0e149468f828793f18cd1db393
SHA1 hash: 0a70a88da5ec490db7d6c2e633cc1bc2d43a273d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CN_disclosed_20180208_Mal1
Author: Florian Roth
Description: Detects malware from disclosed CN malware set
Reference: https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Redosdru
File: Executable exe 323ea92408f9dfb0598cea001209880501388393ed76e9f20974b2819141ca9a (this sample)

Comments

zbet commented on 2021-08-13 02:28:55 UTC

url: hxxp://144.48.240.173:29106/%E8%BD%AF%E4%BB%B6%E6%8E%88%E6%9D%83%E7%A8%8B%E5%BA%8F.exe