MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35e9e7da2c65a752eaa1ac125edc931c15bfff308941e47e2c4347ed7d6b26f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35e9e7da2c65a752eaa1ac125edc931c15bfff308941e47e2c4347ed7d6b26f7
SHA3-384 hash: 62e926d7113d0b7d0d60465b726e467c2dc4c41e1fc4be8adbdb6f25e4ea335d2889052ebc73e179cafba91db3a25993
SHA1 hash: f614537222a24c1a8f285dddab72d6e5fc824bd4
MD5 hash: 1e456c4662e143e0d6d1c38abeb3b475
humanhash: high-wisconsin-earth-alanine
File name:Cheat.Lab.2.7.1.msi
Download: download sample
File size:2'821'120 bytes
First seen:2023-10-25 16:27:37 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:YIjRd5W8zBQSc0ZnSKxZKumZrDq4Fb6HXr1iWnYs4ntHurpllQ6aBuxtZRhHAHFL:v20ZnHKbFnWnwuxDmL
Threatray 2 similar samples on MalwareBazaar
TLSH T176D5BE2935CAC637EB7E82306669D77A21BA7EE00BB104DB63D43A1E1E305C15276F17
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter Xev
Tags:msi RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
GR GR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456327/
Detection(s):
SecuriteInfo.com.Application.HackTool.BBI.10922.24915.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm control evasive fingerprint lolbin masquerade remote shell32
Link:
https://www.filescan.io/uploads/65394214bc703e36b08cd48b/reports/a9503947-41f7-4e84-b003-4e2c35ae1481/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/35e9e7da2c65a752eaa1ac125edc931c15bfff308941e47e2c4347ed7d6b26f7
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/35e9e7da2c65a752eaa1ac125edc931c15bfff308941e47e2c4347ed7d6b26f7
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
30 / 100
Link:
https://www.joesandbox.com/analysis/1332053
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Query firmware table information (likely to detect VMs)
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1332053 Sample: Cheat.Lab.2.7.1.msi Startdate: 25/10/2023 Architecture: WINDOWS Score: 30 60 ip-api.com 2->60 62 files.catbox.moe 2->62 70 Uses schtasks.exe or at.exe to add and modify task schedules 2->70 9 msiexec.exe 14 37 2->9         started        13 LuaJIT.exe 22 2->13         started        16 msiexec.exe 15 2->16         started        18 NzA5.exe 2->18         started        signatures3 process4 dnsIp5 42 C:\Windows\Installer\MSIF882.tmp, PE32 9->42 dropped 44 C:\Program Files\CheatLab Corp\...\LuaJIT.exe, PE32+ 9->44 dropped 46 C:\Windows\Installer\MSIF7B5.tmp, PE32 9->46 dropped 56 5 other files (none is malicious) 9->56 dropped 74 Drops executables to the windows directory (C:\Windows) and starts them 9->74 20 MSIF882.tmp 1 9->20         started        22 msiexec.exe 1 9->22         started        25 msiexec.exe 9->25         started        27 msiexec.exe 2 9->27         started        64 193.37.71.129, 49715, 80 VAD-SRL-AS1MD Russian Federation 13->64 66 ip-api.com 208.95.112.1, 49706, 80 TUT-ASUS United States 13->66 68 2 other IPs or domains 13->68 48 C:\ProgramData\...48zA5.exe, PE32+ 13->48 dropped 50 C:\ProgramData\...\CheatLab.lua, data 13->50 dropped 29 schtasks.exe 1 13->29         started        52 C:\Users\user\AppData\Local\...\MSID829.tmp, PE32 16->52 dropped 54 C:\Users\user\AppData\Local\...\MSID809.tmp, PE32 16->54 dropped 58 8 other files (none is malicious) 16->58 dropped file6 signatures7 process8 signatures9 31 cmd.exe 1 20->31         started        72 Query firmware table information (likely to detect VMs) 22->72 34 LuaJIT.exe 22->34         started        36 conhost.exe 29->36         started        process10 signatures11 76 Suspicious powershell command line found 31->76 78 Adds a directory exclusion to Windows Defender 31->78 38 powershell.exe 23 31->38         started        40 conhost.exe 31->40         started        process12
Score:
63%
Verdict:
Susipicious
File Type:
MSI
Link:
https://malprob.io/report/35e9e7da2c65a752eaa1ac125edc931c15bfff308941e47e2c4347ed7d6b26f7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35e9e7da2c65a752eaa1ac125edc931c15bfff308941e47e2c4347ed7d6b26f7/
Threat name:
Binary.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-10-25 16:28:06 UTC
File Type:
Binary (Archive)
Extracted files:
79
AV detection:
3 of 23 (13.04%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
38133a37857191a12c3bc10ea186743641825c8081bd9434d2c941370b3504a6
96816cf646d9eb8a7e4434e9841128f5529554a054a8645a54d01a41a07e3e32
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231025-tynblabh55/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35e9e7da2c65a752eaa1ac125edc931c15bfff308941e47e2c4347ed7d6b26f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://tria.ge/231025-sy44nsbf6x
Cape
Cape
https://www.capesandbox.com/analysis/456327/

Comments