MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38e48e1967243e151457e75a0b17b04d65a840308d68cf116da52c2fa944f330. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	38e48e1967243e151457e75a0b17b04d65a840308d68cf116da52c2fa944f330
SHA3-384 hash:	5b0f921c74ce25f4d3d50b10aa09b839557de87b741843d100214e9776a178d41a7e66f6772353a501f329edd488f5c7
SHA1 hash:	345ae1f0ce3f990e32dcc31173112e523f5f2516
MD5 hash:	3bdbe8968ef996140da94b87af9a3f21
humanhash:	cat-carbon-massachusetts-uncle
File name:	3bdbe8968ef996140da94b87af9a3f21
Download:	download sample
File size:	1'759'705 bytes
First seen:	2023-07-03 09:47:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	aac51396886833dc961fcd7aab7711e4 (11 x NetSupport, 7 x DCRat, 4 x njrat)
ssdeep	24576:8HHyFCEEQFmSNhUV6P92hT+9RMVVlO1VuhSMCI0WYIOovwlXtVqGaC1DZPh7oizQ:zeC2hT+4VbEMDChKvYqs1DZJFPW942j
Threatray	564 similar samples on MalwareBazaar
TLSH	T189852302B7C44BB2D16224335E2A6B25B97C7C705F7989DFA394291EDE311C0AA31B77
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	zbetcheckin
Tags:	32 exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

277

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-07-03 09:35:57 UTC

Tags:

rat redline amadey trojan opendir loader smoke

Link:

https://app.any.run/tasks/d45cc139-f4b8-42c1-a2d9-1520f7a5ad44

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/405824/

ClamAV Detected

Detection(s):

Win.Malware.Uztuby-9979905-0

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Launching a process

Sending a custom TCP request

Creating a window

Searching for the window

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/95245/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

anti-vm greyware lolbin msiexec msiexec overlay packed packed replace setupapi shdocvw shell32

Link:

https://www.filescan.io/uploads/64a299522299d26882645521/reports/df60b4fc-c874-46dd-a7be-6723756a9a47/overview

Hybrid Analysis Trojan.Uztuby

Verdict:

Malicious

Labled as:

Trojan.Uztuby

Link:

https://www.hybrid-analysis.com/sample/38e48e1967243e151457e75a0b17b04d65a840308d68cf116da52c2fa944f330

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0176e76e-3856-4eea-94f3-9106b4a2712f

Joe Sandbox malicious

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1266141

Signature

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/38e48e1967243e151457e75a0b17b04d65a840308d68cf116da52c2fa944f330/

ReversingLabs TitaniumCloud Win32.Trojan.Amadey

Threat name:

Win32.Trojan.Amadey

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-07-03 09:48:05 UTC

File Type:

PE (Exe)

Extracted files:

18

AV detection:

17 of 24 (70.83%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hdsi4glheq7bkfcx45nawf5qjvs2qqbqrvum6elnuuwc7kke6mya._file

Threatray malicious

Verdict:

malicious

Similar samples:

0af3aa9e62ae449301ef9b3d9965d45775c13b2fc7a662795d39585d5c0fa908

18ab5e7a8a16ee97cfaf8d710e023a7816f0e0c6e57c1d6ca2f9ca311db0dd12

3f64e635a811969032be1c3bd6d467b6edae118ea00996a66e56e9d798a4db03

43d1c7d70506db33b4db5a3f27582e1f1493b69b6d2493756c88f550529ca969

5cf55c9824d5c162a1f18f76c5b146a5c703b0d234c984045ac5849026411792

6c51139a5f272db52f58adb10074de00bf1046033d0ae970b924499e0dc4390f

811566c02b85bfff2c60105b3638aa7a7d906658c1fc1fd0e2f5112dfcb492be

a040c35ef32cbe289d5bc2b8014adcb961ab3aed1e2873d1f2e335933e97927b

d102af126bcff04b5b089f3872b3add0fef3e755eea0182e8f28324b3c5dcc5f

+ 554 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

n/a

Link:

https://tria.ge/reports/230703-lssecsfh53/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Loads dropped DLL

UnpacMe 2

Unpacked files

SH256 hash:

51634c90ae8d55497d59c2dd849f257b21e71875cee6b9404dbbf1d5ed0b75b4

MD5 hash:

7ed4514a99ab71230e5ffe07be90b41f

SHA1 hash:

2d54e56f16badd2d2ffd02562f2885fd6457c846

Link:

https://www.unpac.me/results/4ecc73fe-7159-4cb0-87f5-2f77dd3b5987/

SH256 hash:

38e48e1967243e151457e75a0b17b04d65a840308d68cf116da52c2fa944f330

MD5 hash:

3bdbe8968ef996140da94b87af9a3f21

SHA1 hash:

345ae1f0ce3f990e32dcc31173112e523f5f2516

Link:

https://www.unpac.me/results/4ecc73fe-7159-4cb0-87f5-2f77dd3b5987/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 38e48e1967243e151457e75a0b17b04d65a840308d68cf116da52c2fa944f330

(this sample)

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2675870/

Cape

https://www.capesandbox.com/analysis/405824/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-07-03 09:47:29 UTC

url : hxxp://77.91.68.30/fuzz/rama.exe