MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c3e0c2b6be336aa939ff9c0c9a040d1ef73ab6126e00f9d97f0995719b80229. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


1xxbot


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c3e0c2b6be336aa939ff9c0c9a040d1ef73ab6126e00f9d97f0995719b80229
SHA3-384 hash: dbb99651fc3e4e46b31101c9dc6b21b0714d5aa3bae257839db4596703241624aa1db431facbd25030ed5d1dba34490c
SHA1 hash: 3dbd8d1487710f268421363d6a4ec0a81c8b30d8
MD5 hash: 611c3237e37b5d0a8b3037e695d690a2
humanhash: delaware-sodium-alanine-cat
File name:611c3237e37b5d0a8b3037e695d690a2.exe
Download: download sample
Signature 1xxbot
Create hunting rule
File size:2'294'063 bytes
First seen:2021-06-16 18:15:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep 49152:HYvVeWhd4gWixm9sNZH5kErlIRUQuZdsT69jx9ZfOqAETtmC6:HYvVfHrW0mskErlcUvswxOhWtmC6
Threatray 1'177 similar samples on MalwareBazaar
TLSH D8B533617E80687FC4461F3818EDAA7943DA3E613BDD2F87061437F769B88612B4970E
Reporter abuse_ch
Tags:1xxbot exe


Avatar
abuse_ch
1xxbot C2:
77.232.42.253:228

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
77.232.42.253:228 https://threatfox.abuse.ch/ioc/130851/

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
611c3237e37b5d0a8b3037e695d690a2.exe
Verdict:
Malicious activity
Analysis date:
2021-06-16 18:22:23 UTC
Tags:
trojan 1xxbot autoit stealer vidar loader
Link:
https://app.any.run/tasks/cfc452b0-0d68-4daf-9dbb-2a784e2b9955

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Dopping-9832657-0
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.UGA.20041.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Launching a process
Launching cmd.exe command interpreter
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffc0dd4f-e775-443d-b08a-f9ee7328ad33
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/803269
Signature
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Check external IP via Powershell
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435685 Sample: kYvdP38gUv.exe Startdate: 16/06/2021 Architecture: WINDOWS Score: 100 120 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->120 122 Multi AV Scanner detection for submitted file 2->122 124 Yara detected AntiVM3 2->124 126 5 other signatures 2->126 12 kYvdP38gUv.exe 18 2->12         started        15 CsdglRYnnK.exe.com 2->15         started        19 wscript.exe 2->19         started        process3 dnsIp4 90 C:\Users\user\AppData\Local\Temp\seup.exe, PE32 12->90 dropped 92 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 12->92 dropped 94 C:\Users\user\AppData\...\P3AQ8WD7EANE8.dll, PE32 12->94 dropped 21 cmd.exe 1 12->21         started        110 iCVaAzHWRHOTljBi.iCVaAzHWRHOTljBi 15->110 96 C:\Users\user\AppData\Roaming\...\RegAsm.exe, PE32 15->96 dropped 114 Writes to foreign memory regions 15->114 116 Injects a PE file into a foreign processes 15->116 24 RegAsm.exe 15->24         started        118 Creates processes via WMI 19->118 file5 signatures6 process7 signatures8 134 Submitted sample is a known malware sample 21->134 136 Obfuscated command line found 21->136 138 Uses ping.exe to sleep 21->138 140 Uses ping.exe to check the status of other devices and networks 21->140 26 setup.exe 7 21->26         started        29 seup.exe 3 21->29         started        31 powershell.exe 15 18 21->31         started        34 conhost.exe 21->34         started        142 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->142 process9 dnsIp10 152 Machine Learning detection for dropped file 26->152 154 Contains functionality to register a low level keyboard hook 26->154 36 cmd.exe 1 26->36         started        156 Injects a PE file into a foreign processes 29->156 38 seup.exe 29->38         started        112 iplogger.org 88.99.66.31, 443, 49735 HETZNER-ASDE Germany 31->112 158 May check the online IP address of the machine 31->158 signatures11 process12 dnsIp13 43 cmd.exe 3 36->43         started        46 conhost.exe 36->46         started        104 159.69.20.131, 49734, 80 HETZNER-ASDE Germany 38->104 106 bandakere.tumblr.com 74.114.154.22, 443, 49733 AUTOMATTICUS Canada 38->106 80 C:\Users\user\AppData\...\softokn3[1].dll, PE32 38->80 dropped 82 C:\Users\user\AppData\...\freebl3[1].dll, PE32 38->82 dropped 84 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 38->84 dropped 86 9 other files (none is malicious) 38->86 dropped 146 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 38->146 148 Tries to harvest and steal browser information (history, passwords, etc) 38->148 150 Tries to steal Crypto Currency Wallets 38->150 48 cmd.exe 38->48         started        file14 signatures15 process16 signatures17 160 Obfuscated command line found 43->160 162 Uses ping.exe to sleep 43->162 50 Chiusa.exe.com 43->50         started        53 PING.EXE 1 43->53         started        56 findstr.exe 1 43->56         started        59 conhost.exe 48->59         started        61 taskkill.exe 48->61         started        63 timeout.exe 48->63         started        process18 dnsIp19 128 Drops PE files with a suspicious file extension 50->128 65 Chiusa.exe.com 7 50->65         started        102 127.0.0.1 unknown unknown 53->102 88 C:\Users\user\AppData\...\Chiusa.exe.com, Targa 56->88 dropped file20 signatures21 process22 dnsIp23 98 192.168.2.1 unknown unknown 65->98 100 iCVaAzHWRHOTljBi.iCVaAzHWRHOTljBi 65->100 74 C:\Users\user\AppData\...\CsdglRYnnK.exe.com, PE32 65->74 dropped 76 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 65->76 dropped 78 C:\Users\user\AppData\...\CsdglRYnnK.url, MS 65->78 dropped 130 Writes to foreign memory regions 65->130 132 Injects a PE file into a foreign processes 65->132 70 RegAsm.exe 65->70         started        file24 signatures25 process26 dnsIp27 108 77.232.42.253, 228, 49747, 49748 EUT-ASEUTIPNetworkRU Russian Federation 70->108 144 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 70->144 signatures28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c3e0c2b6be336aa939ff9c0c9a040d1ef73ab6126e00f9d97f0995719b80229/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 18:16:22 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hq7ayk3l4m3kve477hamtica2hxxhk3be3qa7hmx6cmvognyaiuq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
186e9e1877c50ecf4619bf75856c84bf1305ce117ad9b2e14410a340cccfd2a0
1xxbot
3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e
1xxbot
3eec2f0cec06aaf7f41a67bfff612f25c821ed90f47d49afd0b6a6d799ae516c
1xxbot
6ae2b85bbb7df33cb5c97373647b30331f8dfffd1ec0f76a11a0af81d1c1d592
1xxbot
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33
1xxbot
c391ea2f8b72e2810362cd512a640220f20fb149bdd85eaef408c25471f74b92
1xxbot
c7d0d8513552fd13ecb15e4fd518549aa71498af923b024e721a527b5d7682b3
1xxbot
d3a7838ae798a5d0271bd35063602eddab284157f1963d1b71812542ba6f92c4
1xxbot
dbeb99d2b3f5ab13560c96f80ee6153f909f64aac45d4ad56e2468320430acd3
1xxbot
e8da10d6d1bc9983ce35416b130f9814e346ada4ea0117fe78b4805c26c96a72
1xxbot
+ 1'167 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210616-azcv1s7sce/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Sets desktop wallpaper using registry
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Installed Components in the registry
Vidar Stealer
Vidar
Unpacked files
SH256 hash:
8e8cbf4a5b194908657cbe674c137cdfd0447d43e2fc40318fd2636d9c87c051
MD5 hash:
d6b12689b6d18879bd31adc4c585bbcb
SHA1 hash:
fb476310e8521bee22331c66489d80f4693e8a3c
Link:
https://www.unpac.me/results/7eaae456-128a-489e-9bb4-eea8bf682af1/
SH256 hash:
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
MD5 hash:
293165db1e46070410b4209519e67494
SHA1 hash:
777b96a4f74b6c34d43a4e7c7e656757d1c97f01
Link:
https://www.unpac.me/results/7eaae456-128a-489e-9bb4-eea8bf682af1/
SH256 hash:
cfff5cdecfcadd69b3fd72274a371582a7b081922488d91c893cc50d287d3f77
MD5 hash:
4bee820026a1f22175bdba0aa2f1389b
SHA1 hash:
98ef1211f99c7cb81ce0337ffd2585c91c8de972
Link:
https://www.unpac.me/results/7eaae456-128a-489e-9bb4-eea8bf682af1/
SH256 hash:
ca694724f5a15213e6f141de929e72aef985596356f2ec831d7ad6452239b4fc
MD5 hash:
ebd54dfd37e646478c936391c20b5608
SHA1 hash:
126fc8f79fe2e1275280a85230e675f07a0bb091
Link:
https://www.unpac.me/results/7eaae456-128a-489e-9bb4-eea8bf682af1/
SH256 hash:
a6fe62d19b2b0f608fe3367ba5612742b9ff248b91a32b13fe189c891a22a00d
MD5 hash:
729168d16501390f6b7d92edb38886c4
SHA1 hash:
d244dc2a6325b22a02372c2b8e01ef4a3e51d10c
Link:
https://www.unpac.me/results/7eaae456-128a-489e-9bb4-eea8bf682af1/
SH256 hash:
3c3e0c2b6be336aa939ff9c0c9a040d1ef73ab6126e00f9d97f0995719b80229
MD5 hash:
611c3237e37b5d0a8b3037e695d690a2
SHA1 hash:
3dbd8d1487710f268421363d6a4ec0a81c8b30d8
Link:
https://www.unpac.me/results/7eaae456-128a-489e-9bb4-eea8bf682af1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c3e0c2b6be336aa939ff9c0c9a040d1ef73ab6126e00f9d97f0995719b80229

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

1xxbot

Executable exe 3c3e0c2b6be336aa939ff9c0c9a040d1ef73ab6126e00f9d97f0995719b80229

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1103586/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1104214/

Comments