MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40c4d06433a2db2e570b3302e01c5c2ebe51efb59473a5b08cb132ab6af8638b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15



SHA256 hash: 40c4d06433a2db2e570b3302e01c5c2ebe51efb59473a5b08cb132ab6af8638b
SHA3-384 hash: a8f3262af10ac3f158009dfb1f9c4005b10a85dea4ceae7906b2d356adef38adca5b6e575a11ff7c2960ebf5ea32937f
SHA1 hash: 457a463a66466eb8f00ad1559fcc4889b0ef494c
MD5 hash: 0b3c9a8b248dc3fbb73be5dd742e640d
humanhash: glucose-twenty-five-thirteen
File name: 40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe
Signature: RedLineStealer
File size: 4'852'094 bytes
First seen: 2022-08-06 18:10:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xgCvLUBsggfY2SStzjaK9SzGaZclaWb49yrAIAKjPvu7csQVC:xdLUCggfHSStfwzGaZcQ9PIvvu4sQVC
TLSH: T1F5263300309458FFE6066570BB188E3C77FED2D8071519A3F3A8871DEF291E3A51AAD9
TrID: 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): (icon image not reproduced)
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
194.36.177.7:39556

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox reference
194.36.177.7:39556      https://threatfox.abuse.ch/ioc/841642/
65.108.231.254:29517    https://threatfox.abuse.ch/ioc/841643/
185.106.92.8:38644      https://threatfox.abuse.ch/ioc/841664/
193.124.22.7:35318      https://threatfox.abuse.ch/ioc/841665/

Intelligence


File Origin
# of uploads: 1
# of downloads: 403
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe
Verdict: No threats detected
Analysis date: 2022-08-06 18:11:12 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a

Behaviour
MalwareBazaar
CheckCmdLine

Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: arkeistealer barys overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Nymaim, Raccoon, RedLine, Socelars, only
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: ID 679836, sample 40C4D06433A2DB2E570B3302E01..., start date 06/08/2022, architecture WINDOWS, score 100 (interactive graph of processes, dropped files and contacted hosts not reproduced)
Threat name: Win32.Trojan.Redlinestealer
Status: Malicious
First seen: 2022-08-01 18:39:00 UTC
File Type: PE (Exe)
Extracted files: 437
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Verdict: malicious
Label(s): raccoon

Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:privateloader family:raccoon family:redline family:socelars botnet:2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 botnet:chris botnet:fucker2 botnet:media18 aspackv2 discovery infostealer loader spyware stealer
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Executes dropped EXE
OnlyLogger payload
OnlyLogger
PrivateLoader
Process spawned unexpected child process
Raccoon
RedLine
RedLine payload
Socelars
Socelars payload
Malware Config
C2 Extraction:
Unpacked files
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: MALWARE_Win_Arechclient2
Author: ditekSHen
Description: Detects Arechclient2 RAT

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: RedLine_b
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments