MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42e0e8fbe866fd8b79d5d7aa644b295a2ff73b5cb85e42251faf492494871909. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42e0e8fbe866fd8b79d5d7aa644b295a2ff73b5cb85e42251faf492494871909
SHA3-384 hash: 30b90e0db7f2f5e57609e3320d26aeeaf574d029f690d4e42a3c92fd538309f34edee5f89e091f522958cecf4f2441a1
SHA1 hash: f2155df27a994c4d9a5b7eb02e3914c63e3de84d
MD5 hash: 59091e61431a1ce16039b8936cb0cde1
humanhash: floor-mississippi-emma-thirteen
File name:59091e61431a1ce16039b8936cb0cde1
Download: download sample
File size:5'864'320 bytes
First seen:2023-02-06 10:04:46 UTC
Last seen:2023-02-06 12:50:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 46 x PureHVNC, 28 x RedLineStealer)
ssdeep 98304:es1MU4RPZVtWSitaFlEWDgMF1IP++FVXJrLrCxvHAblOR7Ll2ONR:eSkPZVtWNY/EEgMFmPBXZrCtHNn2ONR
Threatray 7'978 similar samples on MalwareBazaar
TLSH T10246331A4CE7DB67F1BC4E71383E411F89F8918AB36E6974844784C3B8D48912DEB47A
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c2a8b49a9ada9690 (3 x Formbook, 3 x ACRStealer, 1 x PureCrypter)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
be0c0547570c0da64a4de45481fc25a8
Verdict:
Malicious activity
Analysis date:
2023-02-03 18:27:09 UTC
Tags:
trojan rat redline amadey loader
Link:
https://app.any.run/tasks/90bb9940-9773-43fa-82c5-6d92ab761846

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/360777/
Detection(s):
SecuriteInfo.com.Variant.Lazy.291992.28007.25806.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63e0d0cf416d38777a7a988e/reports/56eaca22-75c0-4d93-bc1c-61c5a5326ca9/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/42e0e8fbe866fd8b79d5d7aa644b295a2ff73b5cb85e42251faf492494871909
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f5780cb0-774f-41e6-b00d-f12179146012
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166470
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42e0e8fbe866fd8b79d5d7aa644b295a2ff73b5cb85e42251faf492494871909/
Threat name:
Win64.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2023-02-03 19:47:06 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
14 of 39 (35.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ilqor67im36yw6ov26vgiszjlix7oo24xbpeeji7v5esjfehdeeq._file
Verdict:
malicious
Similar samples:
5057ef66a52c6050f1cc10faa418c58d9e3cb5039f81846c35cb2ef40f607f10
7f4b450947cbe4007402816a42e6281cd1f3d76ce090c547d5643d5b8f227d49
829579ba6d7c9e90371a9238ac081d671e291cedf3ac53103aa28c1460d74822
867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e
a8d00ba550db4bb552fb9d9eebde24e740d7d11b8041b381f94f331e60514fb6
e1689f695b580c88f6b58274cfed905541749bd86f9f3cd95b70ae22387313ca
e9450c3121f962ad35052a0eb013d667116a77c29299a43047ccd19bd3abfe40
f44026b4e831c9297565ce9477c49859f0fe3a2e99a7ebe50abafcf1ec99487a
f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
+ 7'968 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
bootkit evasion persistence trojan
Link:
https://tria.ge/reports/230206-l4hdjagf5t/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Blocklisted process makes network request
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
42e0e8fbe866fd8b79d5d7aa644b295a2ff73b5cb85e42251faf492494871909
MD5 hash:
59091e61431a1ce16039b8936cb0cde1
SHA1 hash:
f2155df27a994c4d9a5b7eb02e3914c63e3de84d
Link:
https://www.unpac.me/results/59be8536-bc4a-4aac-b90f-f522bc3d6914/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42e0e8fbe866fd8b79d5d7aa644b295a2ff73b5cb85e42251faf492494871909

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 42e0e8fbe866fd8b79d5d7aa644b295a2ff73b5cb85e42251faf492494871909

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/360777/
  
URLhaus
https://urlhaus.abuse.ch/url/2531866/

Comments


Avatar
zbet commented on 2023-02-06 10:04:54 UTC

url : hxxp://62.204.41.88/lend/meta100.exe