MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43715837d6ea1e9d2f7110867a50e0b9ed588152d623161ce626c80648d1fef3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43715837d6ea1e9d2f7110867a50e0b9ed588152d623161ce626c80648d1fef3
SHA3-384 hash: 800608a73cf58f2ac9385a6e7ff52dd62bd362830e5bfe03843f5db23d7b0eaa59d40d6fae1e223ed249768fff54beca
SHA1 hash: 96aa2fb97194b4bb387d4c84224b18093abb0cd2
MD5 hash: 9bd149c2a517b561b3871630753cf20b
humanhash: twelve-robin-network-nevada
File name:tyrone.dll
Download: download sample
File size:366'592 bytes
First seen:2025-01-30 00:18:54 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 6144:euPQbMmhAUA6O8uzBYmh7ZdqnatEWXkcpsieycdyIDwX6BZB6x2:eu4fhAUA6O8uzbLqn6ETilcoL6BL6x
Threatray 2'384 similar samples on MalwareBazaar
TLSH T165747D18FE67DA1ECD9A8BF3C5D1185453A49453920BF72B238312EB5D1B3EB8A102D7
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter lilfvchx
Tags:dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
533
Origin country :
AR AR
Vendor Threat Intelligence
Detection(s):
Win.Malware.Zusy-10009321-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679ac72f29ae628cf42b2fb4
Tags:
virus
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/679ac576a2886cdc5ac6847e/reports/5d3f1409-9b95-4184-8260-1e25167f8789/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/43715837d6ea1e9d2f7110867a50e0b9ed588152d623161ce626c80648d1fef3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a27d798d-3386-4495-a875-6a806304ea33
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1602630
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1602630 Sample: tyrone.dll Startdate: 30/01/2025 Architecture: WINDOWS Score: 68 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 .NET source code contains potential unpacker 2->19 21 2 other signatures 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/43715837d6ea1e9d2f7110867a50e0b9ed588152d623161ce626c80648d1fef3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43715837d6ea1e9d2f7110867a50e0b9ed588152d623161ce626c80648d1fef3/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-01-30 00:19:04 UTC
File Type:
PE (.Net Dll)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=inyvqn6w5ipj2l3rccdhuuhaxhwvraks2yrrmhhge3eamsgr73zq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
1ef157ac210e1e53b74f64f066fa6e9e29c37dc3533bd090456a54601505f347
43715837d6ea1e9d2f7110867a50e0b9ed588152d623161ce626c80648d1fef3
a61b8d2bc79e489fe0009755c0a3ca485d64cbdee48bcd55f2dc2624b73e994e
b684fa6621ac71f22449614bfe6064d3cc91fd7aeb3c8d16fb6d586947c85bc3
ced3557310b98b8a1ede8c1c24c4997a2eb2e05e561dd0b6ca36627f0d987d14
error
+ 2'374 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250130-al64dstlfz/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
43715837d6ea1e9d2f7110867a50e0b9ed588152d623161ce626c80648d1fef3
MD5 hash:
9bd149c2a517b561b3871630753cf20b
SHA1 hash:
96aa2fb97194b4bb387d4c84224b18093abb0cd2
Link:
https://www.unpac.me/results/c59f0dea-b3ef-40d7-989c-097fc827a4f8/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DLL dll 924915fcdcf83d580e54eb626ea55487431b1ab2095ac7144e0bb9a62c3d2079

RedLineStealer

Executable exe ced3557310b98b8a1ede8c1c24c4997a2eb2e05e561dd0b6ca36627f0d987d14

DLL dll 43715837d6ea1e9d2f7110867a50e0b9ed588152d623161ce626c80648d1fef3

(this sample)

  
Dropped by
SHA256 ced3557310b98b8a1ede8c1c24c4997a2eb2e05e561dd0b6ca36627f0d987d14
  
Delivery method
Multiple
  
Dropped by
MD5 c4b108f45b87751371fb6e78597772ae

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments