MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46381f6540a0a0075a17fb9747e5cf09dbcdd69b5509b1f4beced1c13d1deec2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12



SHA256 hash: 46381f6540a0a0075a17fb9747e5cf09dbcdd69b5509b1f4beced1c13d1deec2
SHA3-384 hash: 66f6862f23f61744e470ff779e926468a9748397d54dc42d08ff71c9cbe4f277d024762236d73333de829a75936a6cc3
SHA1 hash: 28c5fe4661cacaa8e0de5c260fbb1cd773965d46
MD5 hash: f5d91bbb276a18910e6a0aa235136279
humanhash: fifteen-finch-fanta-juliet
File name: f5d91bbb276a18910e6a0aa235136279
File size: 1'046'320 bytes
First seen: 2022-06-25 02:28:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:HAHnh+eWsNbskA4RV1Hom2KX4mGashhPYMPA/:6h+FkldoPKIBashhPYQ
TLSH T1C325AE02B3D1D036FFAB92735B69F20596BD7D250123852F13982D79BE701B2273E662
TrID 56.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
3.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon d0ccde92d6ccc8c2
Reporter zbetcheckin
Tags:32 exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 222
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: plugin-hang-ui.exe
Verdict: Malicious activity
Analysis date: 2022-06-22 19:56:52 UTC
Tags: trojan rat redline loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Enabling the 'hidden' option for analyzed file
Running batch commands
Creating a process with a hidden window
Launching a process
Adding an access-denied ACE
Moving of the original file
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
CheckNumberOfProcessor
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: autoit greyware hacktool keylogger overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Binary is likely a compiled AutoIt script file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Uses Windows timers to delay execution
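The signature "PE file contains section with special chars" above can be reproduced without a sandbox by reading the section table directly. The following is an added example written for this page, not code from MalwareBazaar or from any of the vendors listed. It runs on a constructed, non-loadable PE-like byte string (the real sample is not embedded here), and the PRINTABLE allow-list is an assumption a triager would tune.

```python
"""Check PE section names for characters outside the usual printable set.

Added example for this page (not MalwareBazaar's or any vendor's code). The
PE image it runs on is constructed here and is not loadable; the real sample
is not embedded. PRINTABLE is an assumed allow-list, tune it to taste.
"""
import string
import struct

PRINTABLE = set(string.ascii_letters + string.digits + "._$@")


def section_names(data: bytes) -> list:
    """Return the raw 8-byte names from the PE section table, in order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        off = table + i * 40  # sizeof(IMAGE_SECTION_HEADER)
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8])  # Name[8], NUL-padded, not NUL-terminated
    return names


def odd_sections(data: bytes) -> list:
    """Raw names that are empty or contain a byte outside PRINTABLE."""
    flagged = []
    for raw in section_names(data):
        name = raw.rstrip(b"\0")
        if not name or any(chr(b) not in PRINTABLE for b in name):
            flagged.append(raw)
    return flagged


def build_pe(names) -> bytes:
    """Constructed, minimal PE-like image carrying the given section names.
    Only the fields section_names() reads are meaningful."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224  # sizeof(IMAGE_OPTIONAL_HEADER32); left zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    table = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 32 for n in names)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + table


if __name__ == "__main__":
    # Constructed image: three normal names and one with control/high bytes.
    sample = build_pe([b".text", b".rdata", b"\x03\x7f\xe9 s", b".rsrc"])
    for raw in odd_sections(sample):
        print("odd section name:", raw)
```

Section names are 8 bytes, NUL-padded and not NUL-terminated, so the check strips the padding first and then flags any remaining byte outside letters, digits and `._$@`. Packers such as UPX use printable names (UPX0, UPX1) and pass; only genuinely odd names are reported, and an odd name on its own says nothing about whether the binary is malicious.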
Behaviour
Behavior Graph:
Behavior Graph ID: 652131
Sample: pS8DYny5cM
Start date: 25/06/2022
Architecture: WINDOWS
Score: 68

Signatures on the sample (graph node 2):
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Binary is likely a compiled AutoIt script file
  PE file contains section with special chars

Process tree (node numbers from the graph):
  pS8DYny5cM.exe (7), started from the sample
    signatures: Binary is likely a compiled AutoIt script file; Uses Windows timers to delay execution
    cmd.exe (16)
      conhost.exe (18)
      icacls.exe (20)
      icacls.exe (22)
      icacls.exe (24)
  libmfxsw32.exe (10), started from the sample
  libmfxsw32.exe (12), started from the sample
  libmfxsw32.exe (14), started from the sample
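The graph shows the sample's process spawning cmd.exe, which runs icacls.exe three times, which lines up with the "Adding an access-denied ACE" and "Modifies file permissions" behaviours reported by the sandboxes. What follows is an added example, not code from the MalwareBazaar page or from any vendor: the detection a SOC could run over process-creation telemetry for that chain. The event shape, pids, paths, the batch file name and the icacls arguments are constructed for illustration; only the image names come from the graph.

```python
"""Detect icacls.exe run from a cmd.exe whose own parent is a non-system binary.

Added example, not code from the MalwareBazaar page or from any sandbox
vendor. It replays the process tree the behaviour graph shows for this sample
(pS8DYny5cM.exe -> cmd.exe -> conhost.exe + 3x icacls.exe) from constructed
process-creation events. Event fields, pids, paths, the batch file name and
the icacls arguments are assumptions; only the image names are from the page.
"""
import ntpath

SYSTEM_PREFIX = "c:\\windows\\"

# Constructed events; pids reuse the behaviour-graph node numbers so the chain
# is easy to follow. Nothing here was captured from the real sample.
EVENTS = [
    {"pid": 2, "ppid": 1, "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 7, "ppid": 2, "image": "C:\\Users\\user\\Desktop\\pS8DYny5cM.exe",
     "cmdline": "pS8DYny5cM.exe"},
    {"pid": 16, "ppid": 7, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c run.bat"},  # batch file name is invented
    {"pid": 18, "ppid": 16, "image": "C:\\Windows\\System32\\conhost.exe",
     "cmdline": "conhost.exe 0xffffffff"},
    {"pid": 20, "ppid": 16, "image": "C:\\Windows\\System32\\icacls.exe",
     "cmdline": 'icacls "C:\\Users\\user\\AppData\\Roaming\\libmfxsw32.exe" /inheritance:r'},
    {"pid": 22, "ppid": 16, "image": "C:\\Windows\\System32\\icacls.exe",
     "cmdline": 'icacls "C:\\Users\\user\\AppData\\Roaming\\libmfxsw32.exe" /deny *S-1-1-0:(D,WDAC)'},
    {"pid": 24, "ppid": 16, "image": "C:\\Windows\\System32\\icacls.exe",
     "cmdline": 'icacls "C:\\Users\\user\\AppData\\Roaming\\libmfxsw32.exe" /deny *S-1-5-32-544:(D)'},
    # Control: an interactive shell opened from Explorer doing admin work.
    {"pid": 900, "ppid": 2, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 901, "ppid": 900, "image": "C:\\Windows\\System32\\icacls.exe",
     "cmdline": 'icacls "D:\\share" /grant user:(R)'},
]


def basename(path):
    return ntpath.basename(path).lower()


def ancestry(by_pid, pid):
    """The process record, then its parent, grandparent, ... as far as known."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def suspicious_icacls(events):
    """icacls.exe <- cmd.exe <- anything not living under C:\\Windows."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "icacls.exe":
            continue
        chain = ancestry(by_pid, e["pid"])
        if len(chain) < 3:
            continue
        parent, grandparent = chain[1], chain[2]
        if basename(parent["image"]) != "cmd.exe":
            continue
        if grandparent["image"].lower().startswith(SYSTEM_PREFIX):
            continue  # cmd.exe launched by a Windows binary, e.g. explorer.exe
        hits.append({
            "pid": e["pid"],
            "chain": [basename(p["image"]) for p in chain[:3]],
            "deny_ace": "/deny" in e["cmdline"].lower(),
            "cmdline": e["cmdline"],
        })
    return hits


if __name__ == "__main__":
    for h in suspicious_icacls(EVENTS):
        print(h["pid"], " <- ".join(h["chain"]),
              "DENY-ACE" if h["deny_ace"] else "", h["cmdline"])
```

The path-prefix test on the grandparent is a stand-in for a proper check (signer or an allow-list of known launchers); it is enough to separate the sample's chain from the control chain here, but a real rule should also key on the `/deny` argument, which is what the "Adding an access-denied ACE" behaviour corresponds to, and on the target being a freshly dropped executable.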
Threat name: Win32.Trojan.Nymeria
Status: Malicious
First seen: 2022-06-22 23:36:46 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 13 of 26 (50.00%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
AutoIT Executable
Modifies file permissions
Executes dropped EXE
Unpacked files
SHA256 hash: 46381f6540a0a0075a17fb9747e5cf09dbcdd69b5509b1f4beced1c13d1deec2
MD5 hash: f5d91bbb276a18910e6a0aa235136279
SHA1 hash: 28c5fe4661cacaa8e0de5c260fbb1cd773965d46
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).
Rule name: INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Executable exe 46381f6540a0a0075a17fb9747e5cf09dbcdd69b5509b1f4beced1c13d1deec2 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2022-06-25 02:28:35 UTC

url : hxxp://jrfurnace.com/wp-down/fodhelper.exe