MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4835fecbbc2b930aae3834d4610bfde5a8375e7212ec8e68e4ae0b96de4656ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4835fecbbc2b930aae3834d4610bfde5a8375e7212ec8e68e4ae0b96de4656ce
SHA3-384 hash: 5ff6bb90e1295a116b6c5d7eafa6cf192f3a8678c3172d887af15dd2f3b7043092e94d1b8d0c33ac821e32deed4e90a5
SHA1 hash: fbee26b4e7890b81ec8f3d5456ac0d301e9cb3ae
MD5 hash: 68a70167645fa690aa89281024abacd1
humanhash: fish-alpha-papa-sweet
File name:file
Download: download sample
File size:10'339'957 bytes
First seen:2024-02-08 15:51:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba5546933531fafa869b1f86a4e2a959 (10 x DCRat, 3 x RedLineStealer, 2 x RemcosRAT)
ssdeep 196608:X7FL0sKYu/PaQL2rB+veqH2AbUEOgvDDJf6Wv/VrxiWmo33gWH2VoCsIAV:HQLKB+GqH2AoEOgv3Jx/VMWrgC2VGI
TLSH T15CA633A1670208F8D9A762BF44518D6D5772BC235364EBD303F8995F6F031D02A7EBA1
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter Bitsight
Tags:exe


Avatar
Bitsight
url: http://195.123.230.238/install.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-02-08 16:43:40 UTC
Tags:
opendir loader stealer stealc hausbomber evasion redline rat asyncrat remote raccoon phorpiex trojan rhadamanthys gcleaner azorult backdoor dcrat payload keylogger remcos arechclient2 quasar lumma banload gh0stcringe gh0st vidar amadey botnet xworm shellcode
Link:
https://app.any.run/tasks/c65b687c-00b5-44dc-9a2e-c88da53356e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475459/
Detection(s):
SecuriteInfo.com.FileRepMalware.29467.15994.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
expand lolbin overlay packed packed pyinstaller
Link:
https://www.filescan.io/uploads/65c4f8a4b4bd387cafd2683b/reports/51228be6-aeb9-4cef-a671-2afe1ea72583/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/4835fecbbc2b930aae3834d4610bfde5a8375e7212ec8e68e4ae0b96de4656ce
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/527d882b-9b15-4b20-ab51-2066aa789505
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1389252
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 1389252 Sample: file.exe Startdate: 08/02/2024 Architecture: WINDOWS Score: 76 7 file.exe 80 2->7         started        file3 36 C:\Users\user\AppData\Local\...\registers.exe, PE32 7->36 dropped 38 C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32+ 7->38 dropped 40 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 7->40 dropped 42 69 other files (none is malicious) 7->42 dropped 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->44 46 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 7->46 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->48 50 4 other signatures 7->50 11 file.exe 7 7->11         started        13 conhost.exe 7->13         started        signatures4 process5 process6 15 registers.exe 1 11->15         started        18 cmd.exe 1 11->18         started        20 cmd.exe 1 11->20         started        22 33 other processes 11->22 signatures7 52 Contains functionality to detect hardware virtualization (CPUID execution measurement) 15->52 54 Tries to detect virtualization through RDTSC time measurements 15->54 24 upx.exe 1 18->24         started        26 upx.exe 1 20->26         started        28 upx.exe 1 22->28         started        30 upx.exe 1 22->30         started        32 upx.exe 1 22->32         started        34 27 other processes 22->34 process8
Score:
62%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/4835fecbbc2b930aae3834d4610bfde5a8375e7212ec8e68e4ae0b96de4656ce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4835fecbbc2b930aae3834d4610bfde5a8375e7212ec8e68e4ae0b96de4656ce/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-02-08 15:52:14 UTC
File Type:
PE+ (Exe)
Extracted files:
1486
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ja275s54fojqvlrygtkgcc754wudoxtsclwi42hevyfznxsgk3ha._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller upx
Link:
https://tria.ge/reports/240208-ta2t3sfe3t/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
4835fecbbc2b930aae3834d4610bfde5a8375e7212ec8e68e4ae0b96de4656ce
MD5 hash:
68a70167645fa690aa89281024abacd1
SHA1 hash:
fbee26b4e7890b81ec8f3d5456ac0d301e9cb3ae
Detections:
PyInstaller
Create hunting rule
Link:
https://www.unpac.me/results/4388da79-28b3-4b4e-be7e-c953294c4230/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4835fecbbc2b930aae3834d4610bfde5a8375e7212ec8e68e4ae0b96de4656ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4835fecbbc2b930aae3834d4610bfde5a8375e7212ec8e68e4ae0b96de4656ce

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2758368/
  
URLhaus
https://urlhaus.abuse.ch/url/2758411/
  
URLhaus
https://urlhaus.abuse.ch/url/2756611/
Cape
Cape
https://www.capesandbox.com/analysis/475459/
  
URLhaus
https://urlhaus.abuse.ch/url/2758418/

Comments