MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48b226bb739aac1a4f9d90b898aeae795dff4a2035ae2805b8a43ba11ddaa667. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48b226bb739aac1a4f9d90b898aeae795dff4a2035ae2805b8a43ba11ddaa667
SHA3-384 hash: b4341eed3ad68bd2afa26e7f21c5f12329b4e30419734553958d6fa70e7dc8c93cdf33c5700a592a5c0697abed7ff7f1
SHA1 hash: 701af0ba3adf97d676f4520bf7eafcfda2e555bd
MD5 hash: 7d2220453a1ebda86b9f9de7986db7df
humanhash: east-bulldog-low-magnesium
File name:7d2220453a1ebda86b9f9de7986db7df.exe
Download: download sample
File size:4'620'264 bytes
First seen:2023-02-26 06:31:19 UTC
Last seen:2023-02-26 08:33:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash be2d56e421d8822f0045d5374eec2349 (1 x RedLineStealer)
ssdeep 98304:sXmf1qVFGaOn7s8zE/7nvueuZOZmPFkCZ1b68:LtqVFVO4D7nAZrkCjN
Threatray 2 similar samples on MalwareBazaar
TLSH T11C267B62BF4800D6CC61CF3606B5A7120221FD616967F78F7D697958CEEBDE12E012E8
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7d2220453a1ebda86b9f9de7986db7df.exe
Verdict:
Suspicious activity
Analysis date:
2023-02-26 06:34:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9d384b34-e9e2-45ff-ac83-616e2a691413

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369762/
Detection(s):
SecuriteInfo.com.Variant.Zusy.451444.7798.21214.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63fafce381c7f31327fa0a90/reports/cd1663a5-f5d7-4801-a655-8a99287eb894/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/48b226bb739aac1a4f9d90b898aeae795dff4a2035ae2805b8a43ba11ddaa667
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e00a997e-ae98-4bce-ae94-165d50967162
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1182512
Signature
Allocates memory in foreign processes
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 815343 Sample: 5878kTVJYC.exe Startdate: 26/02/2023 Architecture: WINDOWS Score: 68 24 Multi AV Scanner detection for submitted file 2->24 26 Machine Learning detection for sample 2->26 7 5878kTVJYC.exe 1 2->7         started        10 DesktopWindowsHolographicDevices-tupe2.9.6.5.exe 2->10         started        12 DesktopWindowsHolographicDevices-tupe2.9.6.5.exe 2->12         started        process3 signatures4 28 Writes to foreign memory regions 7->28 30 Allocates memory in foreign processes 7->30 32 Injects a PE file into a foreign processes 7->32 14 AppLaunch.exe 1 6 7->14         started        18 conhost.exe 7->18         started        process5 file6 22 DesktopWindowsHolo...ces-tupe2.9.6.5.exe, PE32+ 14->22 dropped 34 Creates autostart registry keys with suspicious names 14->34 20 DesktopWindowsHolographicDevices-tupe2.9.6.5.exe 14->20         started        signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48b226bb739aac1a4f9d90b898aeae795dff4a2035ae2805b8a43ba11ddaa667/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-02-26 06:32:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
10 of 39 (25.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jczcno3ttkwbut45sc4jrlvopfo76sragwxcqbnyuq52cho2uztq._file
Verdict:
malicious
Similar samples:
2485066b0a47ef5a72bed598787fc60afa1e15727e0fcb987ba47c9e100a01b1
d429c7f575a65bc5bb031d953315379f8a2b2bcd8bbb9c40b4a1f1d005a10370
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230226-halx3sgb34/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
e5d98f8dc8876f53c57e5b3da38aa46207d65ba4701e5918b0b8108f49d375f9
MD5 hash:
51c269529d8eda8d5028f84e40d83f03
SHA1 hash:
4b6c83da4dc02a25e8c86151638e04b6fe30187b
Link:
https://www.unpac.me/results/25b87ff4-c99e-4c32-bade-1415ba012a45/
SH256 hash:
48b226bb739aac1a4f9d90b898aeae795dff4a2035ae2805b8a43ba11ddaa667
MD5 hash:
7d2220453a1ebda86b9f9de7986db7df
SHA1 hash:
701af0ba3adf97d676f4520bf7eafcfda2e555bd
Link:
https://www.unpac.me/results/25b87ff4-c99e-4c32-bade-1415ba012a45/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/48b226bb739a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/48b226bb739aac1a4f9d90b898aeae795dff4a2035ae2805b8a43ba11ddaa667

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369762/

Comments