MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b53141faa0056a011e8fa713851d73929ac70b6add0146333181c1bd598b96c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b53141faa0056a011e8fa713851d73929ac70b6add0146333181c1bd598b96c
SHA3-384 hash: a720f0627528a77ae6547242eca0aff4f2f40baf3d22a0f5b8d20b4a204525d9f98cf0c51b726df05212fd1f915e5023
SHA1 hash: 33fdf363f1421d1abba26bf1b64b8b5f6ffa5591
MD5 hash: f0296a91af28c5f51e3ffea1bbfcac4b
humanhash: freddie-william-floor-purple
File name:file
Download: download sample
File size:219'648 bytes
First seen:2022-10-17 14:46:56 UTC
Last seen:2022-10-18 05:15:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 882e681a084840290020f3f1495d29b7 (1 x ArkeiStealer, 1 x CoinMiner)
ssdeep 3072:wXpRRHJLUeAIpvQ56Gp/7U5EF+19xmFCoZWYD0KTG0:kRHJL1vDGt7U55oHD0l
TLSH T1C624D029B5C2F4B1C855047C8868CBA07E7F6D702A68595B3B683B3F7F702C16672396
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 38b078cccacecc43 (14 x Smoke Loader, 7 x Stop, 5 x ArkeiStealer)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc120747115_650675094?hash=kZJYQv47L0HXd3NgiRSZNEQYTrnr2QJu4tfTyAhGXd4&dl=GEZDANZUG4YTCNI:1665939027:Z7OZAbUntMhoWc9zjnccz4V4X42foMG1tWLBcDpQsEH&api=1&no_preview=1#hvnceu

Intelligence

File Origin
# of uploads :
33
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Install.bin
Verdict:
Malicious activity
Analysis date:
2022-10-18 02:56:08 UTC
Tags:
installer evasion loader trojan rat redline raccoon recordbreaker stealer opendir
Link:
https://app.any.run/tasks/504917b2-d089-4d2f-afbf-9c5ff37f5731

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321042/
Detection(s):
Win.Malware.Azorult-9949206-0
Create hunting rule

Win.Packed.Tofsee-9951336-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a file in the system32 subdirectories
Creating a process from a recently created file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult greyware mikey redline smoke
Link:
https://www.filescan.io/uploads/634d6ae8898b0652a4b86b2e/reports/e1b73d14-1fdf-49b6-8577-85e28ee375bd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8963382e-2d1c-4297-a179-400f8522823d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1092003
Signature
Creates autostart registry keys with suspicious names
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b53141faa0056a011e8fa713851d73929ac70b6add0146333181c1bd598b96c/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-10-17 13:26:54 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jnjrih5kablkaepi7jytquoxheu2y4fwvxibiyztdaobxvmyxfwa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221017-r5vyxacbb6/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
27c1079c83e78a69316f70b330572c530ccbee78fbc7224f616af6e071c54a34
MD5 hash:
4ee4a5bff12ecd74ac55068aba562ea0
SHA1 hash:
dccc788a1ba6e01d68c6e1266d335d522a54a757
Link:
https://www.unpac.me/results/75f9ecae-6157-406a-96d7-1ccc1ae448ed/
SH256 hash:
4b53141faa0056a011e8fa713851d73929ac70b6add0146333181c1bd598b96c
MD5 hash:
f0296a91af28c5f51e3ffea1bbfcac4b
SHA1 hash:
33fdf363f1421d1abba26bf1b64b8b5f6ffa5591
Link:
https://www.unpac.me/results/75f9ecae-6157-406a-96d7-1ccc1ae448ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b53141faa0056a011e8fa713851d73929ac70b6add0146333181c1bd598b96c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/321042/

Comments