MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 542d926a79efb59d9d36dce0d20dfcdc9e681b851d81866909b9f6da2970a1c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 542d926a79efb59d9d36dce0d20dfcdc9e681b851d81866909b9f6da2970a1c8
SHA3-384 hash: 70513195c3be760351ac227fbae6622ddc0d5aa6db422a592e661dfee9fdb4002ae40695ca33dfd7065375f3d28b1a71
SHA1 hash: e3a6353bc6a125734fc307f3c2776706f154d006
MD5 hash: 3815e829458b648469f91ffc79c21aac
humanhash: enemy-item-bulldog-paris
File name:SecuriteInfo.com.Trojan.GenericKD.37725535.12289.20834
Download: download sample
File size:1'109'504 bytes
First seen:2021-10-06 09:07:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 583c2768feec831ae134853b0c2b8ec9 (1 x RedLineStealer)
ssdeep 24576:5Mrgug5EPJaxYhlIv0jBFcb95lU/jiTXkPlSKZpgP19cs4:5mVg6PI90jIbTO2UPlSKZo2
Threatray 14 similar samples on MalwareBazaar
TLSH T19F35334CCC442243C9D51738768E827596EDFBFBDD3AC8BD3EE537328922A24569A413
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
YUSU v1.5.exe
Verdict:
Malicious activity
Analysis date:
2021-10-05 19:53:38 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/2999817c-ee17-4e57-aaea-80227a3095be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195384/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37725535.12289.20834.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/615d6776e3d213d202b85316/reports/61d0c051-4f7c-4110-9753-0db1744c9b13/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aca3c901-4722-47d2-860f-200dee8332dd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865459
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/542d926a79efb59d9d36dce0d20dfcdc9e681b851d81866909b9f6da2970a1c8/
Threat name:
Win32.Trojan.Nitol
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 03:44:40 UTC
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
11a153c8afaa36b8af99ceb85f50b7b923ddacb921dfa9888e0c49d795933075
206daa7d62850c579968f14560f06ba362ded251da3a8faeb9a331dd862b970f
526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5
5f3d5f1a734020dabc57565c29f60194eb2a0fd1eba8fd7a041c6329d5803f78
612140e7557e3936961100270c51e5943e256f375934c28d2ea3496475d473dc
6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a
abe3031332bae1f6a27965882c14a88f740514103b8532f2fb41ccc925879e59
f2aed23ccdcd5c9b2ae03bdf764e971a5ef30d4ef9dfc37f66806a057433c23a
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/211006-k3xamabbcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://cu85891.tmweb.ru/chrome32.exe
Unpacked files
SH256 hash:
542d926a79efb59d9d36dce0d20dfcdc9e681b851d81866909b9f6da2970a1c8
MD5 hash:
3815e829458b648469f91ffc79c21aac
SHA1 hash:
e3a6353bc6a125734fc307f3c2776706f154d006
Link:
https://www.unpac.me/results/66b2dfdb-1bdc-44fa-91f6-077611bce9b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/542d926a79efb59d9d36dce0d20dfcdc9e681b851d81866909b9f6da2970a1c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 542d926a79efb59d9d36dce0d20dfcdc9e681b851d81866909b9f6da2970a1c8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1657153/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195384/

Comments