MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 570e6dec1d80315fbb63bd6a7e5fd00847221428bbbe41618df4b3797a41d8a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 570e6dec1d80315fbb63bd6a7e5fd00847221428bbbe41618df4b3797a41d8a8
SHA3-384 hash: 8cddd205d7d51db2073b8d84d25db94e7afeab188fe273772c0739fc2a1a2e6ae4537c1a40c905cb720bfd7cd5398f2a
SHA1 hash: 0e545c330d510a35c95736671d323b27d4571ee6
MD5 hash: 1409a8b5859cfc13905d30b37b6febe4
humanhash: comet-winner-london-wisconsin
File name:SecuriteInfo.com.FileRepMalware.32466.30047
Download: download sample
File size:16'984'064 bytes
First seen:2024-01-19 10:30:14 UTC
Last seen:2024-01-19 11:21:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 72 x LummaStealer, 62 x Rhadamanthys)
ssdeep 393216:18I6nZPRdxwWSv2qXVr4st4KthyYbGFTrv0qtGqBa:18IqHxwWIrr4st5piJrv0qt5
Threatray 494 similar samples on MalwareBazaar
TLSH T13A073381A8E852E7D4BBC575D0BA76B34170F862875AE09729CED03A9D709D4FF3260C
TrID 58.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.FileRepMalware.32466.30047.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
90%
Tags:
advpack anti-debug CAB control crypto evasive expand explorer greyware installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65aa4f7159502c0e7b3a4807/reports/162acb2b-ec39-4159-835e-b0ddb5c85d23/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/570e6dec1d80315fbb63bd6a7e5fd00847221428bbbe41618df4b3797a41d8a8
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5291cd0a-3f32-478e-8603-2927f5a6c760
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1377344
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1377344 Sample: SecuriteInfo.com.FileRepMal... Startdate: 19/01/2024 Architecture: WINDOWS Score: 56 41 cdn.discordapp.com 2->41 45 Multi AV Scanner detection for submitted file 2->45 9 SecuriteInfo.com.FileRepMalware.32466.30047.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\FORTNI~2.EXE, PE32+ 9->29 dropped 31 C:\Users\user\AppData\Local\...\FORTNI~1.EXE, PE32+ 9->31 dropped 14 FORTNI~1.EXE 20 9->14         started        18 FORTNI~2.EXE 2 9->18         started        process6 dnsIp7 33 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 14->33 dropped 35 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 14->35 dropped 37 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 14->37 dropped 39 14 other files (12 malicious) 14->39 dropped 47 Multi AV Scanner detection for dropped file 14->47 21 FORTNI~1.EXE 1 14->21         started        23 conhost.exe 14->23         started        43 cdn.discordapp.com 162.159.129.233, 443, 49700 CLOUDFLARENETUS United States 18->43 25 conhost.exe 18->25         started        file8 signatures9 process10 process11 27 cmd.exe 1 21->27         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/570e6dec1d80315fbb63bd6a7e5fd00847221428bbbe41618df4b3797a41d8a8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/570e6dec1d80315fbb63bd6a7e5fd00847221428bbbe41618df4b3797a41d8a8/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-16 00:56:12 UTC
File Type:
PE+ (Exe)
Extracted files:
415
AV detection:
8 of 38 (21.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k4hg33a5qayv7o3dxvvh4x6qbbdsefbixo7ecymn6szxs6sb3cua._file
Verdict:
unknown
Similar samples:
611f5ffa068e79b43ee99f31b5ac20bdc5684d5c1bca049f7b14f58cb8cb118a
896c5898ce95f078e8246f62ccd4b7da07959b2884362fa9c1933712aedeb553
8982eecbc6365b0320c57d0d186f0b0569a6cb619da669f5a87ad3ad7b09e698
be8e942ff8e30b01a840f745356bf6398bc57874e1d76f2515c40f057933abc5
c8b92119a5b562bbcea0562512a45db5a9695166b8950617604ced871f604bc0
cfe4c58d8b3c1e4bfbb69be9fd65d987f2f229744202e024b5e50e84b322adc4
fbe720229b96efaa4082c195a6d98d43005e1f69ed031f3f9b1f8dcb2113f4d8
fc999e372d1a938956bd8130512bf13be780ebbddfc42d4bb085587ba10f4c2a
+ 484 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence pyinstaller upx
Link:
https://tria.ge/reports/240119-mkdrnscge2/
Behaviour
Detects videocard installed
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
c4f1c887cbb70e8c701f3c36d7450a8f93036dbfeb1c2d5b89099fce199d95db
MD5 hash:
eae13dce88e7b4ca6303b4874250d933
SHA1 hash:
4feac5220a6fb35b1e4c1003363f12997d6b281d
Detections:
PyInstaller
Create hunting rule
Link:
https://www.unpac.me/results/a41c44b2-190b-4f8d-8b90-8642c25bde04/
SH256 hash:
7dfa193485b78ec9b1a7c7ffaa0e636d556dc36dbb514a4fd4b2a8ff011ff822
MD5 hash:
0f23f332989d21d6d109e3a404d7c57d
SHA1 hash:
9b791c879a864ce6a2d01eb83c9c7123376cc47a
Detections:
win_karius_g0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Link:
https://www.unpac.me/results/a41c44b2-190b-4f8d-8b90-8642c25bde04/
SH256 hash:
570e6dec1d80315fbb63bd6a7e5fd00847221428bbbe41618df4b3797a41d8a8
MD5 hash:
1409a8b5859cfc13905d30b37b6febe4
SHA1 hash:
0e545c330d510a35c95736671d323b27d4571ee6
Link:
https://www.unpac.me/results/a41c44b2-190b-4f8d-8b90-8642c25bde04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/570e6dec1d80315fbb63bd6a7e5fd00847221428bbbe41618df4b3797a41d8a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments