MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 10 File information Comments

SHA256 hash:	5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f
SHA3-384 hash:	125d4996692a62d33a610b275d75ca7645e5b0ffb0903b3c27cd9a7d746f0f23aa62e315038524e59c2040b514c36900
SHA1 hash:	fa743df03be339ceb9886f378123866a1bbce206
MD5 hash:	636f22abea75530fe531784bcd0c50bb
humanhash:	delaware-burger-mars-magazine
File name:	5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	906'240 bytes
First seen:	2025-08-12 14:10:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:okA3LRhnkKmYT+cW5IXCVdwA7ETwrfreHW:aX2YycW5TdwqETwEW
TLSH	T11A15EF506D59EB1DECA523F0C870F2B503B57D686826E2094EE53CEB7B23B0C16657A3
TrID	66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.5% (.EXE) Win64 Executable (generic) (10522/11/4) 5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	b2cecca4dacc8cb2 (7 x AgentTesla, 6 x Formbook, 2 x SnakeKeylogger)
Reporter	adrian__luca
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Quotation.lzh

Verdict:

Malicious activity

Analysis date:

2025-07-22 12:01:41 UTC

Tags:

arch-exec auto-sch-xml evasion stealer ultravnc rmm-tool exfiltration smtp

Link:

https://app.any.run/tasks/e1d3eb3d-32d6-4573-91d0-6201b5708765

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/20545/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689b4d41fca70bd90e8f09fd

Tags:

masslogger lien spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Launching a service

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Stealing user critical data

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e9c25025-62ed-46ab-8457-f9949fcfefdb

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f/

Threat name:

ByteCode-MSIL.Infostealer.Pony

Status:

Malicious

First seen:

2025-07-22 08:45:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k4y4enxkgrqb36ce4vxfubtid4vvnljmaadg4eaetoywuvyammhq._file

Verdict:

malicious

Label(s):

unc_loader_001

unc_loader_037

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/250812-sfz21adr9v/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a251325e-65e7-42c1-bc69-7ef1ea000521

Unpacked files

SH256 hash:

321c0ecba7d8bfa67b3e3a47fb3978bc9c0d86babad2fd196becbcc5ce6ca5a4

MD5 hash:

4e37a6d4a1d072f448a41929a4fff0f2

SHA1 hash:

54ec55b1f8151fa5cbd66fcd704fe167871e4d7b

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/aeab296e-21ac-4ca4-98f4-312eeb5608bd/

Parent samples :

0094fc5c570fbe55996557919c14a19aef098d14823b68a815f8d41757cb3684
e74447674de0d55b2b2cde2c6bde58806c411c3f0304d518630bf850145f2cef
8338252e1b1b007bfb5317df49e88c9aeb3b7f8206465c2e84f9d2d949e7cf95
cd6ead626c8b5df6f95887fba78fd19cd506716eff119c050f8083bb8b7efe87
eaf06d0161d881f32c23d38ed02cc8112f302367b96b588724541b0c7788a0c8
b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e
0568496f5fe35ca41b4a979106cac8a6ef15f5a0a6725fd4786795c1d2de152c
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
8b4e5f9c54d037c26559bf5c120c1a8a6f4a9c214c4f20ac44368857ac1bf260
5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f
1220ac02f58b92353d39a8835a05d509f42244112eea97a789712aee5c22eb85
237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5
14e7936882debada11baf4d5075cb0f81c89257464a35a53012ddd4c18fefd63
55edd2620490e0aa9f0a40f4183a5959a1a5e35bef971399b6703cdc5e817894
ce241e344c9db9df9c0f257fd145c6a676429d315bd0748f89a4ab8657697798

SH256 hash:

f3519b7324178fba50f3c0360fd78a2031ad81b17852e90657a06fb5d49362a6

MD5 hash:

450b95e855a947bed6bb39b15602317a

SHA1 hash:

5f0714570eefabfdafe70071f05ecdc71f4d9da9

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/aeab296e-21ac-4ca4-98f4-312eeb5608bd/

Parent samples :

1dd0021ea8fc63fd5576b92848053f8c125944f4aa28197693b11672223c881e
e04f83f2d0684b8ca6864c65fe3965c358aee7beee26cabd33beaa1e94c3d2e1
eb54ebd946de089a842c01f8f72e8d74e7308f22d01b1c5e422aef85807494e2
c893d4d4e7bc91f14c350b66f6ee3727ce54605da71211870999a3dafd6218f9
ffa2ef64753d388a36eef4da1fe88cd54a1f823483445c97c016e984bfe85374
9db5517deff1c9950b4f5d1cff7ea67ff1c83a2c6330e4d7c2267d30252f7b5d
86c3e32ee0df4a00ace137b2c5392f1e86dc50d80e3c29b04915c495fd6f3475
3b97bd64269de273033970ca786f468f1a397d64f4cbdc86289b7a418a196c33
744e016edfc466927f2b7955eade93b58822a6b3bed09794d47f412831d84728
057e5f4fafbf1a293bc9e8b711c23d88b931522bdf08c51ac18723a43ff625d4
f2e0595463196470692945a3b90a3de2a8d4b22a5a3cef610c0a9bceedce3db1
c6cd12aefb61eadf7e46c05de445a63dd5ab74d46b28495f3136c64c93513e0c
5d15d1f4fc9001ab14cfd8fc7acc86aaaf6ddd51e1054dd6cdc387544b657559
50bee81de3e9e73ef381e154620e5e81a3e8aa2d62ae88efca8e56d27feaf1a0
49c288bdd977b430764c2067d4e25cb45dbbfb55105a080458af03221e776f63
a6a9b636acea176d2d225f18d8f28797631b1ce4c5b2e46ed4cbe18f1a71fa6e
6d0143dd66ca4f5b6d342c88feb3a564c81e18e3db7805c85e7f5895acb059bb
dd33f8080b6dc03098609e93e5fb3cf8345c60d9cc980f336bc495f234712d35
49ef1d66eb97245c704e2e92e369ae6b9d5dd5319376b136dbdb297196a472af
efd69a0ac7b81d3d2fe4900b06a98066f2517e0d9364361d396e143d6f90d128
1fa3c4e703405564123cb7d433d69566075ae20b4ba894c91681b0f55b14c14d
e8c55f45805066a63c2f467849f5e055b159faa1a818e458d1c78a76146b3a60
8df390f196fab73f2bae64890816a0045d987cdb9bdee34a2fddb504dfe82234
35c8388a3b8fb7c09ee5786f1bdcfef5a30f04563624dce11d8a2b943bf3a614
741d07fc375b6ac27cabb27a08327af7044741d485af7070c3eb1dde96c08d40
5ad7ee9c5a5165a10dbc330483b45ab27e26ebf8023e8f8c2bd4d8529feb5dc1
89b5724cc6f47227d806e6383d1da6534f28e1d3be5a914c89d3fe2689c6a1f8
4cc4ef1db310f70a8f0a7b8c316e7701ffbe9086d75d5bec6f7a8cae9502ce54
b7e7bc4e1ecbab19a0f5f2e51abd0cb7d6d3beed30a9edc405e71751eea35a6d
30cbfa02438f1323a65cba36353b3f4b5754480c1a8d53a8a96459063e957c84
81bf08f12cdd41902982c5bfb43b2ebcc327a47e24d8d17a085349081138c1f7
c0676910f1362864201df2da6fc69db6b679c8ba7fc0f66a2dc47c2236142bce
1a8cae4d0b7aed52a77e8e33770bfc4148c5766b8f4e24614a2953b5e931ed35
1a60823d2507bf095559dd725fcd7d87c20c98c61bab8c65551ad58892095909
b56564440c97e239fae221a1bcc221e620beac2117a81f05bed47936f51f86c5
6a2ed18bf270a3af67b3048a69f8e601ab0e6d9200a79183ff3bf9f4daf7b225
deadfb57cd54af6fc0fd10b8bdc065b67a9b43eb3868bb1c9442572f0efa62b3
b2d5d9d3c3bfdca561730af8e3cedf26a7a8863e8ee2b7b2e0b5ea8a1aa19636
9973a4893b1d9286439f7fe307592e9efe68d27f769c8de21727aeb1426be787
0094fc5c570fbe55996557919c14a19aef098d14823b68a815f8d41757cb3684
769faad4d101ca7d2c112be380d8c23be716a5a4ba2febe06a0ecc38196fc2a2
d27348a799f87eea272a85478ee75657d29ab30367b493368d29f4d2f20d4727
e74447674de0d55b2b2cde2c6bde58806c411c3f0304d518630bf850145f2cef
e71ddc6968d16669b1cefa0d300fc06f8e8ff2c59acc60f30dbd88217d931c0e
c260d4d3424207395916f74a9276a07ef80c9fc4b580b1815f8b5d22a9cb582b
019f809d35950f9c45a9f2b33b2fa85b17829481aac37124b28478c9f0faf71c
881a03adabb46296752648b7bf93ddc112672464b19022e5e4d807cbeb5435ae
160fe75f8db44c72ff8f98df4238f196d783d78b605eafee68a9bf48224dee98
9fbed6ca2290ff9c03ce544faeb7c65be1e114070414100f5169ede53c918d3d
d0434e247474e854773c4577c0e139af063665c3c71dbf012628b89f2b42d3a2
ac68239a14d084ecf1bc56f98f80073ac30a3f9f08e4279329f7626da648aae2
ef91e44f0b82089f27624e313848ce58878807eb0584c6f8adf943c575e7fba2
ce2a1e75336f3a8a1538a0019aaeeeaa3b69ee6fb86d4427b17d7d985fce4901
79865785eb9723da8edd0f2355e3e5eaa284090bc2c12b4e553121a9a4a53118
8208d70472361b29ee7a71a31ce3231ad68eb2355f6f7a66a2ffe3470d6de43e
2cf509961fdf76bdce189a3216b441dca91f858527062699d2ed55487aba80a4
efe869295ac3b949a986cbb03bcbce50d8cdee27d904592d1f5915a59d604422
04622020a45463744984946bfd38f4bdc01af96087ac784a790db1f1009157ab
948a49335d8343153b509abbad3880b9f7a7c18c133551c638ea026c73a6226e
282c71a915fb16491ac0ca5e5bc43ec8079ebf6db203d880d2b40c6217782807
eb5bbf26af55849a6308af378047a9130006b3e90ac3fe80207371607d586672
152be6a2be012d6fad53c047978748dc01900bcae8e86b6c337b0e8058dbb3e6
7c770feb62e46be197fbb56da6e8eba885b433cfae93f5f9669712c7e3d951dd
f8cc61c1b57d3fc2e254b4ea25cc7a6dc10fda0dfc3f4de11e7b5a518b1bd402
489c3b4e65ec46019d1b57f2485c8862d3904e85994280a41d5271903386f07f
77b83e393ef87abb079566a928461c6348da9d6c3ab029d8781d97391d94adac
6a9f51fc80910555c294f00fc1d99907b22f0321f2a6b3db67a85192caf1a6d0
70a576a39497248cdc4e1510b0b210abc5c4fbc702fe00f69d4ed1f6f50ce7f8
ec81c38ff89da4f91aff94a7ae635adef1e8a4eb07f6ee5eb3f1908e33fb1a19
7d282a1482db57d407c29f6d4198773712ac7a22686f3716c8c655bac7cae268
b7b1ed68e613b5465324b715d04c711d03bfe54223b5dd450eef96d23ae9de96
417c165a04979b22d52eeb3fda53a4b6a699f80c3fc89a69fd408ea0fbad16ac
412934cdc4794191987bdee6aa6161dcae7ee21c5ab62c25aba1c9604c4ab0dd
7a9dfd4083ac768178f01c34659480b81aab334e087b91fe1055c9c43b8ac9aa
99d71c0bc33e95d7a229b32d3f55964f0e0b083fa189fa808b72e340f797b818
3d5a3fe3a54a865807bafa5facb473440da44415efa328b4941dd26d0c4065a8
c1d59d4290604980ef30e6b5635108258a206354814ab0b447a2c70f9c7b9cd7
f23512e02ec9e4ef0e85e110cac1b8777f7f0db6da73ddad8451560547e36ff0
3257b7bb84593414de08c5f7050cb38f4b1cbaf3022705ac071974b720ba533b
8f4137c1511c9ef89a6fe06bd7a2e0ca79c0306775cdc3e8fb3a603c01ab53bf
a49cad8202799fb9d9a5c7d98bd39fc2b967da62a99be1cb1c9856353d747e76
63026f72f41c3da6c760d599525fd38d2fd3c067b6d88b0c25e893785d1911da
3bbe94e388c5e4d74cbf909acffeb608904eca5cc548b89262dfc135dd86ea83
37cd053124973d351eba289478ef51493ca8d8e73f1b3561fec7fa5f278b4c63
c5731cdbb8604adea26e561124d3feb93d600d6062357a7fd3231478a370390d
e6bc3c7660a78a0cea6dca54163039daef66c904409baea3bd79667657270749
b7da4b2bd1caa35f1940adbfa56ef8ff5fc6d7c4ebd49716a188fe480000e530
b7becd06ed5d7a5672557ac209ac03e69055c94c25d80e44a46670b01f42955c
c5f3ff2435c7f3fe3a08a1b762a2046c9e0a34fb3c8117c826d6b9970bd299c5
7ffbc8a42a1ad362989b7098ecad4392f1c2a18f49a294932946ab99ac54368a
22d7ca89918de5ad403867dfc9b0fcae5f3f7c2b6f91cab12f1cc444fedd880b
2278589011ac08c34a0fc7eb9a116f7b348605a9ee28a5d8e1509394f4f35089
a7a427b9b9f7ce1d847bce150139c546e43f61d49c637ee425d24f52803d47c8
8338252e1b1b007bfb5317df49e88c9aeb3b7f8206465c2e84f9d2d949e7cf95
81f16350767ce770055b3629bf915511bb0bd63fdea739d0bed336fa75f6b551
4aa035616ed50d2ca3d86455ef14e5c306d072b3942d25ce570b519b0cb142d6
a8cdfa7e2c10da2b86a2c1824415310726630037cdb268ff2a40763aa811b632
9278dc6a1b10740f3b00ed2be2f00eaf35d3adef17f3c70695fd25cd6ac439c1
c4afe513b1a779d8665a35329cf95c8a5d0d5e6b3925b5af4643ad7cef283a7d
a72143b5769c74747fa3e9d4e6ecca69f9df376b4d8623fbfaf6cb1629bb8bd5
e7274ea8ff50007cdaa3585479d0329920520c16b8424eef5fb8b67ff5c1c8b5
8dc78eff027e8905701bab87ee6d0158988bd624bf31e1d734cc8371f2877838
1e6a20beefa219a71e74f86c55a894b9ba5b69e078e7dc0b0ae65bf5a115489a
cd0d409ccf5fca51e470a6248ade7dfa7e184820294e2a831e888c7d56ed8a0e
3b82841f90c2399ad32af068c7461b1b62039ddcb2f4c597d25c596b37e48f8b
0b5d9aa2bd595e87142227888824aeb7e42b5b3b4c67718fd8001b40575581a6
29a8e6a6d00c902fb249248cd1094e22b3041a87b8b60d8e2cb01d738f4931ca
4ab079696054cf52e0e1a470f98a30f61d628e5bbb69aac6ee60c88deb8843ed
3bd1423600d0763fe0ab5639d0623463cea418ecfc4967a69418e7f8afaf7621
07ef1f0d2150d1e1e0fc070061f387899b0e7c66faa502cdf9da770a730bb1f4
e0f8299e376635dfa8ad50213255a999fb418936c322312c042b42399165df2c
2fac96da4fa6e3190b5aeb5fb672bd2353fb0ae33fb5ae3430a347373addfa7d
3b4f2be2e11dd739f806a4fabd11d75302cfcd01dd82041dfb9367f96590c2b6
32ff5c52ef67ccb5520286787e5875b411e84877860fb4e9b0a53bee6cd20348
f25c044dd471991df3a8fd7ffdd3b0298454309d93882958afa02533d2e93e05
9bad830196ad87ad3561962b28208053792bdccb538c10aa46e7fea76adb300f
f800dc83f7940aba00cfeddcea77ae45a363c8bb242dd9e1477c5a7ab2303b26
38cdc9dad1bbefd14ea3e4f08dd721e11fe5b22bc8039b44714418a614c0f595
b98e000445a9449403003ee760b283e461cbd7aa63080d9981c740be908ec356
8fb46c0cd46a775f5510f5b94a0b579b023ec485137196d70febde274e7b2f57
dea72dfe120fd7ace84ced315abe9ff76a06bdab418ca17c5c04e358676b9dfe
f693db1218d19063d65f0617d326d298f67233cdbc4c3d3b9943987a91049508
b9cb68c5ee8eba74c54c45242cd0fddb6191b5488659ffee0adccad2d38d12c1
cedb9ab81e9912662907d238b24aa684a50da9ce0293f3a5ade6a92a6585e649
9e0cc54e0a325f35de7bd1ae2a15de27ded52f98c08f236af8b8e67b0d60b43e
59cc5fdbe163c5b3e62b4a9ab7df9f72c560e7bb978557d2111a6a1e3e21d691
4fd17cabd75688a8689188dcd5c1290f2075839a9d1825007e1df05e5390f4af
478fee9c40658dbee561fcb81d652bc152d38384b0a6e9905a026105a2e42930
f74e2292aa59f3887ef2e53c94a8f4ac6dda4d96907f45f2dd6018c1e18d6035
65402a7aa85775eba8a6676cc281ec426b0e94fb1f32b9bc625718ade8010f1f
78d09a95f6c402fa6021aefad287e8726b53145ab9d575069f69a41bc29e48c0
27bc76d9371b4b42a83ee6a8a13359ebbffc5fa956f6f074a2e6bb92a117713b
fb39d5e33289245077e8656566d5b55d8b03c09765d72ef55485fc6ef8b4f6a7
b7eab5f19a05b4dc7dc0d210995778e5c74e0aac6e26c740e3a7593774c5d8bf
1f3fa2be48b42d1aea6fdf4c2cf9bc8de2bdee0db74214aee951081b611fdbd7
10b1e678c178cbbb2dda0b5a981d24654fc0fd8211e02b6b315f9cee74d11b86
ea6d24e9fa0a851f4db1736d6100c04bf90713ab63a0f05e23c6c8aae77ec5cd
deda21016ef825cc0df5367d8b40fa1b181a951fe27876a30775b5f9ad777bd1
228d5b79c332bdc4a4d604e22570c0d51fab59665ac0608a4b8242473218a672
a3d56cabd8b53e8273fcaeb5fe5fb67df5b2845a88764f8817f59edfe8b9a4cc
8925bf200e0cbcd6b3615a07250d8d5013dbe309033af7256a4abc93b9225e75
12a5b7f9e8f2ff795e57a6f6550dd793d29cff3fd5a914813ab682fa4a4c7d78
323378dbca5ee14637ea3690b436b90f0ce5b3894051e9f37bc5f4a7b046135e
7b544ccaa0faa1e36c64b6fe56829bbdf428fbe5758361e93fad6c1a87679cf7
2fe9c94efb856517f92bb543c65901ec76b46eaf1ea0d8ae7ac7bad689b9a0af
cc5f0d88e7a634abbfec245547371894e7a617187bb62086d6a7d2fde41982d4
1cf210fbd992ccaceed3a25edb6dbb86c904e5518d3f62d91287138dd51c1bac
77b4e081c839664ad7d952d4475434a52bd94ab42fcb73b898e24514892f57ab
7859144f1586edb705317225bc448262aee1b6a5dd33a17a75338d2458473bd2
1d140bafe5d20cca9ee7d5a111ae63960694f15955f6feeaf43edb54559ae8e1
d4e9b201d25baa1d9421d44c3d0b95f71f5ef7faa6944d75414fd61adb1d897e
1d7f6f56f567e0b079f9f7c828f2384de372fbb3a43bb9a420c4979c48ef3d6d
f206bf4656c5745014977f86d15cb05ab35da6b582343463969747d18146f1f3
f199e8a011ce9dc5c0e579358241f64e951ea530ff27052ebc41f09f1b6546b1
cdc314f346d72dc793385aba0bf05f62206ff6916db4619431c69e379ac9dbbc
785d18fbe268ffc3282fdaf471e46eac4dc46d22a33a359c81395da09d0b37db
5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f
3ef0dfc4b0dce97b488f8f54c19f27d1860367d76a09c00aadc2284a27b1c1bd
9738dcbc69c9e6aa0bba8f74c87ef7533af09f539e105fd19f8eebd8151682d2
2a04d12984e5643f61616c4f1cfe1f5f72c4d7e327fb3914a6a9396b76d69f7d
1cb4254b1a62245b30f20ccffbefb79c36b1ef324c6d401cfb6d48ddb00ce6a0
38c2618381541fa79644a0425c1179a9e5667eecce76b3f6b63da719694339cf
e10958007f3b248b76b6423fd3d3567961a3c3b95b9237c247bf4a36a4141984
d5b0da49ea0cb9f02688daaced18dafe9dda4038b649ac44b8e8bd5ae750b122
3f00459bf84d76e5dc3affcbb5211d3d1ca3e083674eaaf6e8c7137ee7dc449e
c75d0dd517c95d24288b71934a0bab7d6ede632eb13af2b142099c6667bf0a6e
1220ac02f58b92353d39a8835a05d509f42244112eea97a789712aee5c22eb85
f0b03fabef2308dadb12ec33fd972048552275518d3830321d4f79012c70578e
8a9868a699f100c367c96c73e1db3135fc915218db42a596458bb109148f7caa
ed1b0cbba209aa95d91ce6d8991afd7982303335f96f459ac9b6b10257c6693a
bb2402bbb7d4563920c4fb18b2f1e2cd016ee87bf9f0a278787fe1654f12d073
bd6ca74d6dc83d0ddf0caa8084facfc3c8dc2bc0882388ba4cf4884a61289524
d02110093b567b37699be31053e454e28ced6e5fa9796ae4fef877f261ec27c0
4815c4b0a11e7bd4bac2db7bff612905804f5ec2272a6c299f842f572572f135
d9e52d9da6fe2b3a961b9bc07004f8a02190f41b17f6ba0473a1325d14e249a4
4597d6374ea637ebcdeb17f5a89b68f7453fb50f718805f648649a2eee72b4b5
bcb809eb36703d28e5175d02dc171bbb82e4459d0d29d1988f490cbe28cdec96
d7ac2f6052c4dcc2749b419018ec5fedbfda677a93da146c26088b0f38d4dde7
14e7936882debada11baf4d5075cb0f81c89257464a35a53012ddd4c18fefd63
90849d86ac7bae351db2917f30c435f8f55ea15fb78cfd04830e598b3d437611
677aa5345f44c45dcf71c85392c2f18b0303f9fb77ffd202bed000606eeefc99
18bae3ade8cb51814a950f4275a500a7105278618c03f27b71494624fa193d30
39257a3171d288b46ee3fa4572be28b0cf1ea8997c9de7e09d692cb7cf09a18f
770013d433ff93470a1c3e3aed7fd7d9dc38725a6b8f95fcc58af900df9b99d2
8b45845bf90a11a1cddf71ad83042a7908e1a721a1e6db90ca6cc7f6600f765e
4b1914795fc885bf2aea6ae4df1225bc2c04f2133e5eca3b44153ebdf743219d
dbc17925f6b344b2f803d81256644eb38d06d85cd87853d4b62f43d14eb3b9a0
671f711a7864063b26897c6bc3114327671e9a85d501c6819b3da16ed401ff48
2c47279be65dc9cf162c20dadcf90215c958946212f52daa6987e2cf30c61987
886e7723b559c601c9d00e21bb016d5a4aeb00bafd267b7a1939b7b30b18ad50
e980147feb749704db2b218c9bf20b80d8a616fc70d3a75a1b4f1f7c0b03b0d1
d5a9a7dbe3a40bf7875cf82a4a36537e19334394d9e765f7b87f07a24cc6e5c8
d78998da684d655070bf9e220cd990e914869245b0faf4592afc1f2c1182de0e
cc0be9f62a9bd5e8568699ba597b1995608b1edc99f79cd2068a2c4ddd5e1b1d
8bccbfd1ffbab7ebcb280e2d9a00e3060b35a39a8ee1567f6d50e9252631ec19
b792318331c4178ab12eba584e625fc6ec9ba6a69adfccd7f78b4b6380494593
ab28a9c31b3ae251c2a88c963a87941a788062b5ed20b5f546ed9243322ea263
c69a7800b5482d1e8e984e2e5ad548e057e1e9236e3ba937b167833e9c3302e2
c42f5c842ada25aeca1ec5153489f23c4cb25dee1df1f0235d2b6fd7bcc0d05d
9c259077adbc15c9fce702a70ba80d6824b3f38b6c899d68f19ef516b442603c
9a68a7bffc93071a4594bed91ff9289e85038fa452e511a6466c2725d63fbe73
881782dcb1d8eda6949c49e10d755a8f9bd72a5d9b23bd88a47af3e21aaa3e9a
d51c25d9940b7f3adb8ce5c9b753e3b43982f55504780bc217dfa1928965b159
b78ac7ead04f796c03a2720933cfabd9ffcce365477ef0f9061fb02d9eb2d19b
698e40f255d340d4a643b5838f58207934c74a3ad1ed881148cf589548f32a4f
c0d097b0b4cb4d354e6a19d7238762c181eb408ccfba7bbea95c142bdb0b5504
4c2d6b024e7af04fe1a42d5afad603b085bf37eff5f3a0b9d59a42b3c2828cc9
f4080676cb63d2c4297e0a38fdddd176f57bb472a93eb9e32a642e3eb55bb0f8
42297810b91165ed7fb3c30d157f94fed8e1f166b94f722d39a98dba01258976
d26ca3593d9b0683f5f32a22c7ae50211391b9b230d9f90c720d4e17b9847983
bf4f6390dc46a09ecb8ee5f35d6b0ddda41861d5ee12b106e9faf2b0e34aa749
f7d2aeb3c3f8d1bec48bbf92745cc52825a00a57dcda82d2b4ac2f09c87f373c
7c0928e18f60a6243e7abd515416fca912827e2929410e30834b0ccf31e03f64
74f8f30b48c4b6306079aed81544bf568cc676b6b678af86874d22b6ece70915
156aae917468256389912d703f16f156f9089c881dd54265b67dbc844f0cc6de
a126609f1200a6789ba34e458e6e58cba14d939bb2823fbe0b4b25397463c0d7
4195e137b692e92936c05fd47ca8487c89ae26bf80de290636b7890c7bdf4316

SH256 hash:

ef2f763b0b000e58429a6ed378e88317a2e8e1f042846704f88f3a65efd6a6fb

MD5 hash:

281189a7faf7c1b662e48f384843d5cc

SHA1 hash:

6b60164066ba67404dad1e215d605c2ecf8ecdf5

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/aeab296e-21ac-4ca4-98f4-312eeb5608bd/

SH256 hash:

7802240a7de0426b64f0bce2b382c75653962d39941295fc148ccb705a15a520

MD5 hash:

d5fd3313654d981f19ad78eacf68dbdb

SHA1 hash:

8c32322d26485bb69b5a07b423ebd7deb983551c

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/aeab296e-21ac-4ca4-98f4-312eeb5608bd/

Parent samples :

0094fc5c570fbe55996557919c14a19aef098d14823b68a815f8d41757cb3684
e74447674de0d55b2b2cde2c6bde58806c411c3f0304d518630bf850145f2cef
8338252e1b1b007bfb5317df49e88c9aeb3b7f8206465c2e84f9d2d949e7cf95
cd6ead626c8b5df6f95887fba78fd19cd506716eff119c050f8083bb8b7efe87
eaf06d0161d881f32c23d38ed02cc8112f302367b96b588724541b0c7788a0c8
b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
8b4e5f9c54d037c26559bf5c120c1a8a6f4a9c214c4f20ac44368857ac1bf260
5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f
1220ac02f58b92353d39a8835a05d509f42244112eea97a789712aee5c22eb85
14e7936882debada11baf4d5075cb0f81c89257464a35a53012ddd4c18fefd63
55edd2620490e0aa9f0a40f4183a5959a1a5e35bef971399b6703cdc5e817894
ce241e344c9db9df9c0f257fd145c6a676429d315bd0748f89a4ab8657697798

SH256 hash:

c2a49ce4c45a706411c07535e2ea1d067bea53648f52e53364963bdf70f1f4e3

MD5 hash:

0ebd6bb2a257adee41c18e057b98f874

SHA1 hash:

c5be07becf5e6a9ab35df15d22af1d316ab29b2b

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/aeab296e-21ac-4ca4-98f4-312eeb5608bd/

Parent samples :

0094fc5c570fbe55996557919c14a19aef098d14823b68a815f8d41757cb3684
e74447674de0d55b2b2cde2c6bde58806c411c3f0304d518630bf850145f2cef
8338252e1b1b007bfb5317df49e88c9aeb3b7f8206465c2e84f9d2d949e7cf95
cd6ead626c8b5df6f95887fba78fd19cd506716eff119c050f8083bb8b7efe87
eaf06d0161d881f32c23d38ed02cc8112f302367b96b588724541b0c7788a0c8
b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
8b4e5f9c54d037c26559bf5c120c1a8a6f4a9c214c4f20ac44368857ac1bf260
5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f
1220ac02f58b92353d39a8835a05d509f42244112eea97a789712aee5c22eb85
14e7936882debada11baf4d5075cb0f81c89257464a35a53012ddd4c18fefd63
55edd2620490e0aa9f0a40f4183a5959a1a5e35bef971399b6703cdc5e817894
ce241e344c9db9df9c0f257fd145c6a676429d315bd0748f89a4ab8657697798

SH256 hash:

5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f

MD5 hash:

636f22abea75530fe531784bcd0c50bb

SHA1 hash:

fa743df03be339ceb9886f378123866a1bbce206

Link:

https://www.unpac.me/results/aeab296e-21ac-4ca4-98f4-312eeb5608bd/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20545/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample