MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Spambot.Kelihos


Vendor detections: 9



SHA256 hash: 57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5
SHA3-384 hash: b43af2cdd4a5c1f8c8b4ec20bd37863759bbb5b19d721dc5efd502c6a332988143ab01c37063c5fe6bbf91a78ab7af21
SHA1 hash: 5c8805bd3c08d9866748ac033d9e0497bb84761c
MD5 hash: d4359d5d0bbe9828a1340fb1d8537a74
humanhash: salami-red-thirteen-crazy
File name: d4359d5d0bbe9828a1340fb1d8537a74
Signature: Spambot.Kelihos
File size: 7'036'688 bytes
First seen: 2021-08-25 04:42:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 98304:pAI+SlhLuZHUt0eb4gECc3TKnUESV/eqRrqmfgSmhML0CzSbquFwa1//NbAxg6gJ:itBUieh7c56qRTL0oLKw+NcA4BzicQ
TLSH: T10466332CB4841572E5A71F32988753B7F47BF39C4FE8688DB6D81618AC2BB014E7614E
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe Spambot.Kelihos

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://185.234.247.35/ | https://threatfox.abuse.ch/ioc/193640/

Intelligence


File Origin
# of uploads: 1
# of downloads: 119
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d4359d5d0bbe9828a1340fb1d8537a74
Verdict: No threats detected
Analysis date: 2021-08-25 04:43:24 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Connection attempt
Sending an HTTP GET request
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Connection attempt to an infection source
Creating a file
Reading critical registry keys
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 471132 (sample zEQyeKgNgG, start date 25/08/2021, architecture WINDOWS, score 100); the rendered process/network graph is not reproduced here.
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-08-24 16:42:30 UTC
AV detection: 21 of 46 (45.65%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:netsupport family:redline family:vidar botnet:3 botnet:allsup discovery infostealer rat stealer suricata
Behaviour
Kills process with taskkill
Script User-Agent
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
NetSupport
Process spawned unexpected child process
RedLine
RedLine Payload
Vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
deyrolorme.xyz:80
xariebelal.xyz:80
anihelardd.xyz:80
188.124.36.242:25802
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: RedOctoberPluginCollectInfo
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Spambot.Kelihos | Executable exe | 57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-08-25 04:42:34 UTC

url : hxxp://7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com/Download/GameBox.exe