MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5aa958dc21c0a3d83b4a10f8e709f0d1ae3f63fb66074d97c7224e5c5cb16ada. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5aa958dc21c0a3d83b4a10f8e709f0d1ae3f63fb66074d97c7224e5c5cb16ada
SHA3-384 hash: ac060e1069fae8dc796ed98389994cfcff24b67afb9f47b8599b8dd235b0bb7c0136612c168e5ed81cbc75cfb065cb85
SHA1 hash: db5fafd942912ca7ff9d807f6cffc7578ac75f49
MD5 hash: 9b1764b1cca5f1eb5946e182100681e4
humanhash: victor-green-potato-oxygen
File name:9b1764b1cca5f1eb5946e182100681e4
Download: download sample
File size:718'216 bytes
First seen:2021-09-24 20:36:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 99e1335f3817517f11962dc50cb29aa7 (3 x RedLineStealer, 2 x Stop, 1 x RaccoonStealer)
ssdeep 12288:9ZxnhgINwTujDlmcKkUnSqEKXpmyQc2BYkwCRGslkAITxc+2iNhPFd9dP4gXIrDX:9znhg8IGUPFcY2BYNCQslkVKiNhPFflE
Threatray 9 similar samples on MalwareBazaar
TLSH T1C8E4F1217A60C036F5B702F45AB98769A93E7E716B7085CB72D212FE5234AE4DC30397
File icon (PE):PE icon
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-09-24 14:51:42 UTC
Tags:
trojan rat redline evasion loader stealer vidar opendir
Link:
https://app.any.run/tasks/382869a7-b430-4072-aad3-df1bb0ac7b23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191280/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.23220.18891.UNOFFICIAL
Create hunting rule

Win.Packed.Fragtor-9895216-0
Create hunting rule

Win.Packed.Fragtor-9895250-0
Create hunting rule

Win.Malware.Generic-9895402-0
Create hunting rule

Win.Malware.Fragtor-9895682-0
Create hunting rule

Win.Malware.Fragtor-9895683-0
Create hunting rule

Win.Packed.Fragtor-9895692-0
Create hunting rule

Win.Malware.Fragtor-9895773-0
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3155a19d-0f8d-4d34-9ea2-c0b5b2db4fcd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/857643
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 490070 Sample: 3LNSjXtdQS Startdate: 24/09/2021 Architecture: WINDOWS Score: 80 46 Multi AV Scanner detection for submitted file 2->46 48 Machine Learning detection for sample 2->48 7 3LNSjXtdQS.exe 16 4 2->7         started        process3 dnsIp4 40 p6701.softemstore.xyz 172.67.162.27, 443, 49737 CLOUDFLARENETUS United States 7->40 42 192.168.2.1 unknown unknown 7->42 30 C:\Windows\System32\drivers\etc\hosts, ASCII 7->30 dropped 32 C:\Users\user\AppData\...\3LNSjXtdQS.exe.log, ASCII 7->32 dropped 50 Detected unpacking (changes PE section rights) 7->50 52 Detected unpacking (overwrites its own PE header) 7->52 54 Performs DNS queries to domains with low reputation 7->54 56 2 other signatures 7->56 12 chrome.exe 10 73 7->12         started        15 cmd.exe 1 7->15         started        17 cmd.exe 1 7->17         started        file5 signatures6 process7 dnsIp8 44 239.255.255.250 unknown Reserved 12->44 19 chrome.exe 16 12->19         started        22 taskkill.exe 1 15->22         started        24 conhost.exe 15->24         started        26 taskkill.exe 1 17->26         started        28 conhost.exe 17->28         started        process9 dnsIp10 34 www.google.com 142.250.180.196, 443, 49738, 49742 GOOGLEUS United States 19->34 36 gstaticadssl.l.google.com 142.250.185.163, 443, 49751 GOOGLEUS United States 19->36 38 3 other IPs or domains 19->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5aa958dc21c0a3d83b4a10f8e709f0d1ae3f63fb66074d97c7224e5c5cb16ada/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 16:59:38 UTC
AV detection:
39 of 45 (86.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd
25cf264589639fc27c6dc012e33e5fa8054add3915d9265e934d849f763e5b51
3d05fee7a89dfce1ad029562fa7b84346bce12d932214cde9b26f266d53ce49c
62a47f5b00fd13033debb845a6874afb640b98b09038a3d70a6f76d3de27bea9
a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4
aeb1bfcef382789091e72e2d6cae6e471123d0e8e7a5f39c64abf5a3d9a4eaa8
c2a307a15f392b72cc51b12a1061c6ad7a2e76843754ee3d2e7b8ba0bc17e540
f47a0c643ec5aa9d2b0302391d39bedfd675abd8892d5a2bd18b66fc303f66f7
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210924-zd59kahheq/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Deletes itself
Reads user/profile data of web browsers
Drops file in Drivers directory
Unpacked files
SH256 hash:
62701fe365cc2644d88d36574b663b8ea69ee4ca7c50450069e0c4b9007fa12d
MD5 hash:
a9be257eb251faa39ef792cef986416e
SHA1 hash:
cdc8c26025242d5fe94f1d6c19ee8d7beb364d2f
Link:
https://www.unpac.me/results/2d771483-ab26-49ee-a125-02561e07fad8/
SH256 hash:
5fbdaa6942b8c31cac996e309a8de8a545618d986e49f3dd208804b0b4d9c6a0
MD5 hash:
e58b6b47395d12f7be5b5859b128a13a
SHA1 hash:
9b365a89b85a4306acff247f1138408e9d5b3371
Link:
https://www.unpac.me/results/2d771483-ab26-49ee-a125-02561e07fad8/
SH256 hash:
c9761860c27baae19ae977efe9d1d2eb9c3279e792f05045b51046dd2dc3ffb7
MD5 hash:
9e761803fc99198716323f0ac9681a8d
SHA1 hash:
90dc44363ad873777e1d9c37e3c76b52688878d8
Link:
https://www.unpac.me/results/2d771483-ab26-49ee-a125-02561e07fad8/
SH256 hash:
da29c870d9ae1c5c3ab4e13277478e231412a8156d51b46635d32eb2197caf76
MD5 hash:
629f5017a6e8067cb621fa0167f9eef9
SHA1 hash:
5f4503ee9cef9675b25295842fda111b8ef3c5af
Link:
https://www.unpac.me/results/2d771483-ab26-49ee-a125-02561e07fad8/
SH256 hash:
c6a916056f26260b2eafd02e28372b3c17be0684144319ca850317cc9c71584e
MD5 hash:
268382ed587ff070a0a25765cc1cb2ea
SHA1 hash:
3f8290ac279405185e7d1e105362bd28de8dfeb6
Link:
https://www.unpac.me/results/2d771483-ab26-49ee-a125-02561e07fad8/
SH256 hash:
5aa958dc21c0a3d83b4a10f8e709f0d1ae3f63fb66074d97c7224e5c5cb16ada
MD5 hash:
9b1764b1cca5f1eb5946e182100681e4
SHA1 hash:
db5fafd942912ca7ff9d807f6cffc7578ac75f49
Link:
https://www.unpac.me/results/2d771483-ab26-49ee-a125-02561e07fad8/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5aa958dc21c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5aa958dc21c0a3d83b4a10f8e709f0d1ae3f63fb66074d97c7224e5c5cb16ada

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5aa958dc21c0a3d83b4a10f8e709f0d1ae3f63fb66074d97c7224e5c5cb16ada

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1642817/
Cape
Cape
https://www.capesandbox.com/analysis/191280/

Comments


Avatar
zbet commented on 2021-09-24 20:36:13 UTC

url : hxxp://2.56.59.42/EU/UnpackChrome2009.exe