MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bbc865f0347c81d627eaf6d11a2e7f34403b7ab4d12dd860af4b6fd650d41dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 12

SHA256 hash: 5bbc865f0347c81d627eaf6d11a2e7f34403b7ab4d12dd860af4b6fd650d41dd
SHA3-384 hash: 4b05eb485014a578d73708a0dc2f1db3300fa8c7f4d1f24740e7f73597348c2b264708d87df77cfb83ab8b1cdae79eda
SHA1 hash: cdb310f7417f150c0632e5739783b1d25b3a020e
MD5 hash: b4c9e5e0d6c7bda7586e4c8cf80ce549
humanhash: pip-lima-hotel-failed
File name: b4c9e5e0d6c7bda7586e4c8cf80ce549.exe
Signature: GCleaner
File size: 7'165'809 bytes
First seen: 2022-03-15 05:26:39 UTC
Last seen: 2022-04-20 10:22:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JTQasSaycxELWYzIjTkDXAsVZW34fGZ3Z9wXjd:JTzUycxERzzDXTV1Gxczd
Threatray: 6'726 similar samples on MalwareBazaar
TLSH: T1B0763312B7F4D527F0F416775B5F12AEA4A8E06420D1276081843E4F34AADE4E5FEBCA
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
45.9.88.246:43235

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox reference
45.9.88.246:43235    https://threatfox.abuse.ch/ioc/395246/

Intelligence


File Origin
# of uploads: 2
# of downloads: 270
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b4c9e5e0d6c7bda7586e4c8cf80ce549.exe
Verdict: No threats detected
Analysis date: 2022-03-15 06:38:48 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe manuscrypt overlay packed shell32.dll spybot
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SmokeLoader Socelars onlyLogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected onlyLogger
Yara detected SmokeLoader
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph (ID 589197; sample gbC7tqLvqe.exe; start date 15/03/2022; architecture WINDOWS; score 100), rendered here as a process tree. Numbers in brackets are the graph's own node IDs; "dropped" and "network" lines belong to the process above them.
Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 17 other signatures.

gbC7tqLvqe.exe [11]
  dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  setup_installer.exe [21]
    dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\...\622a4510b1304_Thu1879b8faf.exe (PE32); C:\Users\...\622a450ed2f39_Thu18540b859.exe (PE32); 16 other files (11 malicious)
    setup_install.exe [24]  (Adds a directory exclusion to Windows Defender)
      cmd.exe [27]
        622a44d66c12e_Thu1824f64b9ab.exe [36]  (Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Disables Windows Defender (via service or powershell))
          cmd.exe [53]  (Disables Windows Defender (via service or powershell))
            powershell.exe [72]
      cmd.exe [29]
        622a450b36b18_Thu18a874e729.exe [39]  (Antivirus detection for dropped file)
          network: 208.95.112.1 (TUT-ASUS, United States); 45.136.151.102 (ENZUINC-US, Latvia)
          dropped: C:\Users\user\AppData\Local\Temp\11111.exe (PE32)
          11111.exe [56]  (Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file)
      cmd.exe [31]
        622a450ed2f39_Thu18540b859.exe [43]  (Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade analysis by execution special instruction which cause usermode exception; Hides threads from debuggers)
          network: 2 other IPs or domains
          dropped: C:\Users\user\AppData\Local\TempDDDE.exe (PE32)
      12 other processes [33]  (Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell))
        622a44dc1c4c6_Thu18e8fcba3cff.exe [45]  (Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration))
          explorer.exe [58]  (injected)
        622a44d7ca762_Thu18a178c3.exe [47]
          network: 3 other IPs or domains
          dropped: 155de795-79c9-47bf-906d-975b2c602bdf.exe (PE32)
          155de795-79c9-47bf-906d-975b2c602bdf.exe [60]  (Antivirus detection for dropped file)
        622a450e3539f_Thu18e38482914c.exe [49]  (Obfuscated command line found)
          dropped: C:\...\622a450e3539f_Thu18e38482914c.tmp (PE32)
          622a450e3539f_Thu18e38482914c.tmp [62]
            network: 151.115.10.1 (OnlineSASFR, United Kingdom)
            dropped: C:\Users\user\AppData\...\5(6665____.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        8 other processes [51]  (Creates processes via WMI; 2 other signatures)
          network: 80.71.158.165 (PARKNET-ASDK, unknown); 194.40.243.90 (NTSERVICE-ASUA, Netherlands); 2 other IPs or domains
          dropped: C:\Users\...\622a44da5a1b9_Thu1858c7be86.tmp (PE32)
          622a44d93a554_Thu18f9b844.exe [66]
            network: 104.21.40.196 (CLOUDFLARENETUS, United States); 172.67.188.70 (CLOUDFLARENETUS, United States)
            dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
          622a44da5a1b9_Thu1858c7be86.tmp [68]
            dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          622a450d40418_Thu18a65a2d479.exe [70]
svchost.exe [14]
  network: 23.211.4.86 (AKAMAI-ASUS, United States); 127.0.0.1
svchost.exe [17]
6 other processes [19]
Threat name: Win32.Trojan.Gloader
Status: Malicious
First seen: 2022-03-12 16:50:01 UTC
File Type: PE (Exe)
Extracted files: 309
AV detection: 31 of 42 (73.81%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:smokeloader family:socelars botnet:mdea80555 aspackv2 backdoor infostealer loader spyware stealer suricata trojan upx
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
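The behaviours reported above, both the Joe Sandbox signatures (Adds a directory exclusion to Windows Defender, Disables Windows Defender (via service or powershell), Creates processes via WMI, Sigma detected: Suspicious Script Execution From Temp Folder) and the second vendor's list (Executes dropped EXE, Kills process with taskkill), map directly onto process-creation telemetry. The Python below is an added example written for this page, not MalwareBazaar or any sandbox vendor's code. It runs a small rule set over Sysmon-style process-creation events. The events, paths and command lines are constructed to mirror the process tree reported for this sample (setup_installer.exe, setup_install.exe, cmd.exe, the 622a… droppers); the page lists behaviours rather than the exact commands, so the Defender patterns (Add-MpPreference -ExclusionPath, Set-MpPreference -DisableRealtimeMonitoring, sc stop WinDefend) are assumptions about how those behaviours usually look on the command line.

```python
"""Process-creation triage for the behaviours the sandboxes report for this
sample (Defender exclusion / disable, script execution from %TEMP%, process
creation via WMI, dropped-EXE chains, taskkill).

Added example for this page, not MalwareBazaar or sandbox vendor code. The
events are Sysmon-style dicts constructed to mirror the reported process
tree; the command lines are assumptions, since the page lists behaviours
rather than the exact commands.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\b", re.IGNORECASE)
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
# Assumed shapes of "Adds a directory exclusion to Windows Defender" and
# "Disables Windows Defender (via service or powershell)".
DEFENDER_EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)
DEFENDER_DISABLE_RE = re.compile(
    r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true"
    r"|\bsc(\.exe)?\s+(stop|config)\s+WinDefend\b",
    re.I,
)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, image) for every rule each event trips, in event order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        img, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
        if DEFENDER_EXCLUSION_RE.search(cmd):
            hits.append(("defender_exclusion_added", img))
        if DEFENDER_DISABLE_RE.search(cmd):
            hits.append(("defender_disabled", img))
        # Sigma "Suspicious Script Execution From Temp Folder"
        if _base(img) in SCRIPT_HOSTS and TEMP_RE.search(cmd):
            hits.append(("script_from_temp", img))
        # "Creates processes via WMI": WmiPrvSE.exe is the parent
        if _base(parent) == "wmiprvse.exe":
            hits.append(("process_via_wmi", img))
        # "Executes dropped EXE": a PE in %TEMP% started by another PE in %TEMP%
        if TEMP_RE.search(img) and TEMP_RE.search(parent):
            hits.append(("dropped_exe_chain", img))
        # "Kills process with taskkill", scoped to a %TEMP%-resident parent
        if _base(img) == "taskkill.exe" and TEMP_RE.search(parent):
            hits.append(("taskkill_from_temp_parent", img))
    return hits


def _ev(image: str, parent: str, cmdline: str) -> Event:
    return {"Image": image, "ParentImage": parent, "CommandLine": cmdline}


TEMP = r"C:\Users\user\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed events following the reported tree: sample -> setup_installer.exe
# -> setup_install.exe -> cmd.exe -> dropped PEs / powershell. Not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    _ev(TEMP + r"\setup_installer.exe", r"C:\Users\user\Desktop\gbC7tqLvqe.exe",
        TEMP + r"\setup_installer.exe"),
    _ev(TEMP + r"\setup_install.exe", TEMP + r"\setup_installer.exe",
        TEMP + r"\setup_install.exe"),
    _ev(CMD, TEMP + r"\setup_install.exe",
        r'cmd /c "' + TEMP + r'\622a44d66c12e_Thu1824f64b9ab.exe"'),
    _ev(PS, CMD,
        r'powershell -Command "Add-MpPreference -ExclusionPath ' + TEMP + '"'),
    _ev(PS, CMD,
        r'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    _ev(TEMP + r"\622a44d93a554_Thu18f9b844.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        TEMP + r"\622a44d93a554_Thu18f9b844.exe"),
    _ev(r"C:\Windows\System32\taskkill.exe", TEMP + r"\setup_install.exe",
        r"taskkill /f /im 622a450b36b18_Thu18a874e729.exe"),
    _ev(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
        r"notepad.exe"),
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```

The rules are deliberately narrow: a Temp-resident parent is required for the taskkill and dropped-EXE rules because taskkill and Temp-based execution on their own are common in legitimate installers, which is also why the page's Sigma hit is scoped to script hosts. The Defender rules fire on the command line alone; on a real fleet they should be joined with the corresponding Defender operational-log events before being treated as confirmed.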
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://coralee.at/upload/
http://ducvietcao.com/upload/
http://biz-acc.ru/upload/
http://toimap.com/upload/
http://bbb7d.com/upload/
http://piratia-life.ru/upload/
http://curvreport.com/upload/
http://viagratos.com/upload/
http://mordo.ru/upload/
http://pkodev.net/upload/
92.255.57.154:11841
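The IOC section (the reporter's GCleaner C2 45.9.88.246:43235, referenced on ThreatFox) and the C2 Extraction list above are the parts of this entry most teams consume, and they are of different kinds: raw ip:port sockets, bare domains with an upload path, and a URL on a shared hosting provider, which the vendor tags flag as "Legitimate hosting services abused for malware hosting/C2". The Python below is an added example for this page, not MalwareBazaar or ThreatFox code. It parses a subset of those indicators into sockets, hostnames and URL prefixes and runs them over a few constructed DNS, proxy and connection log lines; the key=value log format and the sample lines are assumptions made for the demonstration. A hostname under a shared-hosting suffix is never matched on its own, only together with the URL path, and a connection to a listed C2 IP on a different port is reported as a weaker, separate kind of hit.

```python
"""Network IOC matcher built from the C2 indicators on this page.

Added example for this page, not MalwareBazaar or ThreatFox code. The log
line formats (dns / proxy / conn key=value records) and the sample lines
are constructed for the demonstration.
"""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicators copied from this entry: the reporter's GCleaner C2 socket plus
# a subset of the extracted SmokeLoader/Socelars/RedLine config.
RAW_IOCS = [
    "45.9.88.246:43235",
    "92.255.57.154:11841",
    "https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/",
    "http://host-data-coin-11.com/",
    "http://coralee.at/upload/",
    "http://biz-acc.ru/upload/",
]

# Hosting the page flags as "Legitimate hosting services abused for malware
# hosting/C2": a hostname under these suffixes is only evidence together
# with the URL path, so it is never added to the bare-host set.
SHARED_HOST_SUFFIXES = (".amazonaws.com",)


class IocSet:
    def __init__(self, raw: List[str]) -> None:
        self.sockets: Set[Tuple[str, int]] = set()   # (ip, port)
        self.hosts: Set[str] = set()                  # hosts that are evidence alone
        self.url_prefixes: Set[Tuple[str, str]] = set()  # (host, path prefix)
        for item in raw:
            if "://" in item:
                u = urlsplit(item)
                host = (u.hostname or "").lower()
                self.url_prefixes.add((host, u.path or "/"))
                if not host.endswith(SHARED_HOST_SUFFIXES):
                    self.hosts.add(host)
            else:
                ip, _, port = item.rpartition(":")
                self.sockets.add((ip, int(port)))
        self.c2_ips = {ip for ip, _ in self.sockets}

    def match_url(self, url: str) -> Optional[Tuple[str, str]]:
        """Strongest match for a URL: full prefix first, bare host second."""
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        path = u.path or "/"
        for h, p in self.url_prefixes:
            if host == h and path.startswith(p):
                return ("url", h + p)
        if host in self.hosts:
            return ("host", host)
        return None


IOCS = IocSet(RAW_IOCS)

LINE_RE = re.compile(r"^(?P<kind>dns|proxy|conn)\s+(?P<fields>.*)$")


def _fields(s: str) -> dict:
    return dict(part.split("=", 1) for part in s.split())


def scan(lines: List[str], iocs: IocSet = IOCS) -> List[Tuple[int, str, str]]:
    """Return (line number, match kind, indicator) for each matching line."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        f = _fields(m["fields"])
        kind = m["kind"]
        if kind == "dns":
            q = f["query"].lower().rstrip(".")
            if q in iocs.hosts:
                hits.append((n, "host", q))
        elif kind == "proxy":
            r = iocs.match_url(f["url"])
            if r:
                hits.append((n, r[0], r[1]))
        elif kind == "conn":
            ip, _, port = f["dst"].rpartition(":")
            if (ip, int(port)) in iocs.sockets:
                hits.append((n, "c2_socket", f["dst"]))
            elif ip in iocs.c2_ips:
                # Same C2 host on another port: weaker, but worth a look.
                hits.append((n, "c2_ip_other_port", f["dst"]))
    return hits


# Constructed log lines (not real telemetry).
SAMPLE_LOG = [
    "dns query=coralee.at client=10.0.0.5",
    "proxy client=10.0.0.5 url=http://coralee.at/upload/",
    "proxy client=10.0.0.5 url=https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/setup.exe",
    "proxy client=10.0.0.7 url=https://s3.us-east-2.amazonaws.com/some-other-bucket/index.html",
    "conn src=10.0.0.5 dst=45.9.88.246:43235",
    "conn src=10.0.0.5 dst=92.255.57.154:443",
    "conn src=10.0.0.9 dst=8.8.8.8:53",
    "dns query=www.example.com client=10.0.0.9",
]

if __name__ == "__main__":
    for n, kind, indicator in scan(SAMPLE_LOG):
        print(f"line {n}: {kind} -> {indicator}")
```

Two design points carry over to production use. First, keep the match kind in the output: a "url" hit on the S3 path is strong, a "host" hit on a DNS query is medium, and "c2_ip_other_port" is a lead rather than a detection, and a SIEM rule should weight them accordingly. Second, C2 entries in MalwareBazaar and ThreatFox age quickly (the sample was first seen 2022-03-15), so tie each indicator to its first-seen date and expire it rather than letting a static list grow forever.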
Unpacked files

SHA256                                                            MD5                               SHA1
7ddf88854da75948219fa40c942c1878e2c6658df2449474fe370715ac522abb  7147a6039f5d57cb23ccd4fdd49823a2  bda5c1ac1e31e848822d28acc6c5af137d3cca96
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec  6faec01bf7a3d7f5c5dee2e6e3143a58  603a36f817cab5574e58ab279379e5c112e5fb37
e718a2f50e72d94ee2c9455603d98f67e7705aefc283351c182b5e503d59f6d8  5264c8567cf762e7cd37971a88b28a45  ffd23a453665086713bbeccf0029c5b026d4c47e
438d2aee613d40b0d35b48a7b671f8f60ac2424b688e7d00400ec8879065c37a  5b00a30277a186a4cc0ea60bf8f84e3f  d76af7d1dfec8693c5ee1cdd7383dbaefad8f7bc
7382632010b962fe845138c67406a369d1a00e77b293003a6aa89a206806f892  79d12bf220e9ea93125df294ac4a2c47  d0d63a8d43e079f856cce3186f3714ea66cda844
a0465f3a24b9cb6679052df2a8d483fbe208f15ea3b562d4b30738fa366d2ad5  6c0c16b0deda27e33a7c909f401ca46a  c8681caa07d32066e9c38cd05aa5c627f0592ba7
0baa4038bb4ba1912765d303c2f4e3847a0b860ae531fd592e4c955b5a552897  a51acfdfd5c8caa97422516965382ecd  c56fef0fcb1fe78226b5daf36e8243624d5156f5
44ab99b7e10f73b114898b1f8feb3ab2d09bbc57a6cf7c70f64d8db90c1c4f6c  56291f3fc35d0aa907f70d5b7b84a181  c3c8b0659227a0231f6fe8aabe58a6ade0f4265c
7ecc667abaea716e8853d9028f4582b53548e17575ddfee52d45871c5d5a5d66  fb84bebe76cddcc6870f2d2ba27183b1  b90605c21e35ce0128630d00bf8c619357def2bb
43fa7bd5404424876d96ec611b4a1a79add6e3639a9dc53f47896281ca0c2b39  9ea5845dff182250953b4bd7b6bd99ac  2b5ecae895a4924a3e81b19b4ad31a3701192e58
9049ff744c56858b777adf1cf80f4e0f876a4d54dc23ea884c2f8aa39a3bef1d  31ebd93c9fb74de0bf3c9eac412f72fb  b7c4e5e258b4b7a3742c23315c7a204d73bf72d4
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963  f707252b9c9579677fffb013e0cfc646  8ab483023fa8773afb8c13464c39c5b8e687f126
84f745ceea980ed2342724f877d798e5c18ab46ba10af0986ee306c05d5a486f  fe2c8b8a149d61280c73d89ef54664ed  03c9d039a43364b35ddeb4ae27a82aa3f9b284a3
245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa  4f93004835598b36011104e6f25dbdba  6cb45092356c54f68d26f959e4a05ce80ef28483
cd66d8f4c1b15668aa216039ff187ab2595406d8a4d6fcf54632e9d5c1e19157  22559ba7d43d3b6c40cb21851ddddfa8  8cd2154c88fdfbdffc813c4a023d9253aee4513d
0a31968d7ec10506fcd6dc796488601ce7b629450c0987ed78081324f3a9bc79  9e6c73f42b8763d06fe8c311e8dda189  93586e4a448947bf449274370ffd9ce63ab5e796
fed2feef7bf4a6c0f08d9bb0ba9a51040347cee68d7b64ac646473d98115bb6d  217467bc47dabdae153fdf51108fc099  5628150c231cc534cf9316330a985f20332328a9
d9cf430b0006953f1950e11f8bce489237650aac86cb395a408ab0cfb5bf11c1  29132130e7dc1f10589ee721d9ff3fac  c6feca390ab89e8a3da165fc7d84bfeabca93fb0
9c95ac6d893b99c90cd9b6ccb65292971f52711127d314ff7990ccc717e0b03e  7b97f106dde0ba69fba9753702f01213  efdaeb584bf4d3ea6640cdef9491928a5b6c8c06
19dced086af5af25c55b86e5832c22abecc97cf206e1827afa962f733c4878f3  45833b84a90532c640d6cf0e6258ba5a  dbf7dd66a48fa9ea6a0bb6dd49fdf1b602709e3e
3834b695300307d48debde3222e78a714ee481ede7394ac8c7c239ecc216b34d  324542919635fc80f8f9cc53e740ecfd  38286652e2da911bcff4ce4fd7ed28df5c071975
0c33a02c6092ec15205fd59fe11c84182ee80d09f01802712927961d8eec4833  281d6892d3fd2f98efeb46ce22dfe44f  b53d485e3aa9e3fee86834f08ee5810adc74ca55
c7b40c40c982da336054fbb5217c70d5b06c1bab2cce043f25636e4ea74a220b  8c7be5b9427134ba05e6d804b5810c7d  7e97593e7e8bc067674dd72fb900607b4a435199
5bbc865f0347c81d627eaf6d11a2e7f34403b7ab4d12dd860af4b6fd650d41dd  b4c9e5e0d6c7bda7586e4c8cf80ce549  cdb310f7417f150c0632e5739783b1d25b3a020e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments