MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d443509cccd42fff7c822682ad95d16e97e9f093190731bac07daa7fd70deb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlackGuard

Vendor detections: 15

Intelligence 15 IOCs 1 YARA File information Comments

SHA256 hash:	5d443509cccd42fff7c822682ad95d16e97e9f093190731bac07daa7fd70deb9
SHA3-384 hash:	46028eb9cf2536a769c883d5286d0e20b4d6afe1afb77c05c6b133df0f4caa2106f0f1756e226fd32977a711f56b9f67
SHA1 hash:	c54e31d25377079015273f7124e84d2fc3060b8f
MD5 hash:	dab10a01405cdcf9e2737f84580b9848
humanhash:	network-sodium-six-eighteen
File name:	dab10a01405cdcf9e2737f84580b9848.exe
Download:	download sample
Signature	BlackGuard Create hunting rule
File size:	346'624 bytes
First seen:	2022-05-08 18:10:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dd713e86f79f24fed8f0b30a6d67c702 (3 x RedLineStealer, 1 x BlackGuard)
ssdeep	6144:TahqncO+tCjWTqeHusF+ohoO1H4iKPFnv0hQhUp/Dt3ML3:TahBOuUWTqeHEoFH6d2WM/Dtm
Threatray	5'240 similar samples on MalwareBazaar
TLSH	T1FD74AF407BA0D039F1B316F0B96A93A8B93ABDA15B3550CB22D53BEE5A306D0DC74717
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13101/52/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	b6dacabecee6baa2 (18 x RedLineStealer, 12 x Stop, 9 x ArkeiStealer)
Reporter	abuse_ch
Tags:	BlackGuard exe

abuse_ch

BlackGuard C2:
http://194.36.177.190/files/upgrade.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://194.36.177.190/files/upgrade.php	https://threatfox.abuse.ch/ioc/548956/

Intelligence

File Origin

# of uploads :

# of downloads :

345

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2022-05-01 01:10:01 UTC

Tags:

evasion trojan socelars stealer loader rat redline

Link:

https://app.any.run/tasks/8738b4f3-2d08-4cbc-8fae-caebd459f9b8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Ransomware.Ransomx-9943921-0

Win.Packed.Filerepmalware-9947507-0

Win.Packed.Pwsx-9948390-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Creating a window

Creating a file in the %AppData% directory

Running batch commands

Launching a process

Blocking the Windows Defender launch

Unauthorized injection to a recently created process

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16738/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware packed ransomware

Link:

https://www.filescan.io/uploads/627807c54b517e213c24aa84/reports/989c10ec-9cfd-4850-80a2-f7116e075ab3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Tofsee

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/687fef00-23db-4989-b5d2-9667e8364abd

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/989807

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Disable Windows Defender real time protection (registry)

Downloads files with wrong headers with respect to MIME Content-Type

Found C&C like URL pattern

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5d443509cccd42fff7c822682ad95d16e97e9f093190731bac07daa7fd70deb9/

Threat name:

Win32.Backdoor.Zapchast

Status:

Malicious

First seen:

2022-04-29 19:50:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

37 of 42 (88.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lvcdkcomzvbp756iejucvwk5c3ux5hyjggihgg5ma7nkp7lq324q._file

Verdict:

malicious

BlackGuard

3b7b44dd7b962d287957a7f912218d56b224e743cab832db0114e69fb329387a

BlackGuard

849beb1413d9750e1bad8a3758dc87053d47fe5cba1528723414c918625e6d27

BlackGuard

a5453a830d01639ad537320c94e68565341328c872a8f2d3456221a0bec6f3e9

BlackGuard

e2e7294a6fee9ef6372897f3bebffb0d17bc31b9cf8c663181e192a608057061

BlackGuard

e4fb57012d7a31e6511c4bac952323093e8bb51f138841f994f58259162dfd6e

BlackGuard

+ 5'230 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:redline family:smokeloader family:tofsee family:vidar botnet:937 botnet:@humus228p botnet:ink botnet:sushi backdoor evasion infostealer persistence ransomware spyware stealer suricata trojan upx

Link:

https://tria.ge/reports/220508-wsk1dseec3/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Launches sc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

UPX packed file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Detected Djvu ransomware

Djvu Ransomware

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine Payload

SmokeLoader

Tofsee

Vidar

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

Malware Config

C2 Extraction:

31.41.244.92:6188
185.215.113.24:15994
193.106.191.253:4752
65.108.101.231:14648
niflheimr.cn
jotunheim.name
https://t.me/hollandracing
https://busshi.moe/@ronxik321
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
http://nikogkojam.org/
http://ugll.org/test3/get.php

Unpacked files

SH256 hash:

8e575d495eee5350c89514a6106abf4e601a9dcebc198b9d38d076ae6b45f835

MD5 hash:

fa975e9ec930e7d4850cce26557bbd98

SHA1 hash:

c97a6f308a6c8c35f57a6c3e3536fb88713947f6

Link:

https://www.unpac.me/results/465479fb-74a3-473d-a39d-6f441ea96cb5/

SH256 hash:

5d443509cccd42fff7c822682ad95d16e97e9f093190731bac07daa7fd70deb9

MD5 hash:

dab10a01405cdcf9e2737f84580b9848

SHA1 hash:

c54e31d25377079015273f7124e84d2fc3060b8f

Link:

https://www.unpac.me/results/465479fb-74a3-473d-a39d-6f441ea96cb5/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5d443509cccd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5d443509cccd42fff7c822682ad95d16e97e9f093190731bac07daa7fd70deb9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample