MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443
SHA3-384 hash:	6cd7dc85ca11a63dbb0c6877324a75f0d3138eca58f052859a3f63e0374f9ab2b1a227708f13af041080b71b646b6c9f
SHA1 hash:	b553c2e73d7ab9459e77a00ae5b36b56e13ada22
MD5 hash:	865f5d2c00bf96b95319d42d007bea2a
humanhash:	nebraska-cat-ohio-winner
File name:	865f5d2c00bf96b95319d42d007bea2a
Download:	download sample
File size:	668'672 bytes
First seen:	2023-06-07 03:54:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:g3F4L16JYy/3lTjrN+PU1MQvq8hut0M2niS2SBKXK0NSDw:g3Fa1PcjrNpMYfct0M2nGeWck
Threatray	2'178 similar samples on MalwareBazaar
TLSH	T167E4239EF7E21096CC79A33B9F2D10A10428AA627C1B93D43EE1F9134D6DD8D4E55C3A
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	zbetcheckin
Tags:	64 exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

245

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

0ef0b387d96b77ca009418bc15815470.exe

Verdict:

Malicious activity

Analysis date:

2023-06-01 01:07:12 UTC

Tags:

rat redline stealer trojan

Link:

https://app.any.run/tasks/74cc2b39-2e12-4db8-a98b-4c157cf13def

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/396296/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.83820.2403.482.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a file

Creating a process from a recently created file

Launching a process

Using the Windows Management Instrumentation requests

Creating a window

Sending a custom TCP request

Enabling autorun by creating a file

Unauthorized injection to a system process

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/647fff96c1815b8f1ed3925b/reports/a300181b-c17f-4123-b158-3885270efc8e/overview

Hybrid Analysis MSILHeracles.Generic

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d3ab2a01-4009-4968-8d11-92449be40141

Joe Sandbox malicious

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1250012

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443/

ReversingLabs TitaniumCloud ByteCode-MSIL.Spyware.RedLine

Threat name:

ByteCode-MSIL.Spyware.RedLine

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-01 03:57:21 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

4

AV detection:

19 of 24 (79.17%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lwr57cgffq6oxiubqqvughba2dzv7pfyoophrh7g73rzxsykcrbq._file

Threatray malicious

Verdict:

malicious

Similar samples:

1c758992ed57930115ba585a43bc0a7a750a476206cf1999bf3333f26fc230f2

36cea9a517889dd607921a87d2bd9ed04b2de4c465f17d52bd1e399aa979da83

5d8e70acefcbcc2eff05078efbea2c82d7a051edaabfa4caaf6d48fc9d6644e3

7e7ec7610373a200dcf87da34869f28d29ec2947fb5defd0dfa5886e12b6b1cd

812f2741f662194744b33d6e51c4fbe11823d06e90938865aa4517974a072bc1

97ced07bdc4f3aa27a05afd76de293eccc176c133626da95cabee1c25de17867

9ff71b633c947942d5b2b4ffdc0e771c9e167ae1cf07dc126ceaccdf4891ae9c

a130830dbd995f4e11fd9572076a51db0ea6fa0c4d7c57acc2c72274c05d408a

b2e31ed9833299ec3c166877db92ff5d477858f5867ca5494b26a82558e4616e

+ 2'168 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

n/a

Link:

https://tria.ge/reports/230607-egrv5ahd2y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

UnpacMe

Unpacked files

SH256 hash:

5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443

MD5 hash:

865f5d2c00bf96b95319d42d007bea2a

SHA1 hash:

b553c2e73d7ab9459e77a00ae5b36b56e13ada22

Link:

https://www.unpac.me/results/637231b2-c2b6-4f91-9f3e-7bddf19cb032/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5da3df88c52c/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/396296/

  

URLhaus

https://urlhaus.abuse.ch/url/2654406/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-06-07 03:54:33 UTC

url : hxxp://filebin.net/xngdjk0mz4ucyvub/Jhfykdpo.exe