MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e3c17b9a8fb04fc0de847833073fba6b1f5b4c302c003cfb888f93e4bd54adf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: 5e3c17b9a8fb04fc0de847833073fba6b1f5b4c302c003cfb888f93e4bd54adf
SHA3-384 hash: c051004ac0ef6141c2d186cf3da47ddc7ff9f57fa798b7412916f592553de2823c67332d413948c2ed18e5a2877e866c
SHA1 hash: 781e2ac0212563ab09956f409e01ffd862fc9d1d
MD5 hash: 5e1f4e1c09bee188627f682d2c0a59dd
humanhash: island-enemy-eleven-yankee
File name: Cool_Tips_Installer.exe
File size: 1'008'128 bytes
First seen: 2021-04-29 15:20:19 UTC
Last seen: 2021-04-29 19:05:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7534b3971bfd7b1aa0f5a023d960bfad (1 x RedLineStealer)
ssdeep: 24576:buE32YtcuBBgGQzNhY7UwJ4GYm21GXn+K:Dp63wKGd2+nV
Threatray: 5'467 similar samples on MalwareBazaar
TLSH: B2258D53B3C7D0B2DFA226F3D6B587761939B934133C89CB7390282EE9906C16A35359
Reporter: Anonymous
Tags: exe


Anonymous
Retrieved from https://cdn.discordapp.com/attachments/739993905805787160/836400365108068392/Cool_Tips_Installer.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 85
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: http://gg.gg/cooltip
Verdict: Malicious activity
Analysis date: 2021-04-28 12:05:55 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 42 / 100
Signature
Drops PE files to the document folder of the user
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Behaviour
Behavior Graph (ID 400201; sample Cool_Tips_Installer.exe; start date 29/04/2021; architecture WINDOWS; score 42): Cool_Tips_Installer.exe starts, drops C:\Users\user\Documents\Tipz\tip.exe (PE32) and starts tip.exe. Signatures shown in the graph: Multi AV Scanner detection for submitted file; Drops PE files to the document folder of the user; Sample or dropped binary is a compiled AutoHotkey binary.
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-04-28 15:02:50 UTC
AV detection: 10 of 47 (21.28%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 1fd3bc35b99b7eb585fa3b8cbab9c370fb9cde0a28bb7d7ad8209f60d1733de8
MD5 hash: 88a1ecdcc59d7d91985e63a57f144a82
SHA1 hash: 3a6b762fb7ec5ace1948d84d9ea5bab1483231ed
SHA256 hash: 5e3c17b9a8fb04fc0de847833073fba6b1f5b4c302c003cfb888f93e4bd54adf
MD5 hash: 5e1f4e1c09bee188627f682d2c0a59dd
SHA1 hash: 781e2ac0212563ab09956f409e01ffd862fc9d1d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 5e3c17b9a8fb04fc0de847833073fba6b1f5b4c302c003cfb888f93e4bd54adf (this sample)

Delivery method: Distributed via web download

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-29 16:07:24 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.012] Anti-Behavioral Analysis::Human User Check
3) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
4) [F0002.001] Collection::Application Hook
5) [F0002.002] Collection::Polling
7) [B0030.002] Command and Control::Receive Data
8) [C0002.012] Communication Micro-objective::Create Request::HTTP Communication
9) [C0002.017] Communication Micro-objective::Get Response::HTTP Communication
10) [C0002.004] Communication Micro-objective::Open URL::HTTP Communication
11) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
12) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
13) [C0021.005] Cryptography Micro-objective::Mersenne Twister::Generate Pseudo-random Sequence
14) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
15) [C0019] Data Micro-objective::Check String
16) [C0026.001] Data Micro-objective::Base64::Encode Data
17) [C0026.002] Data Micro-objective::XOR::Encode Data
20) [B0043] Discovery::Taskbar Discovery
21) [B0023] Execution::Install Additional Program
22) [C0045] File System Micro-objective::Copy File
23) [C0046] File System Micro-objective::Create Directory
24) [C0048] File System Micro-objective::Delete Directory
25) [C0047] File System Micro-objective::Delete File
26) [C0049] File System Micro-objective::Get File Attributes
27) [C0051] File System Micro-objective::Read File
28) [C0050] File System Micro-objective::Set File Attributes
29) [C0052] File System Micro-objective::Writes File
30) [E1510] Impact::Clipboard Modification
31) [C0007] Memory Micro-objective::Allocate Memory
32) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
33) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
34) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
35) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
36) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
37) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
38) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
39) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
40) [C0040] Process Micro-objective::Allocate Thread Local Storage
41) [C0042] Process Micro-objective::Create Mutex
42) [C0017] Process Micro-objective::Create Process
43) [C0038] Process Micro-objective::Create Thread
44) [C0041] Process Micro-objective::Set Thread Local Storage Value
45) [C0018] Process Micro-objective::Terminate Process