MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 644ecdd263538e3f6da1689a78b77101dd86451afb376e785b33d1e7c9cd6f82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 15



SHA256 hash: 644ecdd263538e3f6da1689a78b77101dd86451afb376e785b33d1e7c9cd6f82
SHA3-384 hash: 2f3ac33640358aa08980a96e10640296a216ab97b9c105e6eb991a0446d63dc4a580b65b20ed5a7b8a6d915e699a46f9
SHA1 hash: 4f56f68dc215a653ed9ef663ece670d9b5f10461
MD5 hash: 96bdeaa4e52db8d04495f5bd17bc8176
humanhash: purple-maine-thirteen-quiet
File name: 644ECDD263538E3F6DA1689A78B77101DD86451AFB376.exe
Signature: CoinMiner
File size: 4'210'238 bytes
First seen: 2022-10-25 01:40:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:x9CvLUBsgnfYLRcq6MT6cbHn53mO0JC2YEq47g+7PP/:xeLUCgnw1UMucbHn53N0DY7QB
TLSH T1C6163310B9E294FAFA62007DCDCCBFF482BCC758591265EF73228519BD6C8649419EBC
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags: CoinMiner exe


abuse_ch
CoinMiner C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://78.47.204.168/ | https://threatfox.abuse.ch/ioc/891320/
85.192.63.57:34210 | https://threatfox.abuse.ch/ioc/930664/

Intelligence


File Origin
# of uploads: 1
# of downloads: 241
Origin country: n/a
Vendor Threat Intelligence
Malware family: socelars
ID: 1
File name: 644ECDD263538E3F6DA1689A78B77101DD86451AFB376.exe
Verdict: Malicious activity
Analysis date: 2022-10-25 01:41:27 UTC
Tags: evasion opendir trojan socelars stealer loader redline rat tofsee ficker miner vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nymaim, RedLine, Socelars, onlyLogger
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Submitted sample is a known malware sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph:
Behavior Graph ID: 729784
Sample: 644ECDD263538E3F6DA1689A78B...
Start date: 25/10/2022
Architecture: WINDOWS
Score: 100
Top-level network: xv.yxzgamen.com, www.facebook.com, 16 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 24 other signatures
Process tree (as recovered from the graph):
- 644ECDD263538E3F6DA1689A78B77101DD86451AFB376.exe
  dropped: C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\AppData\...\libwinpthread-1.dll (PE32), C:\Users\user\AppData\...\libstdc++-6.dll (PE32), 17 other files (16 malicious)
  - setup_install.exe
    network: 127.0.0.1, marianu.xyz
    signatures: Multi AV Scanner detection for dropped file; Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
    - cmd.exe -> Thu17bd3ed35a1cd4764.exe
      network: 212.193.30.115 (ports 49711, 49718, 49727; SPD-NETTR, Russian Federation), 107.182.129.251 (ports 49712, 49719, 80; META-ASUS Reserved), 21 other IPs or domains
      dropped: C:\Users\...\wVJIE_bF7agEYyrpRFgait9Z.exe (PE32), C:\Users\...\u4bnInh2NzTDbhoRUTMGngmx.exe (PE32), C:\Users\...\tRD4DwbtRwoKgVRaNju3Ka9Y.exe (PE32), 19 other malicious files
      signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
    - cmd.exe -> Thu17ccc3ee904aa3369.exe
      network: sun9-16.userapi.com (87.240.185.143; VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation), 5 other IPs or domains
      dropped: C:\Users\...\ximRAMSKpZm1fMsLKjEulqhs.exe (PE32), C:\Users\...\pv7k2aU5m0OMd_JYp7GzvJDi.exe (PE32), C:\Users\...\myoZE3Fg8gWZZtvmY3H7WkN4.exe (PE32), 19 other malicious files
      signatures: Tries to harvest and steal browser information (history, passwords, etc)
    - cmd.exe -> Thu17cfcd051e749c.exe
      dropped: C:\Users\user\...\Thu17cfcd051e749c.tmp (PE32)
      signatures: Obfuscated command line found
      - Thu17cfcd051e749c.tmp
        dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32)
        - Thu17cfcd051e749c.exe
          dropped: C:\Users\user\...\Thu17cfcd051e749c.tmp (PE32)
          signatures: Obfuscated command line found
          - Thu17cfcd051e749c.tmp
            network: ppgggb.com (209.99.40.222; ports 49720, 49721, 80; CONFLUENCE-NETWORK-INCVG, United States)
            dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\...\unins000.exe (copy) (PE32), 2 other files (1 malicious)
            signatures: Creates HTML files with .exe extension (expired dropper behavior)
    - 16 other processes
      signatures: Submitted sample is a known malware sample; Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
      - Thu1746697ad4.exe
        signatures: Machine Learning detection for dropped file
        - mshta.exe -> cmd.exe
          dropped: C:\Users\user\AppData\...\H4BLYYMcKn5.eXE (PE32)
          - H4BLYYMcKn5.eXE
            signatures: Multi AV Scanner detection for dropped file
            - mshta.exe -> cmd.exe (dropped: C:\Users\user\AppData\Local\Temp\XDCgDT0.6 (PE32))
            - mshta.exe -> cmd.exe -> conhost.exe
          - conhost.exe
          - taskkill.exe
      - Thu170d53a54cc3.exe
        signatures: Antivirus detection for dropped file; Injects a PE file into a foreign processes
        - Thu170d53a54cc3.exe
      - Thu17478d64e901281.exe
        - Thu17478d64e901281.exe
      - 10 other processes
        network: gcl-gb.biz (Connects to a pastebin service (likely for C&C)), 8 other IPs or domains
        signatures: Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
        - explorer.exe (injected)
        - WerFault.exe (two instances)
        - Thu173008799238.exe
Threat name: Win32.Trojan.Redlinestealer
Status: Malicious
First seen: 2021-10-22 07:06:07 UTC
File Type: PE (Exe)
Extracted files: 241
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:fabookie family:nullmixer family:onlylogger family:privateloader family:redline family:smokeloader family:socelars family:tofsee botnet:6.4 botnet:@noxycloud botnet:chrisnew botnet:logsdiller cloud (tg: @logsdillabot) botnet:media21 botnet:mr x botnet:sehrish2 aspackv2 backdoor dropper evasion infostealer loader main persistence spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates processes with tasklist
Kills process with taskkill
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
ASPack v2.12-2.42
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
OnlyLogger payload
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
Modifies Windows Defender Real-time Protection settings
NullMixer
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Tofsee
Malware Config
C2 Extraction:
http://marianu.xyz/
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
135.181.129.119:4805
194.104.136.5:46013
91.121.67.60:23325
79.137.192.41:24746
103.89.90.61:34589
51.89.201.21:7161
85.192.63.57:34210
Unpacked files

SHA256 hash: 76e14134a7a8d89f224790e14f5a4e42e1700d62be25ca90e0f3028950e88412
MD5 hash: b23c671ccff85e3354986b3e05fad8f8
SHA1 hash: bb9f223669f75e9ba66226556c79761a7c8df165

SHA256 hash: c347a863ee10a621b0368d2c52e297fe82f4a70f5223bdf5e1cc332cfbb300b3
MD5 hash: 222c2101d2689ccd889d864cefc0e52c
SHA1 hash: dfc809a6dd96db2ceb701883dff3fe826d2b6d69

SHA256 hash: e07353baabb9c287093629bdbe00c5721f3b130a2bf337cba5cf475d857681e9
MD5 hash: a46e4985a6592cad27270c965643b752
SHA1 hash: 89188cb0f9c715848b71b162916e0c88e956f08a

SHA256 hash: fb35e940eb07e761704d5c922e77e28d51279088375fef12ed342361e428df66
MD5 hash: 4023b304f7969a24b91be30d76997997
SHA1 hash: 40bf9443df97437df7b695874fefa3e8103d76bc

SHA256 hash: 57357e1d304ed1c4db3d22dbbd6a01327237d1fad37437db58f0a7d97a3d7ba3
MD5 hash: 42c09e2ff1923e01e6b465436b1d176f
SHA1 hash: 6fc4b58ff71392865812ba14a6b469ddec5df7d4
Detections: win_gcleaner_auto

SHA256 hash: 27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128
MD5 hash: de1b3c28ea026c0ede620dd78199ddc5
SHA1 hash: ee402371a36bff44c765323ccd8c7e4a56bc8d12

SHA256 hash: 3c7eafd4b40f81bb7bdfb00c5a9d5fc741ddd12ed6d660db826de783aa429b25
MD5 hash: 350b836e6fbd8d8a1f104ebdd82ed0f7
SHA1 hash: e19ab63560fe796fe7fd140bf315aeff412cde6a

SHA256 hash: fa882cdf67e1f4aa179a8d8b6675fda90daa4538d253738ae814d6bb78ae7bfc
MD5 hash: b35fe36d634521eae94d39cbae7d3be4
SHA1 hash: b807dc815b045068c6b4f141ffdcd6c2028f5076

SHA256 hash: 82b60a8c25db65bae520e73b7a67d2a6ca1f0fe6926439d0d7f1c0d52aa2f7d4
MD5 hash: a758705ffd480485776c573bbe7091ca
SHA1 hash: ae62bd009da6c2bf8e91f06a9a01890f74828d07

SHA256 hash: 6bcca33a599532917b446f07952719fa7a70edf6646c14b13e64686ff2c6d44c
MD5 hash: 7af76a6cff6996241b9d85558848e6c8
SHA1 hash: a8df8a22e003849550c2e6827bf17a5edbec5524

SHA256 hash: da7af5ed7e6ef9be519c5b3418286e97c7a79784e3f111d136e3ef1630af21d1
MD5 hash: 3e7496e5a607510badd8ded51c439e78
SHA1 hash: a3e821169b55808d7bff9531384433865e061c60

SHA256 hash: c48f955af8749972b7bd7dba2dd239cb224d049f8bc2dd1fe5c6233e2d64e741
MD5 hash: 78d016d5b9ee552dc76bf8a024392ce9
SHA1 hash: 8ba7b1380ca5cd7c7de57f4b8f2e74028e9b363d
Detections: PrivateLoader win_privateloader_w0 win_privateloader_a0

SHA256 hash: a66bf332eab3d4153d03454f661adf5b98afabb119bbe9069a871125ab190a3f
MD5 hash: 177d13a7bf5ae8cb3aa31bc60567f52c
SHA1 hash: 235206d85cb4093ac35adf1be5cb5b686fdd737e

SHA256 hash: 42d5dc71c6604b9281d2ed9b1dd30f82a933513a43a0466381e3a7f92505e85c
MD5 hash: fa34ba2609b9369855bb26bfdcf628a6
SHA1 hash: 15863e818ba7d3ecb4414b6d0708c75de79e4815

SHA256 hash: 3ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513
MD5 hash: 9074b165bc9d453e37516a2558af6c9b
SHA1 hash: 11db0a256a502aa87d5491438775922a34fb9aa8

SHA256 hash: 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash: 6449aa2e023c5931ac91815ca54225ed
SHA1 hash: 65b5f4df2c28472469ddf924e6b0d0a61394c612

SHA256 hash: d16a5687ff61f94a09f1eaef97ce21b9b3ff1d74074eec7f3c0283843a247b36
MD5 hash: f899b0c57cc8d7720e01fedbd5abf3f6
SHA1 hash: b251aa841737d8bd76fda7e8824669a689d6c4cf

SHA256 hash: ebe52c2924109a6642d017c5ae00a7d8d10a174e5a2c192e84de8c7a7dcb536d
MD5 hash: d01553f797d3bb52a498492931a14f26
SHA1 hash: a81c6d21d37c114bafcac653d30442c45503c737

SHA256 hash: 357513b7b408ac26ef9794810b90ad9cc6edbdf4d264524bcf71a8db9d47a784
MD5 hash: 195fb17c736b27014d6a789b287f6d51
SHA1 hash: ce0b4fc3c1ec3b63ad1be745c0b3edef600cc98f

SHA256 hash: 644ecdd263538e3f6da1689a78b77101dd86451afb376e785b33d1e7c9cd6f82
MD5 hash: 96bdeaa4e52db8d04495f5bd17bc8176
SHA1 hash: 4f56f68dc215a653ed9ef663ece670d9b5f10461
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: win_gcleaner_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.gcleaner.

File information


The table below shows additional information about this malware sample such as delivery method and external references.