MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3
SHA3-384 hash: 0b9f81c6884647488baf356454ce6c1aeb70efbbfe68d7fb766e4e4fe7ff2939c21c59fec8de6114399237b4dce0882e
SHA1 hash: 38100751a4ae45a143232cbacf9bb441b31fb211
MD5 hash: 848b847cd19805d19235b5acb8ef2bef
humanhash: foxtrot-papa-triple-pluto
File name:3rd_2.7_injector.dll
Download: download sample
File size:142'848 bytes
First seen:2023-08-26 06:30:37 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 3072:l7bcaK96uK9RhZEGyASjdeqSwxqlqfrYNZIO7RJfMLpO:23N4ZE1ASjNfH+1i
Threatray 364 similar samples on MalwareBazaar
TLSH T12ED3D56A33D84F41CA9819B5C2E3893423E3AA877633D7453E441AC61F417E9DECA7C9
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Securityinbits
Tags:dll


Avatar
Securityinbits
This is 3rd stage .NET injector which was used by line.exe (532631b46cb7e5b8b034cb3ef0ecc549fc10856261d9710cf23e7967055ddde4).

The file was extracted from 2ndStage.dll.

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
SG SG
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444824/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.60127.13135.30918.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
83%
Tags:
lolbin packed replace
Link:
https://www.filescan.io/uploads/64e99c271d3a8c6c12174626/reports/8b6a9615-950c-4bfe-af7e-044a1535e9d7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f6ceb1f4-f1fe-457c-bb9d-8d58cc72f721
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1297721
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1297721 Sample: 3rd_2.7_injector.dll Startdate: 26/08/2023 Architecture: WINDOWS Score: 64 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 .NET source code contains method to dynamically call methods (often used by packers) 2->19 21 Machine Learning detection for sample 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2023-03-26 06:17:47 UTC
File Type:
PE (.Net Dll)
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxshk6bhjull4g7a6udwpowqv4ljgdpugvln2i6xvvpevxblzprq._file
Verdict:
malicious
Similar samples:
0e25b5299c3df59e05d296b1478d43094d5d81e1a5b8706fd355b36388244326
1c9708a7c1cca2ffb1fb6711828553521a81c313bd3dcefba441e546d2457e5d
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19
532631b46cb7e5b8b034cb3ef0ecc549fc10856261d9710cf23e7967055ddde4
c348c3775a0481aa6b252df6079219b5617ff8e21b2e13c7f230684a9b120001
d42fdb11f10e2455d0197dc973cf384fc2f480e596055dcb1994086c8db4a6da
e02f9dc140a5c96f52f5920069e851e6eb606c8b957ae43cb58081d0e8a87d73
e228a849f5375edec8636a1c110c88169d7f8895cfe209eaf7e52d4f22cabeaa
f064653fb4b2d463961af7fe3234c034a068d382f0df1eada6e7090dc7c288c8
+ 354 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230826-g92l5sgf82/
Unpacked files
SH256 hash:
65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3
MD5 hash:
848b847cd19805d19235b5acb8ef2bef
SHA1 hash:
38100751a4ae45a143232cbacf9bb441b31fb211
Link:
https://www.unpac.me/results/cff59037-1cbc-4703-af9f-fbe610cae5a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

zip 3086ac8861aaccdf3dc45f3b1380b6cd70169c7d9fc16f098f5a1d08736fed61

DLL dll dcae7409025c6d7314b2a15beb5452a4d3ed5d441e3e40726854d193135b8e81

DLL dll 65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3

(this sample)

  
X
https://twitter.com/Securityinbits/status/1691081404191260674
  
Dropped by
SHA256 dcae7409025c6d7314b2a15beb5452a4d3ed5d441e3e40726854d193135b8e81
Cape
Cape
https://www.capesandbox.com/analysis/444824/
  
Dropped by
MD5 16ef1f88f6d85b813f4aa7a83d5a0979

Comments