MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 665d4b7c4bec54b430a47f22608d377f3a96775cf5edfee297265e385461266e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 14



SHA256 hash: 665d4b7c4bec54b430a47f22608d377f3a96775cf5edfee297265e385461266e
SHA3-384 hash: 1ff61fd8463314305ba9c747cf53fc26fe885394564b9964a1c5ad45436202a8445737ba8e9715a3d3288b9c4fc33a2f
SHA1 hash: 53a269707333b61b5729f6a69a64658463a9404c
MD5 hash: ab30bb947e01c244a019178e7f3c91f1
humanhash: football-juliet-march-oxygen
File name: ab30bb947e01c244a019178e7f3c91f1.exe
Signature: RedLineStealer
File size: 11'183'010 bytes
First seen: 2021-12-16 11:16:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:xWLUCgTM/EYJ78bfGmXz8NPWpUR+0BPKC6kroR/dC8jA5OuKsUVUOJwl6z:x+dgQ/XiGAKqV0Rh6kM/dCyA5xKzAl6
Threatray: 811 similar samples on MalwareBazaar
TLSH: T1C6B633887A0490F9DE5BE13F114CAEF7A6BE83418263ACF75350C0805BBEA41E5BF556
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
65.108.69.168:13293

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
65.108.69.168:13293  https://threatfox.abuse.ch/ioc/276365/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 179
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Launching a process
Creating a window
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Creating a process with a hidden window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Raccoon RedLine SmokeLoader Socelars Vid
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Behavior Graph ID: 540961
Sample: 6VTSHr3nIo.exe
Startdate: 16/12/2021
Architecture: WINDOWS
Score: 100

Process tree and per-node observations (the graph rendered as text; "Network" entries list host, IP and ports as shown in the graph):

Start
  Network: 185.215.113.44 (WHOLESALECONNECTIONSNL, Portugal); ip-api.com 208.95.112.1, 49786, 80 (TUT-ASUS, United States); 9 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 25 other signatures
  6VTSHr3nIo.exe (started)
    Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Mon16ebe7b7d56fa541.exe (PE32); C:\Users\user\...\Mon16ebd2f55d741b527.exe (PE32); 22 other files (15 malicious)
    setup_install.exe (started)
      Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
      cmd.exe (started)
        Mon166ea2343858b.exe (started)
          Network: mstdn.social 116.202.14.219, 443, 49785 (HETZNER-ASDE, Germany); 2 other IPs or domains
          Dropped: C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\vcruntime140[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 9 other files (none is malicious)
          Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 2 other signatures
      cmd.exe (started)
        Mon16815d373717a5e.exe (started)
          Signatures: Machine Learning detection for dropped file; Injects a PE file into a foreign processes; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
          Mon16815d373717a5e.exe (started)
            Network: ad-postback.biz 192.210.222.94, 49778, 80 (SERVER-MANIACA, United States)
            cmd.exe (started)
      cmd.exe (started)
        Mon16183d35ef30e.exe (started)
          Mon16183d35ef30e.exe (started)
            Network: 45.9.20.221 (DEDIPATH-LLCUS, Russian Federation)
      11 other processes
        Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
        Mon16ebd2f55d741b527.exe (started)
          Network: iplogger.org 148.251.234.83, 443, 49780, 49787 (HETZNER-ASDE, Germany); cdn.discordapp.com 162.159.130.233, 443, 49781 (CLOUDFLARENETUS, United States)
          Dropped: C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32)
          Signatures: May check the online IP address of the machine
        Mon1641ad430d.exe (started)
          Network: www.listincode.com 149.28.253.196, 443, 49784 (AS-CHOOPAUS, United States)
        Mon16ebe7b7d56fa541.exe (started)
          Signatures: Sample uses process hollowing technique
        5 other processes
          Network: 212.193.30.45, 49779, 49782, 80 (SPD-NETTR, Russian Federation); pastebin.com 104.23.98.190, 443, 49783 (CLOUDFLARENETUS, United States)
          Dropped: C:\Users\user\...\Mon16cf8423e6ba636.tmp (PE32)
          Signatures: Obfuscated command line found
Threat name: Win32.Trojan.ClipBanker
Status: Malicious
First seen: 2021-12-14 04:03:44 UTC
File Type: PE (Exe)
Extracted files: 344
AV detection: 29 of 45 (64.44%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:socelars family:vidar botnet:03.12_build_3 botnet:915 aspackv2 infostealer stealer suricata
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://www.yarchworkshop.com/
https://mstdn.social/@sergeev43
https://koyu.space/@sergeev45
45.9.20.221:15590
Unpacked files
SHA256 hash:
3f4aae06ce3806593350fe173716b397feb1701278e44c8dc6dab9fbae96d200
MD5 hash:
fc4a1a7f3a0da84f48cb6332de5c60bc
SHA1 hash:
f73fadedd9bd6486e5e63ea77a23408e7751b85c
SHA256 hash:
55780f64e283363b69d13f729e7b90a58a4d1526783d385574e3dfca8fa6c1c2
MD5 hash:
ae18376bc80cab006aca515d3c4d01d0
SHA1 hash:
e8892b17436d19f39f009bb704b0388788c4893a
SHA256 hash:
458aa4a5b8dcd292a5e07b404d60600b2f855786f9e78ea791ecabfc4644ec92
MD5 hash:
77478a9f5e0dd922a1d18c99824df4a1
SHA1 hash:
70d79fc395da3e5eac1cc2205bccbe6ffed1d052
SHA256 hash:
3d966268571cf0a83f327df99ffd7441ffe65ad098f1db2fff8dd6a5d5233796
MD5 hash:
541501763132091ca1571883622b2c81
SHA1 hash:
17f0073da00f8511abc7b4dd5d018f043c0c5489
SHA256 hash:
cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash:
ded1c6e8c89148495fc19734e47b664d
SHA1 hash:
3a444aeacd154f8d66bca8a98615765c25eb3d41
SHA256 hash:
9dac78cf97a753e813b02cb654f076cdea03155bc9a98ed64ec248729ead52ec
MD5 hash:
29fa5c5ade39d4ae5a0f564949278923
SHA1 hash:
376051004220051779d97fcb44065a8724de370b
SHA256 hash:
d226a75abbe728580fca776637dafbe09e439504c1fe0b134481db0aee98ea92
MD5 hash:
15719c29e2fd9e8eb9c02ae51df0672e
SHA1 hash:
aaa5dbc932e943dad1ad6c757de6b153149e894b
SHA256 hash:
a9ce388d6bf8993725554fd178640ac10d8a194194f4f09b31e0465b83a975b0
MD5 hash:
33b0faae2f9635e7650cde45e82a12ba
SHA1 hash:
0acbfbbf81760a70b05f617717eee9ff4b4aacdc
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
2a93372deb6f0605f375845720380f866fe0eecea899ca0c06c70cfa64cc4a93
MD5 hash:
75108a95a87c842b5df4a556be360458
SHA1 hash:
7aa74a8ba315480f32454df3a19c96684b726c6c
SHA256 hash:
3bb55b0de90de0cc651dba71c869675c4fb5cfd1b9b21bd4957f1680f7506f06
MD5 hash:
f9d056f1d085e83a64c8ef2ba5f3be52
SHA1 hash:
bf04d73f991d0e45d459a5341593524e4e498801
SHA256 hash:
b19104b568ca3ddccc2a8d3d10ecddb1ea240171e798dc3a486292cfa14b6365
MD5 hash:
7b0900da932f4ed9630d65b04422736d
SHA1 hash:
6fa340436e3a8e73ae2b3e911f861483183c68ef
SHA256 hash:
4e3c72337ad6ede0f71934734ba639a39949c003d7943cb946ea4173b23fd0b7
MD5 hash:
88c2669e0bd058696300a9e233961b93
SHA1 hash:
fdbdc7399faa62ef2d811053a5053cd5d543a24b
SHA256 hash:
1c1e8e4acd054885319a9039c0887527e19100816731da744c930e366602cef3
MD5 hash:
ab42125c5d10be20037ac015033a9d72
SHA1 hash:
dde0b589588afb89c34ae6905231e846be42146e
SHA256 hash:
eedc6ea4c8ac8e8bc5b174271cbdbca451ae28b1b9fca988c3ea0b92cc9a33bb
MD5 hash:
e1052cd1d7a27c3a6088c12ccc4b14f4
SHA1 hash:
d575240875e1a86cea96f7f2c1862c8f7a39ca27
SHA256 hash:
ee2cc85a8e1972a29ce67ab0218d5daa8fc9b67f36111c71eccaf6da05219d19
MD5 hash:
f6271f82a952f96ba9271a4a27c9f22f
SHA1 hash:
d12708b9e39a0cd06add96316b65f1668d6a1246
SHA256 hash:
1fb1e11869be1863b098b325d18481600960b4fe7f3d8c4d23d3144f7c8b5717
MD5 hash:
52c5877c9babd7bf57ab41ed48d1067e
SHA1 hash:
c821a1b5f90eb750c33c52b30b8239bc605b7daf
SHA256 hash:
456e42a84b981f6234df792e4a3a351b579b8e5b88eaf81d390b2888e6a7df5c
MD5 hash:
f3ace4b03ffc5a2cb5c5b36f5f7d8f39
SHA1 hash:
79b054ecfe9b1f60af662807f7bd846d1283235e
SHA256 hash:
53a13d9b85c62c225f80677e7e84f0e4b3980c0695a7606212176326f2ee72e0
MD5 hash:
ba4548a88c431f3b9e3777e165a62f60
SHA1 hash:
412ca7d19a5bbc44fe0382a59f1bbae0eb1be44d
SHA256 hash:
8a4e7c07be9a87bb29c4f3d680fdb5669c1e9034a50d615c438ae9c059ed3306
MD5 hash:
450fa1d607290cd0884ffe9357b1ed76
SHA1 hash:
2ef8d557014bb41445820ff872ce00584c15c8f4
SHA256 hash:
cbbd785de2eb115520aafdf0baa042f47edb53c08600bad4fb6513db5f1da35e
MD5 hash:
b8b62e6bac7dbeaf9a8781be17f572b8
SHA1 hash:
28b17787ce856f37b02744abfd54d4afd82e6f30
SHA256 hash:
6653473b69c787bc1c4ddcbff24cae1f8b27c4c900fb51c7fb612f3ecc8e7b36
MD5 hash:
5c630c9f808e04b6d5139b6e29fe052b
SHA1 hash:
1e8ad5205b04b86d9036d2208a467b725541175f
SHA256 hash:
d4b0c4f66166cf83625ececbca9a864a68cde0b8ffc0a22b4a7a9aa87807ea87
MD5 hash:
527ef700de0364ffb08678cc5bce583a
SHA1 hash:
17852bd91d182b5277cce675431ed9ab55ca2c94
SHA256 hash:
af00e11faf3e4fdfeedfe2057f0d32a77bcf854249bba25d73c284560a0db48b
MD5 hash:
b0bb3b14f1edaa1e98689cc807d53a87
SHA1 hash:
15598f6274fd347c76985fc0aa2b6dbe77beab83
SHA256 hash:
827662fdefbbb3155e3875d01ee4cf8a716ca35b8b2a0654862243d0dc45b85d
MD5 hash:
c0b3178387755f5e58e1f5e2e663572c
SHA1 hash:
1041d8bb7a385b54a7c56a8e248f0d40300e2a92
SHA256 hash:
589ec88d8c75c6247183114d817cc7559afdca01522f4802134fb33f7f3ec515
MD5 hash:
cb021068c99f999a307c84627c1a1ca8
SHA1 hash:
100cdd3cd13f3a52887a23cccd521898138d562a
SHA256 hash:
93d9ce6291eb10f727da27c487816b29fcba1b907d252f94d11ea0c3a99175fa
MD5 hash:
c7fc3bcb573b112eca27af5ef7192cce
SHA1 hash:
e43a907bdaced88d3c4444844e72d2381e9f1ad7
SHA256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
SHA256 hash:
fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b
MD5 hash:
a6865d7dffcc927d975be63b76147e20
SHA1 hash:
28e7edab84163cc2d0c864820bef89bae6f56bf8
SHA256 hash:
63525b0c1ef894632109c3169876b9e2ce728e38ed7f7c574021d5261d56e502
MD5 hash:
ff9b14f4f607a81117cc58916332262e
SHA1 hash:
aed4fe230075f2a067e4ac61fac117aaeb5ef6f9
SHA256 hash:
e9c20c14125231568600bc83d093fb29cdce3df11e5b479762aa89a872452081
MD5 hash:
9fd3bb1dae8d76f7a9d0b5480a291eaf
SHA1 hash:
6eee1935fedff1dfbabc973d5a4ef1aebdef2d1c
SHA256 hash:
a9df7036047c318badf4f53fc7c6e3186a5214a3ce21ba9c717ae9438daadca8
MD5 hash:
9d59e5a55efb4423cff2c52a02b0d39b
SHA1 hash:
d35a59e50d9e66d3850f540dc30877567bf6da3d
SHA256 hash:
9125b47332cae5bbb30b35a514a902d8177fff44e048ba75a4ad450e87e15c95
MD5 hash:
b8caaf7d487daf98ef8f50f5984e241d
SHA1 hash:
e0a11ddcc2552521bda535a3d1123908d34ae9c5
SHA256 hash:
6a2c57bb6c07cb8777b0bc1140c7b949cafd97ce65aa7e92ffea0303d6e93d3b
MD5 hash:
f1edf529b0cc45952fb3f9a1d7e67ece
SHA1 hash:
9863df1c5f619b2e764ce00564deda98fda0d833
SHA256 hash:
bfbd09251f6d647b80151ae32df0a9f874e5e6127596105f3ed2e4e5480c8c12
MD5 hash:
af77b12aaeb226c5dc00f5034e5535b7
SHA1 hash:
cb68cdc83e325908fb1b425dab2fe43bbcd40aa1
SHA256 hash:
079dd93a293a5623486b278ab25a94edbb82122c540712b50443c0a09e409562
MD5 hash:
0d2bee38eaa7c7823fc272e83517cb1d
SHA1 hash:
7974b5aa7be2dd2b3c40d538f53e9665040247ee
SHA256 hash:
7b0656ead714950d904899059418e38220e38cb94e8cf0fca11373d9a2256ed2
MD5 hash:
f18be6c92ae91792bd40076a01fa667e
SHA1 hash:
8936377e3e01d0b24aedc6a6929ac3bb144154c7
SHA256 hash:
665d4b7c4bec54b430a47f22608d377f3a96775cf5edfee297265e385461266e
MD5 hash:
ab30bb947e01c244a019178e7f3c91f1
SHA1 hash:
53a269707333b61b5729f6a69a64658463a9404c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments