MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66bf743babad7405d2426b25bf8d1bb493f6d9048b55ede138d36a3b8a2f9c8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 17



SHA256 hash: 66bf743babad7405d2426b25bf8d1bb493f6d9048b55ede138d36a3b8a2f9c8e
SHA3-384 hash: a07d5b2ebd6cab5f4a79f49bc694a51ed5f4d0dfd3a775946ea51bcb31e0ebee4809ae033946ea499cc34c83e7f46218
SHA1 hash: be94751be419c65f9ce010bc07c94817bd30a21d
MD5 hash: 9334e72e31a668edc2c2176f609f6f28
humanhash: triple-fifteen-jig-august
File name: 66BF743BABAD7405D2426B25BF8D1BB493F6D9048B55E.exe
Signature: CoinMiner
File size: 6'312'549 bytes
First seen: 2023-02-25 02:50:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JxiveVzaKs6r5oQnghmYsjoay8W8PdrAmDe8cBe2AyD:Jxivo2KshQ6sjNWoOmDAe2L
Threatray: 619 similar samples on MalwareBazaar
TLSH: T13356338914D1632BFE117EFBC4B4B923D58DBC3396B8E719C368F99E808D4528C25D82
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: CoinMiner exe


abuse_ch
CoinMiner C2:
193.233.20.23:4124

Intelligence


File Origin
# of uploads:
1
# of downloads:
276
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
66BF743BABAD7405D2426B25BF8D1BB493F6D9048B55E.exe
Verdict:
Malicious activity
Analysis date:
2023-02-25 02:55:04 UTC
Tags:
trojan evasion redline loader smoke opendir socelars stealer rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
mokes overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copy itself to suspicious location via type command
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Yara detected Generic Downloader
Yara detected onlyLogger
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 815012
Sample: 66BF743BABAD7405D2426B25BF8...
Startdate: 25/02/2023
Architecture: WINDOWS
Score: 100

Root-level network indicators: t.gogamec.com; bbc-s.news (Tries to resolve many domain names, but no domain seems valid); 3 other IPs or domains
Root-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 22 other signatures

Process tree (graph node IDs in parentheses):
66BF743BABAD7405D2426B25BF8D1BB493F6D9048B55E.exe (13), started
  dropped: C:\Users\user\AppData\...\setup_installer.exe, PE32
  setup_installer.exe (16), started
    dropped: C:\Users\user\AppData\...\setup_install.exe, PE32; C:\Users\user\AppData\...\libwinpthread-1.dll, PE32; C:\Users\user\AppData\...\libstdc++-6.dll, PE32; 18 other files (17 malicious)
    signatures: Multi AV Scanner detection for dropped file
    setup_install.exe (20), started
      signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
      cmd.exe (23), started
        Wed1839f5454177cab.exe (32), started
          network: 212.193.30.115 (ports 49729, 49735, 49738) SPD-NETTR Russian Federation; 21 other IPs or domains
          dropped: C:\Users\...\qzlBBbafWMgEJgc8LAssx5uW.exe, PE32; 22 other malicious files
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Disable Windows Defender real time protection (registry)
          WerFault.exe (51), started
      cmd.exe (25), started
        Wed18dabbe7d91a64d9.exe (37), started
          network: 87.240.132.67 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 3 other IPs or domains
          dropped: C:\Users\...\tXRTNU6UY5Zhu1ZuyNKPhUVb.exe, PE32; C:\Users\...\t5GSDEsVNxbuEngRayFdiNPT.exe, PE32; C:\Users\...\oBoEkBttIuTdt2v0FvlZN2n3.exe, PE32+; 20 other malicious files
          signatures: 2 other signatures
      cmd.exe (27), started
        Wed18711b9c49.exe (39), started
          dropped: C:\Users\user\AppData\...\Wed18711b9c49.tmp, PE32
          signatures: Obfuscated command line found
          Wed18711b9c49.tmp (53), started
            dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32
            Wed18711b9c49.exe (71), started
              dropped: C:\Users\user\AppData\...\Wed18711b9c49.tmp, PE32
              signatures: Obfuscated command line found
              Wed18711b9c49.tmp (83), started
                network: hh3valve.com
                dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32
        Conhost.exe (41), started
      15 other processes (29)
        signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
        Wed18d17cc3396225c37.exe (43), started
          signatures: Detected unpacking (changes PE section rights); 4 other signatures
          explorer.exe (56), injected
        Wed1832310966dde7a43.exe (45), started
          dropped: C:\Users\user\...\Wed1832310966dde7a43.tmp, PE32
          signatures: Machine Learning detection for dropped file
          Wed1832310966dde7a43.tmp (58), started
            network: hydro-power-plant.com (Tries to resolve many domain names, but no domain seems valid); fouratlinks.com
            dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32; C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        Wed1837ebe3e6755.exe (47), started
          signatures: Detected unpacking (overwrites its own PE header)
          cmd.exe (61), started
            conhost.exe (75), started
            taskkill.exe (77), started
        11 other processes (49)
          network: s.lletlee.com; buy-fantasy-gxmes.com.sg (Tries to resolve many domain names, but no domain seems valid); 9 other IPs or domains
          dropped: C:\Users\user\...\Wed18988b7f17dd6a0.exe, PE32
          signatures: Drops PE files to the document folder of the user; Injects a PE file into a foreign processes
          mshta.exe (63), started
            cmd.exe (79), started
              dropped: C:\Users\user\AppData\...\LDR7C~XSQ02NQo.Exe, PE32
              LDR7C~XSQ02NQo.Exe (87), started
                signatures: Multi AV Scanner detection for dropped file
              conhost.exe (90), started
          Wed1803909a2bcd6.exe (65), started
            network: t.gogamec.com
            conhost.exe (81), started
          WerFault.exe (67), started
          2 other processes (69)
Threat name:
Win32.Trojan.Redlinestealer
Status:
Malicious
First seen:
2021-11-11 08:21:34 UTC
File Type:
PE (Exe)
Extracted files:
1169
AV detection:
29 of 39 (74.36%)
Threat level:
5/5
Result
Malware family:
socelars
Score:
10/10
Tags:
family:ffdroider family:gcleaner family:nullmixer family:privateloader family:redline family:smokeloader family:socelars botnet:media10new botnet:user2020 aspackv2 backdoor discovery dropper evasion infostealer loader main spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects Smokeloader packer
FFDroider
FFDroider payload
GCleaner
Modifies Windows Defender Real-time Protection settings
NullMixer
PrivateLoader
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Malware Config
C2 Extraction:
http://www.hhgenice.top/
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
http://111.90.158.95
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
91.121.67.60:51630
135.181.129.119:4805
Unpacked files
SH256 hash:
bdc74786060f0a732fd1c8d55fb99793809ff761128d30e79a12ebc6f36019ba
MD5 hash:
353c82753258006f2043d66ef146e564
SHA1 hash:
727d9ab05e66e6028e54de4ad68866db2ae232bc
SH256 hash:
59663ba76aa00e899459c7f9ac6c9262f7c8f9712a721876779364b6e9ff93dd
MD5 hash:
b5d1faf87efbfc213a80b67c5103b6d0
SHA1 hash:
ca644cf195715d65393632a85a5a6d4d2dd0b9b5
SH256 hash:
382dc91dfdf466b6335b4c1c51ac8166cdb7b0a1b1f89c38579f04aafbf54e6c
MD5 hash:
19bfee1e23f5ce8adb83a0fee1eb6489
SHA1 hash:
c0e955dc5bd431669ffa0aa85adfd490c957138d
Detections:
SmokeLoaderStage2 win_smokeloader_a2
SH256 hash:
6913298bde42ae02ef0bd7fceadf28023989c64233c3db30d9552c20820608fe
MD5 hash:
5afbe455f740c4e392041afeb0a33a44
SHA1 hash:
7f137eef259df6bfdb2df3ae8f1e078b02e1d93f
SH256 hash:
a68d2b28b00f342adcb4296ca9ad7d37cbfd5691c59f6c82e4fd7cb8ef5cc5a0
MD5 hash:
3f27eb8eb9881078d385d05018506812
SHA1 hash:
ea8c651a43125dfe68f41e425691d712b67eb3d8
SH256 hash:
d3230298aa28015b880e597312e46133b39c7f72c119585438e3d002c2e535ac
MD5 hash:
8808c7c41cbfd6167a0f05917ffc8025
SHA1 hash:
e477b68445d8e101d73934117d6047c6e6416691
SH256 hash:
0de950ae15038176eddeba44f1158e34aa7590d61b206abe41f119ae1b6dc115
MD5 hash:
3388eb0a3c3cadae6283ac463c8bbdf2
SHA1 hash:
d2b9e50732fa37c1ae166d17ba3225755526d4f8
SH256 hash:
544e67e044dafbf651dc08606d63ab2718024c986ab7e0e403246a1e3f32eb87
MD5 hash:
c084fd0820b600f3617d8d91e03fc88b
SHA1 hash:
ba1bdcd94e02b887d0911e5604ce0c8d13c026af
SH256 hash:
77d393187d64b3d1d927523df25a3548dce1d7267bdba4595eb12044311ccaf9
MD5 hash:
4b48a34ce40240198fb2628c07a967cf
SHA1 hash:
b9c8bdd045842677915119996f519e6b37359a30
SH256 hash:
adb37a696393f9dadc58116a3f2dd47c63de63cf22d3a4edc78fc4b6a2ece172
MD5 hash:
c0eca408098ef557984d69cb507a2224
SHA1 hash:
b91a565cbb0a110182e7a386051f04d2c1e3aa2a
SH256 hash:
5548e1f4e6b53be90d5a4bc7097885c81cf4f1e8c4c7a4ad5b37582b97f6409b
MD5 hash:
44c81ddc487c16c9c40390755cd07162
SHA1 hash:
a5777816017ba474848a1aef088c8dddd776b354
SH256 hash:
28f03315f154309efa8f65aaa8ea0f099310105d62c10ce31ca7577651905078
MD5 hash:
22f1ad66ca6758438cbea6305211e7a7
SHA1 hash:
a27c725d065cbd0f086a71da99349804f7af1a4c
SH256 hash:
fdd2c02584358e78caeb1f59756a97249d64f3d5592275bd2460274efb07db71
MD5 hash:
63a145017bac482a5da12e6536ddae9c
SHA1 hash:
26867206d09e73960a2803984763e1c62279b114
SH256 hash:
2a1dbc4a98393d80c3debb5436c33bf8b839f3c2d92734faeae01d23802b7a7c
MD5 hash:
01b7273b9154e458ec68409124b02020
SHA1 hash:
261ba809f2b3349750dfa72f7bfa6a3bab530f9b
Detections:
win_ffdroider_w0
SH256 hash:
1e41101b908c746c4821c95c108021841efea63a203c1c32b54cb5f1a21b5caf
MD5 hash:
93b9f91ae3c8ee0dba0223602693ac7a
SHA1 hash:
1590240f1a4193498065154aa25d3d83234f0141
SH256 hash:
3a88b45fe0801a5420cbbcd6c187dbbc8a0ba5037c7dcb0fdd8a922ef24fe3a9
MD5 hash:
25530d1a36b471c7be96237eb7c76f2b
SHA1 hash:
0c3750255177e3524be89878f4e2395bd9c51272
Detections:
Socelars
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SH256 hash:
18c5c91d5f256c8c1e24936dbee5fd7fa6b7b91a5464cbefdc1a36b6dfed27be
MD5 hash:
e49f343a65b938acd1b6d91601240b81
SHA1 hash:
dffa8a42250c65ea9b6b05e627805438e01191af
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
SH256 hash:
c80da5fffcff3fb6d47595d15972213d2e86158f522bcba7d8bf477b913df027
MD5 hash:
2144d7eaa60d909f9df2a484d269a1ec
SHA1 hash:
9cf197c54e869b09451f8b569f20f124df534aa2
SH256 hash:
ecab5fbb498bcd3f7063b1e5c4900b506a616e6c22eecb8d3af5854b20ef1042
MD5 hash:
27c242f7cf6a795f661bbdb9df22576b
SHA1 hash:
9748770ebf6dec03423e13b835fb84cd72c2db96
Detections:
win_ffdroider_w0
SH256 hash:
6a496f41c1eb80466c2dac80ab4262ec3f76941cce67ac804d8fc16b88c3ee08
MD5 hash:
9d27c1c5292668a29b976c67495536e5
SHA1 hash:
edd0dafd630fd893e3e3c674efa19d75b1ad7d03
Detections:
Socelars
SH256 hash:
de5ad1ef20da7bd871d15e116bde8cb2510993c618cf00a0e4fbf5d5e077eb9f
MD5 hash:
66b9c3253788817c44a6aa299124309c
SHA1 hash:
b51f809386684ec326d65b7540ee86f033afdd15
SH256 hash:
a429412fe8f44b015a6309732e87b19ccea31cf0d4f0449f813da5dc03072e08
MD5 hash:
abd66f20b09466eaab4a4130d7e24c83
SHA1 hash:
411e42523ffa56cdd5713d865256d4921e7d8f9d
Detections:
PrivateLoader win_privateloader_w0
SH256 hash:
5ee7dfc750269add3c29cd9bcec30b04de6e7c66d6571c0c955755ec4995457b
MD5 hash:
f15e5063555ad706f0cf824d09e8a1fa
SHA1 hash:
504e1ce93efd6bca3e3acdd4b0ff3b961aa34ebc
SH256 hash:
66bf743babad7405d2426b25bf8d1bb493f6d9048b55ede138d36a3b8a2f9c8e
MD5 hash:
9334e72e31a668edc2c2176f609f6f28
SHA1 hash:
be94751be419c65f9ce010bc07c94817bd30a21d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Windows_Trojan_RedLineStealer_3d9371fd
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments