MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lucifer


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58
SHA3-384 hash: f42e34b4c5feb4c23fa424c46506f0738492037343928d096fc7427d09651b091dcf4c87b7c5922aa74dd5792e776f65
SHA1 hash: 40a258430ebe9297db33a248566a89e163286f3c
MD5 hash: 37048e548f18aba300bafd7822296928
humanhash: three-speaker-bacon-illinois
File name:ApexHackOctober_960652479.exe
Download: download sample
Signature Lucifer
Create hunting rule
File size:115'920 bytes
First seen:2021-10-09 14:23:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:4FHdbTaUxSClJgXZhIHqlHrJRIDbMuL63gFvyTFdAnYPrzGEiZRC7U:4ZdqWSCUZhI0+q3g1ypCuHBkRC7U
TLSH T166B34A5963DC8B29E2BD0F74B8B0522547F0F0C77812EB4E9FC564DE1E227809919AF2
Reporter Anonymous
Tags:exe Lucifer

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ApexHackOctober_960652479.exe
Verdict:
Malicious activity
Analysis date:
2021-10-09 14:24:04 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/13ac4076-b1bb-41c5-96dc-5694f1964bba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196302/
Detection(s):
Win.Packed.Generickdz-9885340-0
Create hunting rule

Win.Packed.Bulz-9891195-0
Create hunting rule

Win.Packed.Filerepmalware-9900630-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a service
Creating a window
DNS request
Connecting to a non-recommended domain
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending an HTTP GET request to an infection source
Creating a file in the %temp% directory
Stealing user critical data
Connection attempt to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool obfuscated overlay packed stealer
Link:
https://www.filescan.io/uploads/6161a6047b67fa0cf5174bbd/reports/9ec44bb1-1c70-412b-8044-3480bc1277c1/overview
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-09 14:24:09 UTC
AV detection:
22 of 45 (48.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m556vhtrvi5fn7tcuicyb2yhqzbrur4jzm2au4uu5msdavazdrma._file
Verdict:
malicious
Similar samples:
22c23de0a046b3652861d880ad53bbfca85448d0a6814d34151b1f359839dd37
Lucifer
56c26a2b13759364f9cc066e2d876bcca463ea1c699b0fe63774686922029f72
Lucifer
63301a39b93b63acab80e0a05b909f733d792c7ae829a0a207d2fa2e1498158f
Lucifer
6ba57cb21a12212bb988ccfc64bfadb07bc25b332905f3db1b84665c3a5ca5ce
Lucifer
9d88e62b7da45ea1be4c02dec30b6a31b53d42c31d1785f4a992e55c0147d825
Lucifer
cbc3b5b5bb5bb659f000bf19de99582e19df5f5fbd721e0951d2d2fa93780808
Lucifer
e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac
Lucifer
ea5236788c97196a492eb29449a57951e3df07b3d432f85fd23e511cfd02a58d
Lucifer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@esaymane discovery spyware stealer
Link:
https://tria.ge/reports/211009-rqptcafca7/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Malware Config
C2 Extraction:
91.142.79.218:26878
Unpacked files
SH256 hash:
677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58
MD5 hash:
37048e548f18aba300bafd7822296928
SHA1 hash:
40a258430ebe9297db33a248566a89e163286f3c
Link:
https://www.unpac.me/results/fbaf53e2-005f-4906-8e71-508e044fc325/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/677bea9e71aa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Lucifer

Executable exe 677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196302/

Comments