MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d45f102f456a95eaf31e9a1851c031e6fccbc852c8d56e1fc665aea7945579a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d45f102f456a95eaf31e9a1851c031e6fccbc852c8d56e1fc665aea7945579a
SHA3-384 hash: a19fc2c216bd065408410a590f204863df26247e3bdbdfbdeb4bca21700d197a9736da7b242d166fe8727ba7f6d1d675
SHA1 hash: 3696b0abe6c1bc95fe6e0c0c5ded20b072f3ace3
MD5 hash: ebec1eabb4b5a57b45230566adc8112f
humanhash: missouri-gee-mirror-tennessee
File name:ebec1eabb4b5a57b45230566adc8112f
Download: download sample
File size:195'584 bytes
First seen:2023-04-22 01:53:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:G382MSeuOECznzmX36AClWpeS7sk5P1qnLXT8DPf93RABjOd:G3LKzzK6ACNkR0LALxRAc
Threatray 2'626 similar samples on MalwareBazaar
TLSH T1CB148D3CF74D5E67C67D09BAA0D255508330C1A5B78FC38F9C8658F8998ABCB8D4924B
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
552
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ebec1eabb4b5a57b45230566adc8112f
Verdict:
Malicious activity
Analysis date:
2023-04-22 01:54:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1e016942-1e5a-4e2c-93d9-d84dd76f5a5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384097/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66531274.20214.22129.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed
Link:
https://www.filescan.io/uploads/64433e3a7ee5da80cfe033ab/reports/f87bde4a-9d98-4f1f-abbd-2318faa839d3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6d45f102f456a95eaf31e9a1851c031e6fccbc852c8d56e1fc665aea7945579a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ClipBanker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf144f97-8309-4345-bc6f-013f5257f2fb
Result
Threat name:
Redline Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1218982
Signature
.NET source code contains potential unpacker
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Redline Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 851928 Sample: stFES2fYib.exe Startdate: 22/04/2023 Architecture: WINDOWS Score: 96 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected Redline Clipper 2->55 57 Sigma detected: Schedule system process 2->57 59 2 other signatures 2->59 7 stFES2fYib.exe 2 2->7         started        11 svchost.exe 1 2->11         started        process3 file4 51 C:\Users\user\AppData\...\stFES2fYib.exe.log, ASCII 7->51 dropped 61 Injects a PE file into a foreign processes 7->61 13 cmd.exe 2 7->13         started        16 cmd.exe 3 7->16         started        19 cmd.exe 1 7->19         started        21 stFES2fYib.exe 2 7->21         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 23 cmd.exe 11->23         started        25 cmd.exe 1 11->25         started        27 cmd.exe 11->27         started        29 svchost.exe 2 11->29         started        signatures5 process6 file7 67 Uses schtasks.exe or at.exe to add and modify task schedules 13->67 69 Drops PE files with benign system names 13->69 31 conhost.exe 13->31         started        47 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 16->47 dropped 49 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 16->49 dropped 33 conhost.exe 16->33         started        35 conhost.exe 19->35         started        37 schtasks.exe 1 19->37         started        39 conhost.exe 23->39         started        41 schtasks.exe 1 23->41         started        43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d45f102f456a95eaf31e9a1851c031e6fccbc852c8d56e1fc665aea7945579a/
Threat name:
ByteCode-MSIL.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-04-20 17:10:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 22 (81.82%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nvc7caxuk2uv5lzr5gqykhaddzx4zpeffsgvnyp4mznou6kfk6na._file
Verdict:
malicious
Similar samples:
080e83cd88e49038773d90450837169c0e67c1adcd2c6cb529ec84ebb3f3eff5
3c5ad9f03dee528f706043dd6fb66faa6122d110e1dcd2f72f73cbaa7589c7fb
3fd045cd88e7a647586a0578f8fe90416252b87dcc2f2150d8fcb8825ee2a016
5355439e9a0c11a25ed02d0e8e326a84e1631fc7fd24662982e808179cacef6d
74a6443ca7db8a108e7b5575710258ba406f7a5ebd030944b1ecef0db790f809
7e8d18b9cb6c22b74f8d426e6b40e1a2ed7c1cb0526517b72e08a0bf7657e6ff
80201715ba93ce5c35c6fd6ac3c11bda569f5f7e473f8ae2f67f4405e4faa790
86e141f8e4c978f1a95493b07c0ee43691e049d0310723cfcf645a158ca5b5c0
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275
+ 2'616 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230422-cbjlfsbg52/
Behaviour
Creates scheduled task(s)
Suspicious behavior: SetClipboardViewer
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a
MD5 hash:
6741d00c206f685140fd9cd0957aaaa8
SHA1 hash:
8e2da1453a6001aef807661db6940b1703846890
Link:
https://www.unpac.me/results/b0760563-f731-43f5-87b8-0fa8c4dd616e/
SH256 hash:
74cdd00986e47607095d1c643935d13089fe5a4acb9bf561e3adf53d4071562f
MD5 hash:
80891560a073667abf5f67e4432d3130
SHA1 hash:
2e84143b0460478bba1d9650ea3b13b88fe76177
Link:
https://www.unpac.me/results/b0760563-f731-43f5-87b8-0fa8c4dd616e/
SH256 hash:
6d45f102f456a95eaf31e9a1851c031e6fccbc852c8d56e1fc665aea7945579a
MD5 hash:
ebec1eabb4b5a57b45230566adc8112f
SHA1 hash:
3696b0abe6c1bc95fe6e0c0c5ded20b072f3ace3
Link:
https://www.unpac.me/results/b0760563-f731-43f5-87b8-0fa8c4dd616e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d45f102f456a95eaf31e9a1851c031e6fccbc852c8d56e1fc665aea7945579a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6d45f102f456a95eaf31e9a1851c031e6fccbc852c8d56e1fc665aea7945579a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2615741/
Cape
Cape
https://www.capesandbox.com/analysis/384097/

Comments


Avatar
zbet commented on 2023-04-22 01:53:14 UTC

url : hxxps://upload-wefiles.com/svchost.exe