MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e004cb6c3f1c0338a20692c375de17324c45e5176e80c6602ae2b1bed2bd4c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 3 YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e004cb6c3f1c0338a20692c375de17324c45e5176e80c6602ae2b1bed2bd4c8
SHA3-384 hash: 489b73b1e20d3dec4bfde51c95fcbbbe37a976bcb9b1fff34137a8df8d4fb52c489d0ab69319338641d613a0d3a655d6
SHA1 hash: 9f1146417212b81fea1f3eb0721ce041c29efdcf
MD5 hash: 693bf3d41da0c334bcaa15c935f5a4ca
humanhash: golf-blossom-bulldog-fish
File name:6E004CB6C3F1C0338A20692C375DE17324C45E5176E80.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:16'607'274 bytes
First seen:2022-03-28 02:16:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 393216:JcktPuChdo3vjd4kfk3uX+cWArbLttByE:JcktmC03rd4yFWcLttME
Threatray 10'888 similar samples on MalwareBazaar
TLSH T13CF6330898368476E6F8C5371FEA8982237355A60149BD3917887F6B1F4078AF47F9E3
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.106.191.177:34450

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.177:34450 https://threatfox.abuse.ch/ioc/456498/
45.142.214.245:48570 https://threatfox.abuse.ch/ioc/456499/
45.9.88.246:22191 https://threatfox.abuse.ch/ioc/456500/

Intelligence

File Origin
# of uploads :
1
# of downloads :
490
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Tiny-9901377-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62411a9f9253b276b78a8a70/reports/7bff0188-cda3-4c9a-8c96-a673e930756a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Deyma
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60f97763-893d-40c7-a90e-b13bf5aa3413
Result
Threat name:
Amadey Raccoon RedLine SmokeLoader Socel
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965457
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Disables Windows Defender (via service or powershell)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS TXT record lookups
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade debugger and weak emulator (self modifying code)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected onlyLogger
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 597938 Sample: 6E004CB6C3F1C0338A20692C375... Startdate: 28/03/2022 Architecture: WINDOWS Score: 100 61 www.hdkapx.com 2->61 63 topniemannpickshop.cc 2->63 65 27 other IPs or domains 2->65 97 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->97 99 Multi AV Scanner detection for domain / URL 2->99 101 Malicious sample detected (through community Yara rule) 2->101 107 28 other signatures 2->107 10 6E004CB6C3F1C0338A20692C375DE17324C45E5176E80.exe 10 2->10         started        13 svchost.exe 1 2->13         started        15 svchost.exe 1 2->15         started        signatures3 103 Performs DNS TXT record lookups 61->103 105 Tries to resolve many domain names, but no domain seems valid 63->105 process4 file5 57 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->57 dropped 17 setup_installer.exe 29 10->17         started        process6 file7 49 C:\Users\user\AppData\...\setup_install.exe, PE32 17->49 dropped 51 C:\Users\user\AppData\...\Fri00fbae6d4c.exe, PE32 17->51 dropped 53 C:\Users\user\AppData\...\Fri00e78130dde.exe, PE32 17->53 dropped 55 24 other files (19 malicious) 17->55 dropped 20 setup_install.exe 1 17->20         started        process8 signatures9 109 Adds a directory exclusion to Windows Defender 20->109 111 Disables Windows Defender (via service or powershell) 20->111 23 cmd.exe 20->23         started        25 cmd.exe 20->25         started        27 cmd.exe 20->27         started        29 6 other processes 20->29 process10 signatures11 32 Fri00356e940953.exe 23->32         started        35 Fri0011e557e6.exe 25->35         started        38 Fri003cde0cb344.exe 27->38         started        113 Adds a directory exclusion to Windows Defender 29->113 115 Disables Windows Defender (via service or powershell) 29->115 40 Fri00457b6235c6213b.exe 29->40         started        42 Fri005785f1070c.exe 29->42         started        45 powershell.exe 26 29->45         started        47 powershell.exe 24 29->47         started        process12 dnsIp13 75 Antivirus detection for dropped file 32->75 77 Multi AV Scanner detection for dropped file 32->77 79 Machine Learning detection for dropped file 32->79 81 Sample uses process hollowing technique 32->81 67 iplogger.org 148.251.234.83, 443, 49782, 49794 HETZNER-ASDE Germany 35->67 69 www.listincode.com 35->69 83 May check the online IP address of the machine 35->83 85 Writes to foreign memory regions 38->85 87 Allocates memory in foreign processes 38->87 89 Injects a PE file into a foreign processes 38->89 71 212.193.30.45, 49784, 80 SPD-NETTR Russian Federation 40->71 73 pastebin.com 104.23.99.190, 443, 49785 CLOUDFLARENETUS United States 40->73 91 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 40->91 59 C:\Users\user\AppData\...\Fri005785f1070c.tmp, PE32 42->59 dropped 93 Obfuscated command line found 42->93 file14 95 Tries to resolve many domain names, but no domain seems valid 67->95 signatures15
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6e004cb6c3f1c0338a20692c375de17324c45e5176e80c6602ae2b1bed2bd4c8/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-27 01:53:00 UTC
File Type:
PE (Exe)
Extracted files:
376
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nyaeznwd6hadhcranewdoxpbomsmixsro3uayzqcvyvrx3jl2tea._file
Verdict:
malicious
Similar samples:
1c57e67bf823c9c15d3afb19746746df06a218fb70816a26b150efb072660d6d
RedLineStealer
2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7
RedLineStealer
6104f2b4049168fea236bb6a5b9a5194b878b61f87336eafb0fe5a5fab93144b
RedLineStealer
67e030c1c7dd08138eb1d6a12a4d652c4a304f22db556afce411c32a23bddf23
RedLineStealer
70e14ddf23a5fe3d69cc50752fcc491aa2964a2cfee3d48caf182244929f9953
RedLineStealer
819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0
RedLineStealer
b2e7eea64a4e8e56b43cf70b5b383ce06b0d43757d143a95b31ea9c8db6ac5a2
RedLineStealer
+ 10'878 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:onlylogger family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:915 botnet:@tui botnet:e01406cf9a804c70b4a66c9ff45ad42151469416 botnet:media3test2 botnet:user1 aspackv2 backdoor discovery evasion infostealer loader spyware stealer suricata trojan
Link:
https://tria.ge/reports/220328-cqpq1sbhej/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NirSoft WebBrowserPassView
Nirsoft
OnlyLogger Payload
Vidar Stealer
Amadey
Modifies Windows Defender Real-time Protection settings
OnlyLogger
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com)
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://www.wgqpw.com/
193.106.191.253:4752
https://qoto.org/@mniami
https://noc.social/@menaomi
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
185.215.113.44:23759
185.215.113.35/d2VxjasuwS/index.php
23.88.118.113:23817
65.108.69.168:16278
Unpacked files
SH256 hash:
d1c351cb812296eb57229d7457642a58245e17f5f80bdc1731c31e245ed23558
MD5 hash:
071f0adc2721cfd1472868a572a52050
SHA1 hash:
daff31cdaf918c7685f0b4ff828211bdd7364589
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
Parent samples :
e15eca7be72dec23df207af8366166fdd6e4bc2b878477c5aaaba5e2a9b4330d
22ebb950592ccc987fd1dab9ddcd34c4fc519975dc1b82e4a793dc038d2d8e41
3637e86adb20ccee0c96ac838cbba3f61cc1ac0e27fa04766957f7ef28825461
f7ea17d6aa49172752b69d2b1b63f8d22cf064c4f2ea2c3dc97c6b815b324cf0
89c7c028a7e7f95a3595dade72ac1f48da3c71fa3e482347a5a61a714dd57d0c
4e1a1db6d3dc39b67666d1e0304a7477fac814e1fbb7068560abc5eab2168c20
e88ecbbe677d8cfb97ba9a42db6f8b038aa96526b283b9de8635a80dd25790dd
a048547702aaf89637813c4cdc925cf25ab7a3710bfc95f21046be931c1cae63
fd21e7dddc8ed426971983f819be29e6fa123dcdfb19d87fbbbffa12c147188e
74bb6b2e6e0fb719237cb58c1ed17a91032ff3c8a3c11da92011b8e0ba5a1179
523c3d9d49ff39f7f97331e9d89c18053ab85c80f2ead0b505cc7e27e7aa2fcd
738bc607c1a64d1867103f3f4b6558c89401c539c34422d1e7a20fe634828cea
6e004cb6c3f1c0338a20692c375de17324c45e5176e80c6602ae2b1bed2bd4c8
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
e26cd1170fb13d18cbcbb26930097f0b9acdcb8093322417b5901ad1429b44f5
MD5 hash:
f8a7d3cc817853a21d1b6312d02aaa6e
SHA1 hash:
ba3aaba94d6c52962cf86b55204d71bfb36541be
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
6ecaba189f108ba0dc83214fa41e43307fdc79147717f2ac68cd832181db9666
MD5 hash:
70768beb1a282fc79ecf19a0a73286f5
SHA1 hash:
e40e4b259715e740c83e3cc27a5654ea3c7bfa37
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
fef7035989f56b8ab573adb9d3d91363668af7b0b71d4cb44d52f941fde3ad4f
MD5 hash:
b712d9cd25656a5f61990a394dc71c8e
SHA1 hash:
f981a7bb6085d3b893e140e85f7df96291683dd6
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
ee2cc85a8e1972a29ce67ab0218d5daa8fc9b67f36111c71eccaf6da05219d19
MD5 hash:
f6271f82a952f96ba9271a4a27c9f22f
SHA1 hash:
d12708b9e39a0cd06add96316b65f1668d6a1246
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
451c693481de62b1a2768050df0e7aba4d7eaa2c70ef924ccc5992f947d27b70
MD5 hash:
2fa2b1760a549b8a8988fbf66c0204ab
SHA1 hash:
cf0a32127dd6d688fbebd56f6c2b672455b5683d
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
5f475583b79255e1a3ad31cefa252d61e3dc4329f6b63d814e636c43325fc217
MD5 hash:
d3b20d66718847ad378a509f307c8a7f
SHA1 hash:
93c047886f106fd9347fd50d56bf7220105b8576
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
a4e799c5b5d4b1a1c77f54a913e392e1c47c402cfc4436254c5fa4b8193420a2
MD5 hash:
e55d4e3519906d3f9d210a626db06117
SHA1 hash:
811ed649fbb04cf170ae24274e004db1078e555f
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
959b9d59fd8370bc9131e073d3cec7ea3e5668c7b094d3b3b3f933ca641ffef7
MD5 hash:
0119986453697a841a9f797839f314a9
SHA1 hash:
79b73626b304a1fb3f406db6125bac37a252f9a4
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
85e85c179f835d3c8ffc30baca4b416dc609784da2dce9e1be30654a6d56c1cb
MD5 hash:
5996df3c339fc9982200197352da1e04
SHA1 hash:
751affb48135c2381c2d88b2f7d836d79ed603a8
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
47778010f16d3579fb8ac7b2a5989a098517edebaa2f2b7450db4699e3f87bfc
MD5 hash:
87762fa5618928431a5aa01bc644f214
SHA1 hash:
56dbac18291a828c2c7d71b5ef9692a7ab732f0f
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
5c83411b40f3426cd9982db10cfb28df17b73c73852490a14ee28258735ae814
MD5 hash:
29cac5a022b0b814e684d0d1fb16ef7f
SHA1 hash:
4b9f2d30030eae606dcb13ae88b6f409f618754d
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
1662ef5fc4f91d7f3db6e36e70c1c89983ecea17e3058f560c23705e5586013d
MD5 hash:
47eba3836ecc2bcc02a26764eaf8c068
SHA1 hash:
45ca4457caa41849383098852c761876982c07f0
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
53a13d9b85c62c225f80677e7e84f0e4b3980c0695a7606212176326f2ee72e0
MD5 hash:
ba4548a88c431f3b9e3777e165a62f60
SHA1 hash:
412ca7d19a5bbc44fe0382a59f1bbae0eb1be44d
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
9f7bbea00a8925fbbaf3e97ab3e87648a03958999ebe11d22363141ea68cd2f1
MD5 hash:
fb697208fbca0509c38067950f2b1ed9
SHA1 hash:
2723addecb06bdcdea7b477d2abbed15d976ee8b
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
2ac2f22f376075b29c0b6c787c57ce9a70ef0727bfb1617c3bfb94198bfa7640
MD5 hash:
f9c6d895abb9e1dac411cf78baeb5dfb
SHA1 hash:
16445ba3e98d44624eb922f7d28ca1b7bbcce1bd
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
fb8dc0272a15b72acb0e9e4836ef4db6b888baae8ee9c40340284cbf802f3675
MD5 hash:
87a1f1791f691c79ccfee34459131f5b
SHA1 hash:
0d3e3375456dc80a57707be394e5facb3d9537bd
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
52ec8bad10a402617417ed4f653f1de756153a73965745534bc0d426bd6ef593
MD5 hash:
17fa3c9bfa4864007d9a5149543a3b8c
SHA1 hash:
09644df6d690025ff218faa3c77ac5a1bd7c3a2c
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
a57e7427333c7b39d51b36dab8820279a03521a371ab4cb274087380f108ab9d
MD5 hash:
a13166c80eccb47b46c9d9587838349d
SHA1 hash:
004c535ead8781b8aef4a3772fe42311e1c99cc7
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash:
ded1c6e8c89148495fc19734e47b664d
SHA1 hash:
3a444aeacd154f8d66bca8a98615765c25eb3d41
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
Parent samples :
3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
SH256 hash:
a174e0d67eca3a59399994a54a44f4f2b7584f286dcf3cdb7a80f1ef83c010c6
MD5 hash:
b3b683d8cb51a926977080d7f7cf4bf5
SHA1 hash:
82eb466d03c72417f1a3f1320ccb732899af5e88
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
fee3b9b9b0c9bebc0d54f8ceafec60ebee1bf7888cb1137a20e65c803ef058b6
MD5 hash:
66ca90db08c87719a95b1e90a7261d81
SHA1 hash:
54d08feb21189350b046724e47a017852f332647
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
9c00e935a41bb1dc0b2b65ac18c0a1be05bdc555676e7eb8a830590b52e55436
MD5 hash:
e7526d8f9a8f888b75b85f9a1ebae3dc
SHA1 hash:
79ca1cbf3184302db8defa924c43295106021c7e
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
ee821f8bf24cec68cced8a322129e322a9e5a20f2d92dd2f0b0827aff4711343
MD5 hash:
5eda69604c85537ab3fbaf77da60b2cb
SHA1 hash:
5d0a8f3efa0b26f52fe36eac2583ac419b6dd11d
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
db51913dcbd74a51e46f4d8dca34ddaf44a928fd5250b34858b9d165dd68eca4
MD5 hash:
74f0d39f05f13a059791497a61471842
SHA1 hash:
f5c39e3b0429cba32f009b191d12b590378aa51e
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
4e14e671f698e738d851f333bd2379b8238450732db4674ed3a80c7916a1e808
MD5 hash:
2a83ccaa8f626a3adf1241d58b9a49aa
SHA1 hash:
09f5a9fa4b19cb278bf29098e4fb87093605cfae
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
3c139faadd34fe8173e00f3a23da28087d292f5f939143faf0b0cbb5bbbc8013
MD5 hash:
197c7ac78a4d8d6a260abb42ea131ccb
SHA1 hash:
cd258db1531af70e5da4d650ce717c8c1b81c32f
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
55d8380e111c9c769a74612922072a713611a58c8233b5289e616f292c702808
MD5 hash:
d3ecb9e5321535246f57129158cf382b
SHA1 hash:
a172528f76cec60f153981018154bbb21361bf4f
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
60906903171a55769ee5a662b3413846011b7a1b2218ca45886ba719f05cfb8e
MD5 hash:
00bedba48f19aa592b64664b092144d5
SHA1 hash:
6dd13a2480934a1a162f769e15fce0420c06d8f7
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
712c1f447eb0f0ef4e239e093a995d4d6b2b304dfb1f72c0a13829ac6936af9d
MD5 hash:
da1cadef5c3a3ec890e85cce72e11357
SHA1 hash:
ba8c3fb2ab5fd735cafa782bc2f9d776e40d0433
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
17eba5a8fc60b5e62fbbea29e971691988da98a98db3a2c2bf9aad00b1b72dc4
MD5 hash:
e74d9b73743dfbb9f025a7908c85da37
SHA1 hash:
8a5b323b090cb0d2c4ff59f0ef520d323dd86097
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
760d687cf4ac59f97cc2b977e8062bf2587f3fd639afed99277f3bdc8cbbc5de
MD5 hash:
9f77b9e71b8ada580957c2a56f4faa44
SHA1 hash:
5940e7d2c7cc1817c6283a5b2806ea3851d2c19a
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
SH256 hash:
6e004cb6c3f1c0338a20692c375de17324c45e5176e80c6602ae2b1bed2bd4c8
MD5 hash:
693bf3d41da0c334bcaa15c935f5a4ca
SHA1 hash:
9f1146417212b81fea1f3eb0721ce041c29efdcf
Link:
https://www.unpac.me/results/a4d08515-37fc-465e-9e84-87c1edd60c4f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e004cb6c3f1c0338a20692c375de17324c45e5176e80c6602ae2b1bed2bd4c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments