MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 738bc607c1a64d1867103f3f4b6558c89401c539c34422d1e7a20fe634828cea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

SHA256 hash: 738bc607c1a64d1867103f3f4b6558c89401c539c34422d1e7a20fe634828cea
SHA3-384 hash: f476e4a8ddf5ba46a2a43eb4b1ac6099b23616d1980658d1913ef2d2f6e96ba693dd73fa8f3b085895cffcdd5aa043e3
SHA1 hash: 67ccae075f8c02609030c77ce6afbe333d911a0c
MD5 hash: 926523aad05fb0df30f2a20685f705d4
humanhash: asparagus-sixteen-butter-london
File name: 738BC607C1A64D1867103F3F4B6558C89401C539C3442.exe
Signature: RedLineStealer
File size: 19'453'342 bytes
First seen: 2022-03-11 22:06:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 393216:JJ63pg66/AqFdHbhY0mopq+AVtHZ58PDUpAwaePMLKMQC/m:JJSy/AqvlHmopqV5n8NwbPMLmqm
Threatray: 6'596 similar samples on MalwareBazaar
TLSH: T1E3173351F01B201AD5A775727F6709A6F58ACA9A027DCE817D2829DB700EC3C93D8BC7
File icon (PE): PE icon
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://194.180.158.174/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://194.180.158.174/
ThreatFox reference: https://threatfox.abuse.ch/ioc/393789/

Intelligence


File Origin
# of uploads: 1
# of downloads: 245
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
Creating a window
DNS request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
barys control.exe mokes overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Result
Threat name:
Raccoon RedLine SmokeLoader Socelars Vid
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected onlyLogger
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: (graph image not reproduced in text) Behavior Graph ID: 587790, Sample: 738BC607C1A64D1867103F3F4B6..., Startdate: 11/03/2022, Architecture: WINDOWS, Score: 100
Threat name:
Win32.Trojan.NanoBot
Status:
Malicious
First seen:
2021-12-09 16:17:52 UTC
File Type:
PE (Exe)
Extracted files:
242
AV detection:
29 of 42 (69.05%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:amadey family:loaderbot family:onlylogger family:raccoon family:redline family:socelars family:tofsee family:vidar botnet:4da27d123a577c68e42716053343dd3f8da508a2 botnet:@tui botnet:media7newtest botnet:traf botnet:user1 aspackv2 evasion infostealer loader miner persistence stealer trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Launches sc.exe
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets file to hidden
LoaderBot executable
NirSoft WebBrowserPassView
Nirsoft
OnlyLogger Payload
Amadey
LoaderBot
OnlyLogger
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
Socelars
Socelars Payload
Tofsee
Vidar
Malware Config
C2 Extraction:
http://www.wgqpw.com/
185.215.113.44:23759
185.215.113.35/d2VxjasuwS/index.php
23.88.118.113:23817
65.108.69.168:16278
194.62.105.57:46625
Dropper Extraction:
http://62.204.41.71/cs/SkyDrive.oo
http://62.204.41.71/cs/RED.oo
http://62.204.41.71/Offer/Offer.oo
http://62.204.41.71/cs/Fax.oo
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments