MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79352910f5e31ab1c843a5a7230d1f278dda20f721ad03243dd44f8d7806c2ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 13


Intelligence 13 IOCs 2 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79352910f5e31ab1c843a5a7230d1f278dda20f721ad03243dd44f8d7806c2ed
SHA3-384 hash: 730e633d16bef0635b968f9f37463ebb88785d3ac4c6fd2064e9252864d278abbfdcb06d44737dc66b376070cb244815
SHA1 hash: 712477107b3ff723416fd85120cdd9ebf7756724
MD5 hash: e08d8ddb2ef5d353f6e5cc7fdb514e73
humanhash: six-november-comet-lion
File name:e08d8ddb2ef5d353f6e5cc7fdb514e73.exe
Download: download sample
Signature Stop
Create hunting rule
File size:387'584 bytes
First seen:2022-06-24 10:12:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f8c4cf685a1da89700dff1891ed4f70 (2 x RedLineStealer, 2 x Loki, 1 x Stop)
ssdeep 6144:T2ba3teXv/VhXtSllX/yWFaokowHlPwbXuahS6KvCgdo0TU:T2l/9hdSllX/zMowOthrKtU
TLSH T147847B00BB50C035E5B615F449BB83686E2EBEE15F2C61CB62E57ADE96355E0EC3031B
TrID 39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter abuse_ch
Tags:exe Stop


Avatar
abuse_ch
Stop C2:
195.242.111.189:20113

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
195.242.111.189:20113 https://threatfox.abuse.ch/ioc/723474/
85.239.55.11:80 https://threatfox.abuse.ch/ioc/723475/

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283018/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/22691/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed redline
Link:
https://www.filescan.io/uploads/62b58e2f49d6271f1a7a04e8/reports/859dea91-8d95-43bc-ba5d-7b1b7d358df9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd94bc60-dd97-43bd-b8fa-f30dd0f1a9a7
Result
Threat name:
Djvu, Nymaim, Record Stealer, RedLine, V
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1019261
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected Djvu Ransomware
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected Record Stealer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 651757 Sample: Ox35UIhSO5.exe Startdate: 24/06/2022 Architecture: WINDOWS Score: 100 125 Malicious sample detected (through community Yara rule) 2->125 127 Antivirus detection for URL or domain 2->127 129 Antivirus detection for dropped file 2->129 131 21 other signatures 2->131 8 Ox35UIhSO5.exe 4 60 2->8         started        process3 dnsIp4 89 185.215.113.15 WHOLESALECONNECTIONSNL Portugal 8->89 91 162.214.79.75 UNIFIEDLAYER-AS-1US United States 8->91 93 13 other IPs or domains 8->93 47 C:\Users\...\y0XYUAhtVoVrskpab6QAP6QP.exe, PE32 8->47 dropped 49 C:\Users\...\sg21PNMsHpxS5Af6MSjov2hB.exe, PE32 8->49 dropped 51 C:\Users\...\mCSByW2vRcNW4tFCA4Q1hXIC.exe, PE32 8->51 dropped 53 25 other files (14 malicious) 8->53 dropped 133 Creates HTML files with .exe extension (expired dropper behavior) 8->133 135 Disable Windows Defender real time protection (registry) 8->135 13 X4pvgRtHtn_E2d0EmXJuPxvm.exe 17 8->13         started        17 sg21PNMsHpxS5Af6MSjov2hB.exe 8->17         started        20 y0XYUAhtVoVrskpab6QAP6QP.exe 23 8->20         started        22 14 other processes 8->22 file5 signatures6 process7 dnsIp8 107 149.154.167.99 TELEGRAMRU United Kingdom 13->107 71 C:\Users\...\B9rDcgbxdkk0qn_V9o07lEt6.exe, PE32 13->71 dropped 73 C:\...\PowerControl_Svc.exe, PE32 13->73 dropped 75 C:\Users\user\AppData\Local\...\WW14[1].exe, PE32 13->75 dropped 24 B9rDcgbxdkk0qn_V9o07lEt6.exe 13->24         started        29 schtasks.exe 13->29         started        31 schtasks.exe 13->31         started        77 C:\Users\...\sg21PNMsHpxS5Af6MSjov2hB.tmp, PE32 17->77 dropped 117 Obfuscated command line found 17->117 33 sg21PNMsHpxS5Af6MSjov2hB.tmp 17->33         started        109 159.69.102.192 HETZNER-ASDE Germany 20->109 85 6 other files (none is malicious) 20->85 dropped 119 Tries to harvest and steal browser information (history, passwords, etc) 20->119 111 167.235.245.75 ALBERTSONSUS United States 22->111 113 186.202.153.98 LocawebServicosdeInternetSABR Brazil 22->113 115 104.21.234.38 CLOUDFLARENETUS United States 22->115 79 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 22->79 dropped 81 C:\Users\user\AppData\...\vcruntime140.dll, PE32 22->81 dropped 83 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 22->83 dropped 87 5 other files (none is malicious) 22->87 dropped 121 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->121 123 Injects a PE file into a foreign processes 22->123 35 WerFault.exe 22->35         started        37 conhost.exe 22->37         started        39 AppLaunch.exe 22->39         started        41 5 other processes 22->41 file9 signatures10 process11 dnsIp12 95 198.54.115.119 NAMECHEAP-NETUS United States 24->95 97 176.9.147.148 HETZNER-ASDE Germany 24->97 105 5 other IPs or domains 24->105 55 C:\Users\user\...55iceProcessX64[1].bmp, PE32+ 24->55 dropped 57 C:\Users\user\AppData\Local\...\chrome[1].exe, PE32 24->57 dropped 59 C:\Users\user\AppData\...\Keeperch2[1].exe, PE32 24->59 dropped 69 9 other files (1 malicious) 24->69 dropped 137 Tries to harvest and steal browser information (history, passwords, etc) 24->137 43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        99 151.115.10.1 OnlineSASFR United Kingdom 33->99 101 192.168.2.1 unknown unknown 33->101 61 C:\Users\user\AppData\Local\...\befeduce.exe, PE32 33->61 dropped 63 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 33->63 dropped 65 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 33->65 dropped 67 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 33->67 dropped 103 20.189.173.21 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 35->103 file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79352910f5e31ab1c843a5a7230d1f278dda20f721ad03243dd44f8d7806c2ed/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-05-17 11:43:13 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pe2ssehv4mnldscduwtsgdi7e6g5uihxegwqgjb52rhy26agylwq._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:nymaim family:recordbreaker family:redline family:vidar botnet:1448 botnet:937 botnet:@asasasasaasass discovery evasion infostealer persistence ransomware spyware stealer suricata trojan upx vmprotect
Link:
https://tria.ge/reports/220624-l829habehr/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
VMProtect packed file
Vidar Stealer
Amadey
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
NyMaim
Process spawned unexpected child process
RecordBreaker
RedLine
RedLine Payload
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
Malware Config
C2 Extraction:
http://abababa.org/test3/get.php
https://t.me/tg_superch
https://climatejustice.social/@olegf9844
46.8.220.88:65531
http://167.235.245.75/
37.0.8.39
31.210.20.149
212.192.241.16
Unpacked files
SH256 hash:
eaac934eb8c0d46762dcfe0aacc02969ea1514f31ada9f4d5849da0518d0f725
MD5 hash:
923b24e40767143bbcdb6450e77353bc
SHA1 hash:
f9437a36bb01a0d9cd668ef2669bb3b627fd4116
Link:
https://www.unpac.me/results/f7113e8f-0841-44c9-bcd0-ea6ba70e06cf/
SH256 hash:
79352910f5e31ab1c843a5a7230d1f278dda20f721ad03243dd44f8d7806c2ed
MD5 hash:
e08d8ddb2ef5d353f6e5cc7fdb514e73
SHA1 hash:
712477107b3ff723416fd85120cdd9ebf7756724
Link:
https://www.unpac.me/results/f7113e8f-0841-44c9-bcd0-ea6ba70e06cf/
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/79352910f5e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79352910f5e31ab1c843a5a7230d1f278dda20f721ad03243dd44f8d7806c2ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:privateloader
Create hunting rule
Author:andre@tavares.re
Description:PrivateLoader pay-per-install malware
Rule name:win_privateloader
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/283018/

Comments