MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7db58483ed021cf22b0481ccd5fb97cb543e0737146ed27c1182b88598fec4bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash: 7db58483ed021cf22b0481ccd5fb97cb543e0737146ed27c1182b88598fec4bf
SHA3-384 hash: 582c760f8386ec73adb3e57778c427ad69e61d90d07cf8c40f4c53b00c035433475e2d58f98f0f9b7e2d14cff9c33208
SHA1 hash: 028d293fdc1aaf028266ed47c4fc81e65e8af63b
MD5 hash: 3d628d04ef7a6297788db0f43f74fbf8
humanhash: solar-bacon-missouri-princess
File name:SecuriteInfo.com.Win64.Evo-gen.22775.26811
Download: download sample
File size:11'172'202 bytes
First seen:2024-01-31 12:50:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 196608:9NY3avu9cBDzf4LBIP6xDfyGI21X5Sp6GemDMPwuWumNoApiFtxV10+uP:nY3ayszf490yDfDrpfaMPONoApm7aP
TLSH T183B633E485F138F1E0AB1036F484547C67E3782B4765D6AF8767D24A2F03AE65C7AB02
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (16 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter SecuriteInfoCom
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
315
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
https://bazaar.abuse.ch/download/97efe91fe5eff3dcdcb055f037f1df01c1409e6bd38a8f07170ea53a0ff265ef/
Verdict:
Malicious activity
Analysis date:
2024-01-31 14:47:32 UTC
Tags:
opendir stealer redline loader risepro evasion agenttesla amadey stealc phorpiex trojan pushdo cutwail backdoor sinkhole socks5systemz proxy kelihos

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
expand lolbin overlay packed packed pyinstaller
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1384076 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 31/01/2024 Architecture: WINDOWS Score: 56 82 raw.githubusercontent.com 2->82 88 Multi AV Scanner detection for submitted file 2->88 90 Machine Learning detection for sample 2->90 15 SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe 39 2->15         started        signatures3 process4 file5 74 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+ 15->74 dropped 76 C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 15->76 dropped 78 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 15->78 dropped 80 17 other files (none is malicious) 15->80 dropped 86 Potentially malicious time measurement code found 15->86 19 SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe 15->19         started        signatures6 process7 dnsIp8 84 raw.githubusercontent.com 185.199.110.133, 443, 49704, 49705 FASTLYUS Netherlands 19->84 22 SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe 39 19->22         started        process9 file10 58 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+ 22->58 dropped 60 C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 22->60 dropped 62 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 22->62 dropped 64 17 other files (none is malicious) 22->64 dropped 25 SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe 22->25         started        process11 process12 27 SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe 39 25->27         started        file13 66 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+ 27->66 dropped 68 C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 27->68 dropped 70 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 27->70 dropped 72 17 other files (none is malicious) 27->72 dropped 30 SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe 27->30         started        process14 process15 32 SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe 39 30->32         started        file16 42 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+ 32->42 dropped 44 C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 32->44 dropped 46 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 32->46 dropped 48 17 other files (none is malicious) 32->48 dropped 35 SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe 32->35         started        process17 process18 37 SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe 39 35->37         started        file19 50 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+ 37->50 dropped 52 C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 37->52 dropped 54 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 37->54 dropped 56 17 other files (none is malicious) 37->56 dropped 40 SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe 37->40         started        process20
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2024-01-31 12:38:09 UTC
File Type:
PE+ (Exe)
Extracted files:
758
AV detection:
12 of 22 (54.55%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Behaviour
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Unpacked files
SH256 hash:
7db58483ed021cf22b0481ccd5fb97cb543e0737146ed27c1182b88598fec4bf
MD5 hash:
3d628d04ef7a6297788db0f43f74fbf8
SHA1 hash:
028d293fdc1aaf028266ed47c4fc81e65e8af63b
Detections:
PyInstaller SUSP_Imphash_Mar23_3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:globalnet_files
Author:vmovupd
Description:Detect PE files compiled with PyInstaller with AntiDecompilation string. Observed in GlobalNet botnet campaign.
Reference:https://twitter.com/vmovupd/status/1722548036839072017
Rule name:PyInstaller
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:SUSP_Imphash_Mar23_3
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7db58483ed021cf22b0481ccd5fb97cb543e0737146ed27c1182b88598fec4bf

(this sample)

  
Delivery method
Distributed via web download

Comments