MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e0039e89e08c86ef23875cc3abb955184c389bd51f491218da2fce7b824bdcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e0039e89e08c86ef23875cc3abb955184c389bd51f491218da2fce7b824bdcf
SHA3-384 hash: 03b876d2638078f6008d29787b2d9aeeed9d860fcd70a3bae67924946242b0cc6303656358f54f3ca84e35f0d9ec3f48
SHA1 hash: c7d3eac92ba99c9b2787ed4245e633d708b3603d
MD5 hash: e825565216f6397a04fde97547b5f106
humanhash: november-early-iowa-ten
File name:e825565216f6397a04fde97547b5f106.exe
Download: download sample
File size:24'582 bytes
First seen:2022-01-10 09:31:29 UTC
Last seen:2022-01-10 11:32:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0bf9136bb9c49b909aa5e2a7af9a8048 (1 x RedLineStealer, 1 x DCRat)
ssdeep 192:/TakmpXXpTTpNHmpNp6T1nfqV7iU4aaR9nsqV7iU4a7RPLeI:/TahbnA7iU9Un77iU9BeI
Threatray 17 similar samples on MalwareBazaar
TLSH T1E0B2CD96F5E4509DE189627806A2437A68257C3D5848E84FFF45BF5F2CB42C2B4F0B17
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
150_setupInstaller.bin.exe
Verdict:
Malicious activity
Analysis date:
2022-01-09 21:44:43 UTC
Tags:
evasion trojan rat redline loader opendir stealer vidar
Link:
https://app.any.run/tasks/3e6e2bce-5ed2-4a0e-8e41-8796b158cb9f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217978/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.29608.6387.1074.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Sending an HTTP POST request
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
alien overlay
Link:
https://www.filescan.io/uploads/61dbfd1602e388f9fdbd6981/reports/51e75689-b995-4782-93d4-4283d0b6e0ca/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/089937c7-9ea4-4b9a-9871-c636202ebb43
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917551
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates autostart registry keys with suspicious values (likely registry only malware)
Found C&C like URL pattern
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 550025 Sample: 6V72tfyDB4.exe Startdate: 10/01/2022 Architecture: WINDOWS Score: 100 86 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->86 88 Potential malicious icon found 2->88 90 Antivirus detection for URL or domain 2->90 92 11 other signatures 2->92 10 6V72tfyDB4.exe 1 2->10         started        12 wscript.exe 2->12         started        14 wscript.exe 2->14         started        process3 dnsIp4 17 powershell.exe 16 22 10->17         started        22 powershell.exe 10->22         started        24 mshta.exe 12->24         started        84 192.168.2.1 unknown unknown 14->84 26 mshta.exe 14->26         started        process5 dnsIp6 76 92.255.57.195, 49752, 49755, 49765 TELSPRU Russian Federation 17->76 62 PowerShell_transcr....20220110103313.txt, UTF-8 17->62 dropped 64 C:\...\Windows Security Tray Application.vbs, UTF-8 17->64 dropped 94 May check the online IP address of the machine 17->94 96 Creates autostart registry keys with suspicious values (likely registry only malware) 17->96 28 conhost.exe 17->28         started        78 ipinfo.io 34.117.59.81, 49764, 49878, 49902 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 22->78 66 C:\Users\user\AppData\Roaming\11.vbs, ASCII 22->66 dropped 30 cmd.exe 22->30         started        32 conhost.exe 22->32         started        34 powershell.exe 24->34         started        38 powershell.exe 24->38         started        41 powershell.exe 26->41         started        43 powershell.exe 26->43         started        file7 signatures8 process9 dnsIp10 45 wscript.exe 30->45         started        48 conhost.exe 30->48         started        68 PowerShell_transcr....20220110103406.txt, UTF-8 34->68 dropped 98 May check the online IP address of the machine 34->98 50 conhost.exe 34->50         started        80 ipinfo.io 38->80 70 PowerShell_transcr....20220110103407.txt, UTF-8 38->70 dropped 52 conhost.exe 38->52         started        82 ipinfo.io 41->82 72 PowerShell_transcr....20220110103416.txt, UTF-8 41->72 dropped 54 conhost.exe 41->54         started        74 PowerShell_transcr....20220110103412.txt, UTF-8 43->74 dropped 56 conhost.exe 43->56         started        file11 signatures12 process13 signatures14 100 Wscript starts Powershell (via cmd or directly) 45->100 58 powershell.exe 45->58         started        process15 process16 60 conhost.exe 58->60         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e0039e89e08c86ef23875cc3abb955184c389bd51f491218da2fce7b824bdcf/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-01-09 21:01:19 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
556dd37a5b9982ef815abb5c7731f8a8eb7f2232bb197b69daf259fb42e4618f
8d0aca1c0b1fd8c9ac8b1ec980616a98ebcb2d037857557fac70094233e20df6
98eade342865b6c1f27721b690496e36a5d4558648cb0db626e18375b2ea78cb
a0e5fcf52f3a1bbb049637fd4ea0dc4e69be607dbf0bfaeffe58baa219037794
bc016ebc1751fe99de886be19c2c3e0baefe69cb046b10838cb15bcff3c7e603
cf16e91a8611d4dfbba4af8164ab661d612e21a4403a62b6fb0d9ad25d065613
d07c227a7d73abe3eb7da6c7f23f5de256be3b1a610a7f620ca64e4f7410f04e
e3df75eda0f3fff88f4ab98a687f7ec50b1adde27dbb1bb0947f96892eebf493
ea342f618a8caa17bae45cd0a55cd404451dd0e589886ae00eb5fc9ff59e79cc
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata
Link:
https://tria.ge/reports/220110-lhmfcsedcp/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Blocklisted process makes network request
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Malware Config
Dropper Extraction:
http://92.255.57.195/01/AU.PNG
http://92.255.57.195/01/YES.PNG
Unpacked files
SH256 hash:
7e0039e89e08c86ef23875cc3abb955184c389bd51f491218da2fce7b824bdcf
MD5 hash:
e825565216f6397a04fde97547b5f106
SHA1 hash:
c7d3eac92ba99c9b2787ed4245e633d708b3603d
Link:
https://www.unpac.me/results/d8ae9216-425a-4250-90a2-4323f7471447/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e0039e89e08c86ef23875cc3abb955184c389bd51f491218da2fce7b824bdcf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7e0039e89e08c86ef23875cc3abb955184c389bd51f491218da2fce7b824bdcf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1674390/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1666139/
Cape
Cape
https://www.capesandbox.com/analysis/217978/

Comments