MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e6b769afc67e5e76904920f69a8d31475576ee4dc3411379efa665de38f7697. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Redosdru


Vendor detections: 10

SHA256 hash: 7e6b769afc67e5e76904920f69a8d31475576ee4dc3411379efa665de38f7697
SHA3-384 hash: 612d79cb66d6b743ed2b770df57c76622e9e6e9cf5948407b2fb78777758213bf32b39e088df4231b9a214c2bf6e7f3d
SHA1 hash: 21d8aed31b7a2ccd2254a21c940a545693ca5835
MD5 hash: 02ab49305f95f010772aba55ea61744e
humanhash: hydrogen-winner-iowa-spring
File name: 02ab49305f95f010772aba55ea61744e
Signature: Redosdru
File size: 7'168 bytes
First seen: 2021-08-01 16:37:01 UTC
Last seen: 2021-08-01 17:34:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: df4e1b963fa5cdc49c40d711c068a030 (1 x Redosdru)
ssdeep: 96:y6WLGnf3+tUxu1ZeJm30hYLhV2TjeOrgY35yC+6rDSANyYCk0DicmXnMigz:y6WC/yeJm30SW33vJyu3VVCk0hr
Threatray: 43 similar samples on MalwareBazaar
TLSH: T18BE1AFEAB53F4F1BC73C4DB687C5C514788F25609B9F93CA6E0C23A988B955C420C319
Reporter: zbetcheckin
Tags: 32 exe Redosdru

Intelligence


File Origin
# of uploads: 2
# of downloads: 652
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 02ab49305f95f010772aba55ea61744e
Verdict: Malicious activity
Analysis date: 2021-08-01 16:46:49 UTC
Tags: trojan dupzom servstart

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Gh0stCringe
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to register a low level keyboard hook
Creates a Windows Service pointing to an executable in C:\Windows
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Gh0stCringe
Behaviour
Behavior Graph ID: 457547, Sample: NqS5Kl0fD1, Startdate: 01/08/2021, Architecture: WINDOWS, Score: 100 (graph rendering not reproduced here). Nodes in the graph cover the sample process, the dropped executables listed in the signatures above, and network contacts to www.baihes.com, 45.137.182.242 (port 10086) and 404xh.com (47.111.28.81, port 10086).
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2021-08-01 16:37:10 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence upx
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Enumerates connected drives
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Sets DLL path for service in the registry
UPX packed file
Unpacked files
SHA256 hash: 4cee8edb6ee05696890a44479d0972c0ab3b86c0383c5c9bd746f136a1984165
MD5 hash: 6f4d02101b83c3af9be047e1c09051af
SHA1 hash: 0ce255bd746f469947888e3b52cefbac531b111d
SHA256 hash: 7e6b769afc67e5e76904920f69a8d31475576ee4dc3411379efa665de38f7697
MD5 hash: 02ab49305f95f010772aba55ea61744e
SHA1 hash: 21d8aed31b7a2ccd2254a21c940a545693ca5835
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Redosdru
File type: Executable exe
SHA256: 7e6b769afc67e5e76904920f69a8d31475576ee4dc3411379efa665de38f7697 (this sample)

Delivery method
Distributed via web download

Comments
zbet commented on 2021-08-01 16:37:02 UTC

url : hxxp://45.137.182.242/agwl.exe