MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80ce75be063e8a3f5f734beff4a7b8a17451a1855254674573ec566a3bd1a293. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	80ce75be063e8a3f5f734beff4a7b8a17451a1855254674573ec566a3bd1a293
SHA3-384 hash:	17f488a47c8ce128fe5576bb7203b29488edc1b53bc8acb953ea4b44452091df561b7bc3c572edde0a7637d5558eaa3a
SHA1 hash:	358df85bfd1f929cb7e6158d88746adf7f7dcf40
MD5 hash:	0cb531172188c6df849189a308431ae2
humanhash:	arizona-seven-charlie-leopard
File name:	0cb531172188c6df849189a308431ae2.exe
Download:	download sample
File size:	706'560 bytes
First seen:	2023-09-03 07:22:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1ebf24c5f43f6b7b8df6a68ef563ac0b (5 x Vidar, 1 x Smoke Loader, 1 x Tofsee)
ssdeep	12288:bn/fVXDLrue44zGSjR0sKGGyrIbJ99XgXJgLUeL/4/:bnHVamzpRqyrygXJgLHL/4/
Threatray	36 similar samples on MalwareBazaar
TLSH	T105E47D4382E1BD58EA254B728F1FCAFC772DF6E08E497BA522189E1F14B1176C263315
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	1070c09030301800 (2 x RedLineStealer, 1 x Amadey, 1 x Tofsee)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

243

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0cb531172188c6df849189a308431ae2.exe

Verdict:

Malicious activity

Analysis date:

2023-09-03 07:27:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8a109cac-66f1-412e-adc6-f559748fb936

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/445797/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Labled as:

Ransom.Loki.Generic

Link:

https://www.hybrid-analysis.com/sample/80ce75be063e8a3f5f734beff4a7b8a17451a1855254674573ec566a3bd1a293

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Pitou

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ee3849df-68cb-40ba-8e61-c5c907aa9a44

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1302308

Signature

Contains functionality to infect the boot sector

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/80ce75be063e8a3f5f734beff4a7b8a17451a1855254674573ec566a3bd1a293/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-09-02 06:11:32 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qdhhlpqgh2fd6x3tjpx7jj5yuf2fdimfkjkgorlt5rlguo6rukjq._file

Verdict:

malicious

2daacce8c6db148ea731735dd39f6f3ee71c0e336b7b7e53a44414e864a1f12c

34f9859955791b86dabfc99171fa6ef0e5ae587e4f434a9ef70d2c8d4785c9d7

3bd0e34a07b6a1e6ebd2a0dc9f8cf917d1835a7d770d41a60c83507608dd6f3d

455c0c72d434406bcf575d3957ad7f22f714eee597d8bdee6eacc02cbef1dd2a

bfab1100122c3f2dc52479c08fceab6880bf96a20b355c71482bbc3f1fbd7953

d120531e71e0d9b2ae07e4010c9f822445ea11aeba73d675b318ac67735382cb

d2e1a633f253499a966fd4aad76d255c46fa95821192010c3646a705b33f4186

e440eac7cb52cdaad64e9e46f641e291569789f59aeb2bfa4c6bbc607c2c64e8

fb28c37262eee77bb914cd94b179336b1f458702280e4b611a49edf7599dae74

+ 26 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

bootkit persistence

Link:

https://tria.ge/reports/230903-h7tdesge3t/

Behaviour

Writes to the Master Boot Record (MBR)

Unpacked files

SH256 hash:

34214083ce60696dc171d58c3152856c1a0eb661a4741e22a340bdd52258b130

MD5 hash:

a88a0c4d6e13fae0fe18355522632341

SHA1 hash:

7efeee839a564461fdafc79a3c22d490137a6ef7

Link:

https://www.unpac.me/results/2cc227d1-2107-4d14-8a1c-b76be337f278/

Parent samples :

6c3faa9c54a7d44226623afee69d63114957699330dd576092965999550dd19d
f5ab502850f557c78d1ad09eb855a47ff25ce8aa00e8d67b4144a88228ebca3c
8a4eddeda8fecb5a816a28f0760ee4d0d8bf23edbda384a5913d631d676c7438
6a9ed12c03ce93c32945020a180464af9589be469a9193160f6eb7b45e4ede04
e92de9eadeef273bd294c6eceb92f750768766a79c215843e948f37b95bb6723
b565fe1734ee581763ff75a4e26f262d8268333f675d0a5bc2681950bc4ff6cc
66e164f2a4ea3b37586ceb2d699aa89e8a9475e9cd25c51476fd0a7d307df76a

SH256 hash:

80ce75be063e8a3f5f734beff4a7b8a17451a1855254674573ec566a3bd1a293

MD5 hash:

0cb531172188c6df849189a308431ae2

SHA1 hash:

358df85bfd1f929cb7e6158d88746adf7f7dcf40

Link:

https://www.unpac.me/results/2cc227d1-2107-4d14-8a1c-b76be337f278/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/80ce75be063e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/80ce75be063e8a3f5f734beff4a7b8a17451a1855254674573ec566a3bd1a293

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 80ce75be063e8a3f5f734beff4a7b8a17451a1855254674573ec566a3bd1a293

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2628134/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/445797/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample