MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 8b67cb28a0a22e63372bf6d5ca6693e618f206cd2fd6488f93b2b7eaa33598a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 11
| SHA256 hash: | 8b67cb28a0a22e63372bf6d5ca6693e618f206cd2fd6488f93b2b7eaa33598a3 |
|---|---|
| SHA3-384 hash: | a000a17f5ed667afd5dbe2193a8b193b45e727338b4679aa836d09c2a27e4a523e1caf00300a23d3481cc624a238ccf9 |
| SHA1 hash: | 30962eeb2d7721601e962dad295419095d2a5479 |
| MD5 hash: | 3c8fce07c35c3cf05029085a4b6e946f |
| humanhash: | equal-undress-carbon-speaker |
| File name: | RedFireEXTERNAL.exe |
| Download: | download sample |
| File size: | 2'012'160 bytes |
| First seen: | 2025-05-14 16:46:33 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 15d175679fa6a367d76f63a39a921c63 |
| ssdeep | 49152:iQvSNZRWUyNcP+3RL/mxQhvFDMyvp7gQKGBn+apli:iQvSNZRWUyNcP+3Nm2hTKEpl |
| TLSH | T1FB95AD47B3E142ECC167913882579717E37274021F209BCF67A44BA96F63AE01E7B7A1 |
| TrID | 38.7% (.EXE) Win64 Executable (generic) (10522/11/4) 20.4% (.FON) Windows Font (5545/9/1) 18.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.4% (.EXE) OS/2 Executable (generic) (2029/13) 7.3% (.EXE) Generic Win/DOS Executable (2002/3) |
| Magika | pebin |
| Reporter | Anonymous |
| Tags: | exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
487
Origin country :
NLVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RedFireEXTERNAL.exe
Verdict:
No threats detected
Analysis date:
2025-05-14 16:51:01 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Verdict:
Malicious
Score:
99.9%
Tags:
dropper emotet virus smtp
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm base64 crypto fingerprint hacktool keylogger lolbin microsoft_visual_cc obfuscated remote
Verdict:
Malicious
Labled as:
Win64/TrojanDownloader.Agent_AGen
Malware family:
Khalesi
Verdict:
Malicious
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Signature
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject threads in other processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
Win64.Infostealer.Tinba
Status:
Malicious
First seen:
2025-05-14 15:41:53 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
25 of 37 (67.57%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
Malicious
Tags:
Win.Malware.Sabsik-10038319-0
YARA:
n/a
Unpacked files
SH256 hash:
8b67cb28a0a22e63372bf6d5ca6693e618f206cd2fd6488f93b2b7eaa33598a3
MD5 hash:
3c8fce07c35c3cf05029085a4b6e946f
SHA1 hash:
30962eeb2d7721601e962dad295419095d2a5479
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Check_Debugger |
|---|
| Rule name: | Check_OutputDebugStringA_iat |
|---|
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__RemoteAPI |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | dsc |
|---|---|
| Author: | Aaron DeVera |
| Description: | Discord domains |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | INDICATOR_SUSPICIOUS_References_SecTools |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many IR and analysis tools |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
exe 8b67cb28a0a22e63372bf6d5ca6693e618f206cd2fd6488f93b2b7eaa33598a3
(this sample)
Delivery method
Distributed via web download
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high |
| CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::ConvertSidToStringSidA ADVAPI32.dll::CopySid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::IsValidSid |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::sndPlaySoundA |
| RPC_API | Can Execute Remote Procedures | RPCRT4.dll::RpcStringFreeA |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetTokenInformation |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteA |
| URL_MONIKERS_API | Can Download & Execute components | urlmon.dll::URLDownloadToFileA |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateRemoteThread KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::VirtualAllocEx KERNEL32.dll::WriteProcessMemory KERNEL32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoW |
| WIN_BASE_EXEC_API | Can Execute other programs | api-ms-win-crt-runtime-l1-1-0.dll::_get_narrow_winmain_command_line |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileMappingA KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::MoveFileExA KERNEL32.dll::GetSystemDirectoryA |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::GetUserNameA ADVAPI32.dll::LookupPrivilegeValueA |
| WIN_CRYPT_API | Uses Windows Crypt API | CRYPT32.dll::CertAddCertificateContextToStore CRYPT32.dll::CertCreateCertificateChainEngine CRYPT32.dll::CertEnumCertificatesInStore CRYPT32.dll::CertFindCertificateInStore CRYPT32.dll::CertFindExtension CRYPT32.dll::CertFreeCertificateChainEngine CRYPT32.dll::CertFreeCertificateChain |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegSetValueExW |
| WIN_SOCK_API | Uses Network to send and receive data | WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo WS2_32.dll::WSAIoctl |
| WIN_USER_API | Performs GUI Actions | USER32.dll::EmptyClipboard USER32.dll::FindWindowA USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.