MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41
SHA3-384 hash: 5b21f018555aa261606b8d2cba287276d08d31062068ae3f43720c83ccc0e26521b17eba9de9bdd10d549795b7ab5386
SHA1 hash: cb9fa24d6b48cf65b221df6ffea609f7d5b2185a
MD5 hash: 5589c07b336229bd2dea6454fdd3b021
humanhash: alabama-spaghetti-ohio-violet
File name:5589c07b336229bd2dea6454fdd3b021.exe
Download: download sample
File size:250'880 bytes
First seen:2022-09-21 06:16:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:lrILE1H+CHkFXP4WGzvsuj8Sf5dCuEMa/qunCmtJdh5R555Di:lIWeCHs6bdCjquRr5R555W
Threatray 534 similar samples on MalwareBazaar
TLSH T1A134A4B57643A416F86E46F40E48C97316236E96EA51C20E37DE7F8F3A342EEC560360
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c6c7cbd991b10810 (3 x AsyncRAT, 2 x SnakeKeylogger, 2 x PureMiner)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5589c07b336229bd2dea6454fdd3b021.exe
Verdict:
No threats detected
Analysis date:
2022-09-21 06:26:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/04f52206-a1eb-44ca-8c50-76f7688ef3a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311964/
Detection(s):
SecuriteInfo.com.Win64.DropperX-gen.2885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/632aac8812db32f024652b86/reports/dff3e417-db8a-419e-bc9b-557354dcabe6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9513a533-22e0-40c5-a5f7-300007c29467
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1074328
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 23:55:22 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sgxuefj72korryuygvykuxlcpj6h5344qdbtbifm5o4j7vvcxjaq._file
Verdict:
malicious
Similar samples:
14ae647473cbf4def9becdbbb1f007fd8c96c63be5c88014415ab13e6467168f
151fb5746b08b95408b92e08f4bbeac8c4a1a3fc3ad6f43d237357f10476b33f
21bf3627b1e2a400d46ed681b6791b43b13a3f62615b74c3bdaeef402b11bf81
3be69750b64f87e18bcd6d779fbc9511f17e57b8c7738d9374e262fb377ff56a
643dca310ffa930db9dca8d6690c841d0ec0ab75913646756ebeb1bf2de82584
6897412732ce8f38317aefff9c2bb19b15a91caccb0922c53fe29c36474de665
88b00afd2b4f33893e8ca2dfb3a40cfa15d990d731cb1b15617a8f606b5672d0
8feeb31be2e79fc5c6ddd489dcbfe708c8890f107e32c788ec1b7842feead9d4
fec981d9e6f439dd72ab681e144d5da1302b20bcf45ca98ee15bf029eab135bd
+ 524 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220921-g12wjsfed3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c367a4a8-3b6e-47b2-833f-d51f12e9c150
Unpacked files
SH256 hash:
91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41
MD5 hash:
5589c07b336229bd2dea6454fdd3b021
SHA1 hash:
cb9fa24d6b48cf65b221df6ffea609f7d5b2185a
Link:
https://www.unpac.me/results/ef8dd973-1d8a-429a-b3c2-73e0d4c8d6e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2307201/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/311964/

Comments