MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b475868e6aafcb6b81d3c4d92d039987b75ef3829c2a834917698845400199e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Adware.Generic
Vendor detections: 13

SHA256 hash: 9b475868e6aafcb6b81d3c4d92d039987b75ef3829c2a834917698845400199e
SHA3-384 hash: 0544b4c16a9da70f9fa1d8b62a88534aee40ce675833667b7ac2bb79679cbe371940e0d3a8760c2a7d6f1154ef96964e
SHA1 hash: 39047837aee1bae27600349c8070e6cbdd9330d2
MD5 hash: e16601e4d64a0240d8f55d93ff682cbf
humanhash: vegan-earth-pennsylvania-cola
File name: E16601E4D64A0240D8F55D93FF682CBF.exe
Signature: Adware.Generic
File size: 32'768 bytes
First seen: 2023-09-26 22:05:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
Caveat on the imphash: this value is shared by tens of thousands of unrelated .NET samples because a managed (CIL) executable imports only mscoree.dll!_CorExeMain, so its import table, and therefore its imphash, is the same for every family. Treat it as a "this is a .NET executable" indicator rather than a family pivot; ssdeep and TLSH below are the similarity hashes worth pivoting on for this sample.
ssdeep: 192:GctzdkaK/n7bEbIn+qeD3cugX8P6J8stYcFwVc03KY:Gy+p7bEbIn+9gX8yJptYcFwVc03K
TLSH: T11BE20801E7D48272CA79427638B79786C733B79B18468EEE788C510F3F269C582A33D5
TrID: 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.1% (.SCR) Windows screen saver (13097/50/3)
      8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: Adware.Generic exe
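The following is an added example, not code from MalwareBazaar or from any vendor shown on this page. It implements the imphash computation (lowercase the library name with its .dll/.sys/.ocx extension stripped, lowercase the function name or render ordinals as ordN, join as lib.func with commas, MD5 the result) over hand-built import lists; no PE parser is involved and no file is read. The managed-executable import list is the single mscoree.dll!_CorExeMain entry every .NET executable carries; the native import list is invented for contrast.

```python
"""Import hash (imphash) from an import list, and why the value on this
entry is a weak pivot.

Added example, not from the MalwareBazaar page or its tooling. No PE parser
is used: the import lists below are constructed by hand. The first mirrors
what every managed (.NET/CIL) executable imports; the second is an invented
native import table for contrast.
"""
import hashlib


def imphash(imports):
    """Compute an imphash the way pefile / VirusTotal do.

    imports: ordered list of (dll_name, function_name_or_ordinal) pairs.
    Rules: lowercase, strip a .dll/.sys/.ocx extension from the library name,
    render ordinals as 'ordN', join every entry as 'lib.func' with commas,
    then MD5 the resulting string.
    """
    parts = []
    for lib, func in imports:
        name = lib.lower()
        for ext in (".dll", ".sys", ".ocx"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        func_name = f"ord{func}" if isinstance(func, int) else str(func).lower()
        parts.append(f"{name}.{func_name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# The only native import a managed executable carries: the CLR entry stub.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed native import table (not from the sample), for contrast.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "CreateThread"),
    ("WS2_32.dll", "connect"),
]


def is_generic_dotnet_imphash(value):
    """True if an imphash only says 'this is a .NET executable', carrying no family signal."""
    return value.lower() == imphash(DOTNET_EXE_IMPORTS)


if __name__ == "__main__":
    print("managed exe imphash:", imphash(DOTNET_EXE_IMPORTS))
    print("native exe imphash: ", imphash(NATIVE_IMPORTS))
    print("entry imphash is generic .NET:",
          is_generic_dotnet_imphash("f34d5f2d4577ed6d9ceec516c1f5a744"))
```

Running it reproduces the entry's imphash from the one-entry managed import list, which is the whole point: any pivot, YARA rule or hunt built on this imphash matches every .NET executable, malicious or not. Use is_generic_dotnet_imphash as a guard before treating an imphash hit as family attribution.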


Reporter comment (abuse_ch):
Adware.Generic C2:
64.40.154.6:36512

Intelligence

File Origin
# of uploads: 1
# of downloads: 317
Origin country: NL

Vendor Threat Intelligence

Result
Malware family: redline
ID: 1
File name: E16601E4D64A0240D8F55D93FF682CBF.exe
Verdict: Malicious activity
Analysis date: 2023-09-26 22:08:12 UTC
Tags: gcleaner loader stealer redline fabookie smoke asyncrat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Modifying a system file
Creating a file in the %AppData% subdirectories
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a service
Running batch commands
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun for a service
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin packed replace tiny upatre
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT, Fabookie, Glupteba, RedLine, S
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100

Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Found malware configuration
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected AsyncRAT
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 1314840; sample name in this run: 7DmcSNdUVT.exe; start date 27/09/2023; architecture WINDOWS; score 100). The graph image was flattened during extraction; the process tree, network contacts, dropped files and per-process signatures it contained are reconstructed below. "N other ..." counts are as the graph showed them; AS labels are reproduced as extracted.

Root-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 20 other signatures.

7DmcSNdUVT.exe (started)
  Network: 85.217.144.143 (WS171-ASRU, Bulgaria); 5.42.64.10 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 30 other IPs or domains
  Dropped: C:\Users\...\zsBYc7n727CpDf21h3QnbdCU.exe (PE32+); C:\Users\...\zqRw3a6Z3MoIcGkhxHbd3bL3.exe (PE32); C:\Users\...\zNdTrD8vyYZzs9rzD1ZY47Ya.exe (PE32); 282 other malicious files
  Signatures: Drops script or batch files to the startup folder; Writes many files with high entropy
  +-- W1rbZ3ikHVtb0oQVizS7Uyyq.exe (started)
  |     Network: 93.186.225.194 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 95.142.206.0 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 15 other IPs or domains
  |     Dropped: C:\Users\...\zYHGsZ0GF3Pft6oAFHTA7Vhi.exe (PE32); C:\Users\...\u6WZvjMzhhl0mi_SRmI7wsO4.exe (PE32+); C:\Users\...\ttiVcFVbY690buVo2vVFHFF4.exe (PE32); 24 other malicious files
  |     Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Creates HTML files with .exe extension (expired dropper behavior); 6 other signatures
  +-- Vkv2fVunnfuk3Vv7WXaN6wWB.exe (started)
  |     Dropped: C:\Users\user\AppData\Local\...\is-SHM77.tmp (PE32)
  |     +-- is-SHM77.tmp (started)
  |           Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 11 other files (9 malicious)
  |           +-- OSHMount.exe (started)
  |           |     Dropped: C:\ProgramData\...\Video Fetcher.exe (PE32)
  |           +-- net.exe (started)
  |           |     +-- conhost.exe (started)
  |           |     +-- net1.exe (started)
  |           +-- OSHMount.exe (started)
  |                 Network: 195.154.251.99 (OnlineSASFR, France); 51.159.66.125 (OnlineSASFR, France); 2 other IPs or domains
  +-- G9qoTsbGyeuz08ejAIUJxtfN.exe (started)
  |     Signatures: Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
  |     +-- G9qoTsbGyeuz08ejAIUJxtfN.exe (started)
  |           Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
  |           +-- explorer.exe (injected)
  |                 Signatures: Adds a directory exclusion to Windows Defender
  |                 +-- powershell.exe (started)
  |                       +-- conhost.exe (started)
  +-- 15 other processes
        Network: 107.167.110.217 (OPERASOFTWAREUS, United States); 107.167.125.189 (OPERASOFTWAREUS, United States); 18 other IPs or domains
        Dropped: C:\Users\user\Pictures\360TS_Setup.exe.P2P (PE32); C:\Users\user\...\360TS_Setup.exe (copy) (PE32); C:\Users\user\AppData\Local\...\360P2SP.dll (PE32); 17 other malicious files
        Signatures: Detected unpacking (overwrites its own PE header); Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 4 other signatures
        +-- qMFzJF81Yxf0158tu0Zv6F9k.tmp (started)
        |     Dropped: C:\Users\user\AppData\...\unins000.exe (copy) (PE32); C:\Users\user\AppData\...\is-OGRVR.tmp (PE32+); C:\Users\user\AppData\...\is-7L3C5.tmp (PE32+); 4 other files (3 malicious)
        |     Signatures: Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
        |     +-- 4 other processes
        |           Network: 3.98.219.138 (AMAZON-02US, United States)
        |           +-- conhost.exe (started) x3
        +-- Install.exe (started)
        |     Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
        |     +-- Install.exe (started)
        |           Dropped: C:\Users\user\AppData\Local\...\ewLkAYP.exe (PE32)
        |           Signatures: Multi AV Scanner detection for dropped file; Adds extensions / path to Windows Defender exclusion list
        |           +-- forfiles.exe (started)
        +-- cmd.exe (started)
        |     +-- 5882252325.exe (started)
        |     +-- conhost.exe (started)
        +-- 3 other processes
              Dropped: Opera_installer_2309262207280873052.dll (PE32)
              +-- 4 other processes
poo.exe (started)
  Signatures: Multi AV Scanner detection for dropped file
DigitalPulseUpdate.exe (started)
  Network: 35.182.67.195 (AMAZON-02US, United States)
Result
Threat name: Win32.Backdoor.AsyncRAT
Status: Malicious
First seen: 2023-09-23 01:57:43 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 19 of 23 (82.61%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:asyncrat family:fabookie family:glupteba family:redline family:smokeloader botnet:21 botnet:pub1 backdoor bootkit dropper evasion infostealer loader persistence rat spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
.NET Reactor protector
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Async RAT payload
AsyncRat
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
http://app.nnnaajjjgc.com/check/safe
81.161.229.73:6606
81.161.229.73:7707
81.161.229.73:8808
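The following is an added example, not code from MalwareBazaar or from any vendor on this page. It takes the indicators this entry provides (the sample's hashes, the reporter's C2 socket, and the sandbox "C2 Extraction" list) together with three behaviours the sandbox reports describe (a Windows Defender exclusion, a scheduled task created with schtasks, and a file dropped into the Startup folder) and runs them over telemetry as an IOC sweep. The key=value log format, the field names and every event line are constructed for illustration, benign lines included; the "Add-MpPreference -ExclusionPath" command line is the standard PowerShell way to add a Defender exclusion and is assumed here, since the reports above do not show the exact command the malware used.

```python
"""IOC sweep over host/network telemetry for the sample described above.

Added example: the indicators are copied from this MalwareBazaar entry; the
log format, field names and event lines are constructed for illustration and
do not come from any real sensor.
"""
import re

# Hashes of the submitted sample, as listed in the entry (lowercase for comparison).
SAMPLE_HASHES = {
    "9b475868e6aafcb6b81d3c4d92d039987b75ef3829c2a834917698845400199e",
    "39047837aee1bae27600349c8070e6cbdd9330d2",
    "e16601e4d64a0240d8f55d93ff682cbf",
}

# C2 endpoints: the reporter's ip:port plus the sandbox "C2 Extraction" sockets.
C2_SOCKETS = {
    ("64.40.154.6", 36512),
    ("81.161.229.73", 6606),
    ("81.161.229.73", 7707),
    ("81.161.229.73", 8808),
}
C2_IPS = {ip for ip, _ in C2_SOCKETS}
# Hosts from the extracted C2 URLs.
C2_HOSTS = {"host-file-host6.com", "host-host-file8.com", "app.nnnaajjjgc.com"}

# Behaviours the sandboxes reported, expressed as command-line / path checks.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Extension|Process)", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

# Constructed telemetry (not from the page): one event per line, key=value pairs,
# values containing spaces are double-quoted. Events 3 and 6 are benign controls.
SAMPLE_LOG = r'''
id=1 type=net_conn dst=81.161.229.73 dport=6606 image="C:\Users\user\AppData\Local\Temp\E16601E4D64A0240D8F55D93FF682CBF.exe"
id=2 type=net_conn dst=81.161.229.73 dport=443 image="C:\Users\user\AppData\Local\Temp\svc.exe"
id=3 type=net_conn dst=13.107.42.14 dport=443 image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
id=4 type=http host=app.nnnaajjjgc.com uri=/check/safe image="C:\Users\user\AppData\Local\Temp\svc.exe"
id=5 type=http host=cdn.host-host-file8.com uri=/x.bin image="C:\Users\user\AppData\Local\Temp\svc.exe"
id=6 type=http host=www.microsoft.com uri=/ image="C:\Program Files\Internet Explorer\iexplore.exe"
id=7 type=file_create path="C:\Users\user\AppData\Local\Temp\E16601E4D64A0240D8F55D93FF682CBF.exe" md5=E16601E4D64A0240D8F55D93FF682CBF
id=8 type=proc_create image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData"
id=9 type=proc_create image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /create /tn Updater /tr C:\Users\user\AppData\Roaming\upd.exe /sc minute /mo 5"
id=10 type=file_create path="C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat" md5=0cc175b9c0f1b6a831c399e269772661
'''

# key=value, with the value either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def check_event(ev):
    """Return the list of IOC / behaviour reasons that fire on a single event."""
    reasons = []
    kind = ev.get("type")
    if kind == "net_conn":
        dst, port = ev.get("dst"), int(ev.get("dport", 0))
        if (dst, port) in C2_SOCKETS:
            reasons.append("c2_socket")
        elif dst in C2_IPS:
            # Same C2 host on a port not in the config: lower confidence, still reported.
            reasons.append("c2_ip_other_port")
    elif kind == "http":
        host = ev.get("host", "").lower().rstrip(".")
        # Match the host itself and any subdomain of it, never a mere substring.
        if any(host == c2 or host.endswith("." + c2) for c2 in C2_HOSTS):
            reasons.append("c2_host")
    # Hash fields are compared case-insensitively; sensors differ in casing.
    for field in ("md5", "sha1", "sha256"):
        if ev.get(field, "").lower() in SAMPLE_HASHES:
            reasons.append("known_sample_hash")
            break
    cmdline = ev.get("cmdline", "")
    if DEFENDER_EXCLUSION.search(cmdline):
        reasons.append("defender_exclusion")
    if SCHTASKS_CREATE.search(cmdline):
        reasons.append("schtasks_create")
    if STARTUP_FOLDER.search(ev.get("path", "")):
        reasons.append("startup_folder_write")
    return reasons


def sweep(log_text):
    """Run every event through the checks; return {event id: [reasons]} for hits only."""
    hits = {}
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        reasons = check_event(ev)
        if reasons:
            hits[ev["id"]] = reasons
    return hits


if __name__ == "__main__":
    for event_id, reasons in sweep(SAMPLE_LOG).items():
        print(f"event {event_id}: {', '.join(reasons)}")
```

Two deliberate choices: an IP from the C2 list is reported even on a port the config does not name (event 2), because loaders of this kind rotate ports, and host matching is suffix-based on domain labels so a subdomain of an extracted C2 domain (event 5) fires while unrelated hosts do not. The behavioural checks (events 8 to 10) are what remain useful after the operators move to fresh infrastructure and the hashes stop matching.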
Unpacked files
SHA256 hash: 9b475868e6aafcb6b81d3c4d92d039987b75ef3829c2a834917698845400199e
MD5 hash: e16601e4d64a0240d8f55d93ff682cbf
SHA1 hash: 39047837aee1bae27600349c8070e6cbdd9330d2
Malware family: SmokeLoader
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed. Read the list below with that in mind: the submitted file is a 32 KB .NET executable, so hits such as the Golang rules, HiveRansomware and the Linux 'aicm' botnet rule are more plausibly explained by process dumps of the stages it drops than by the loader itself, and should not be attributed to the submitted file without checking the matched object.

Rule name: BitcoinAddress
  Author: Didier Stevens (@DidierStevens)
  Description: Contains a valid Bitcoin address
Rule name: command_and_control
  Author: CD_R0M_
  Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: crime_ZZ_botnet_aicm
  Author: imp0rtp3
  Description: DDoS Golang Botnet sample for linux called 'aicm'
  Reference: https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name: DebuggerCheck__API
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Disable_Defender
  Author: iam-py-test
  Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: dsc
  Author: Aaron DeVera
  Description: Discord domains
Rule name: Glupteba
Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
  Author: Dhanunjaya
  Description: Malware in Golang
Rule name: golang_binary_string
  Description: Golang strings present
Rule name: grakate_stealer_nov_2021
Rule name: HiveRansomware
  Author: Dhanunjaya
  Description: Yara Rule To Detect Hive V4 Ransomware
Rule name: identity_golang
  Author: Eric Yocam
  Description: find Golang malware
Rule name: INDICATOR_SUSPICIOUS_DisableWinDefender
  Author: ditekSHen
  Description: Detects executables containing artifacts associated with disabling Windows Defender
Rule name: INDICATOR_SUSPICIOUS_EXE_DiscordURL
  Author: ditekSHen
  Description: Detects executables containing Discord URLs observed in first-stage droppers
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  Author: ditekSHen
  Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
  Author: ditekSHen
  Description: Detects executables containing URLs to raw contents of a Github gist
Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
  Author: ditekSHen
  Description: Detects executables (downloaders) containing URLs to raw contents of a paste
Rule name: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
  Author: ditekSHen
  Description: Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name: maldoc_find_kernel32_base_method_1
  Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
  Author: Didier Stevens (https://DidierStevens.com)
Rule name: MALWARE_Win_OnlyLogger
  Author: ditekSHen
  Description: Detects OnlyLogger loader variants
Rule name: MALWARE_Win_RedLine
  Author: ditekSHen
  Description: Detects RedLine infostealer
Rule name: MAL_Malware_Imphash_Mar23_1
  Author: Arnim Rupp
  Description: Detects malware by known bad imphash or rich_pe_header_hash
  Reference: https://yaraify.abuse.ch/statistics/
Rule name: MD5_Constants
  Author: phoul (@phoul)
  Description: Look for MD5 constants
Rule name: meth_get_eip
  Author: Willi Ballenthin
Rule name: NET
  Author: malware-lu
Rule name: NETexecutableMicrosoft
  Author: malware-lu
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
  Author: albertzsigovits
Rule name: RIPEMD160_Constants
  Author: phoul (@phoul)
  Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
  Author: phoul (@phoul)
  Description: Look for SHA1 constants
Rule name: SHA512_Constants
  Author: phoul (@phoul)
  Description: Look for SHA384/SHA512 constants
Rule name: Skystars_Malware_Imphash
  Author: Skystars LightDefender
  Description: imphash
Rule name: SUSP_Websites
  Author: SECUINFRA Falcon Team
  Description: Detects the reference of suspicious sites that might be used to download further malware
Rule name: ThreadControl__Context
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
  Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
  Author: malware-lu
Rule name: UroburosVirtualBoxDriver
Rule name: vmdetect
  Author: nex
  Description: Possibly employs anti-virtualization techniques
Rule name: Windows_Trojan_Smokeloader_3687686f
  Author: Elastic Security
Rule name: win_gcleaner_auto
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Description: Detects win.gcleaner.
Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments