MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0dc657791e6bf1267c8ccb48f337569d9b77f46922c5dd4761010fc7b8f94a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	a0dc657791e6bf1267c8ccb48f337569d9b77f46922c5dd4761010fc7b8f94a6
SHA3-384 hash:	64102f3d90aad369df33a22d3b32488d7ff2d5f5e184a0b865fa26586bd85909719ee2b1c9f6d56ba9684d9f79a16992
SHA1 hash:	e56d996dcf51bffca9b9ba5f0b25965528f97532
MD5 hash:	216064bcf3506cdc18c71b96ed534887
humanhash:	purple-lemon-hydrogen-four
File name:	216064bcf3506cdc18c71b96ed534887.exe
Download:	download sample
File size:	2'140'979 bytes
First seen:	2022-05-24 12:56:05 UTC
Last seen:	2022-05-24 13:48:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ab9ff6e4872ea2766a5f5c6af5649e9d (20 x CryptOne, 13 x RedLineStealer, 6 x RecordBreaker)
ssdeep	24576:gJr8tE+gHq0qC7ecgKGluUHhr8fI2NhzBsTr6PaeQQbVArrXdGjcj2:gJ4N0ZUHpqRyf61ZmNYf
Threatray	342 similar samples on MalwareBazaar
TLSH	T145A52409A147E27BFCEC18E7055181D0C29C7FAA7B528DCDE93AC686101F482F7B6D86
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

265

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

23EB.exe

Verdict:

Malicious activity

Analysis date:

2022-05-24 12:00:54 UTC

Tags:

evasion redline trojan socelars stealer loader rat amadey ransomware stop phishing

Link:

https://app.any.run/tasks/711fdfc4-4ad9-4744-9f15-875f493c443b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/274096/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Launching a process

Sending a custom TCP request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19870/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay setupapi.dll shdocvw.dll shell32.dll update.exe

Link:

https://www.filescan.io/uploads/628cd636945ebb7eb178ba01/reports/7a808b6a-449a-47e9-83c2-2cab1863833b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c2f9fc5-06d9-472b-8e19-de707aa3f381

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1000638

Signature

Antivirus detection for dropped file

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a0dc657791e6bf1267c8ccb48f337569d9b77f46922c5dd4761010fc7b8f94a6/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-05-24 01:36:16 UTC

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Verdict:

malicious

3d10fa199856942dc50bb810376aa0e06a08ad01699871f945c7e3fe6198266f

48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800

4fc7f1f57853c21506349c98a90fce183a1e68509ea78fbea79e22c13bec4ad2

5c729dcf3f65f1a27e00e7597b5c8897d59c191dc0649718c46cc503abe88148

938c6ed84dd404ed8129ef773cc695ddecfb29203e34189760324caa569dfc97

b9738738d885cb91e88c24692c61f6c1459992420a01bc061239d682cc7eabf6

eba009319ed5e3e7a1350fc1464cc99aafb6405f0db3385c080cd0db10ce97c5

+ 332 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220524-p6x4jsegdk/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

a0dc657791e6bf1267c8ccb48f337569d9b77f46922c5dd4761010fc7b8f94a6

MD5 hash:

216064bcf3506cdc18c71b96ed534887

SHA1 hash:

e56d996dcf51bffca9b9ba5f0b25965528f97532

Link:

https://www.unpac.me/results/36f54868-1c5e-40ba-bb22-a1a494a2659a/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a0dc657791e6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a0dc657791e6bf1267c8ccb48f337569d9b77f46922c5dd4761010fc7b8f94a6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe a0dc657791e6bf1267c8ccb48f337569d9b77f46922c5dd4761010fc7b8f94a6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2209314/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/274096/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample