MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 19



SHA256 hash: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SHA3-384 hash: ea0a0fd2930126ca2c56e22ce2c4a501fa549e82c87a42dd14495470769c413507e30377fa8950b9a3a3a30d97a98403
SHA1 hash: fc57edeadc23e53610eb75881fc7d2cecc847387
MD5 hash: efa310ffcb46aa3768de9aae3a8fdcda
humanhash: angel-bravo-maryland-louisiana
File name: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
Signature: RedLineStealer
File size: 3'545'603 bytes
First seen: 2024-08-21 08:55:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JDxSfQksG3P/rm5AUfWo7lvZTkKXUx5KyChc2tpi:JDkQbCK5Qo7lviyUocypi
TLSH: T100F53305CBC496BBCD369039F52FA14047521F7F2EF5F6264F208BAA7926E5742A42F0
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.142.215.47:27643

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.142.215.47:27643
ThreatFox reference: https://threatfox.abuse.ch/ioc/226593/

Intelligence


File Origin
# of uploads: 1
# of downloads: 402
Origin country: NL

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
Verdict: Malicious activity
Analysis date: 2024-08-21 08:56:42 UTC
Tags: discord evasion stealer pastebin loader smokeloader onlylogger redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: Discovery Encryption Execution Generic Injection Network Stealth Trojan Malware

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer lolbin microsoft_visual_cc overlay packed shell32

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: CryptOne, Nymaim, PrivateLoader, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Submitted sample is a known malware sample
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected CryptOne packer
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara Genericmalware
Behaviour
Behavior Graph ID: 1496480 (Sample: abc0f6a2936703cd32608e7a0c0..., Startdate: 21/08/2024, Architecture: WINDOWS, Score: 100); the graph rendering is not reproduced here.
Threat name: Win32.Ransomware.RedLine
Status: Malicious
First seen: 2024-07-30 15:39:04 UTC
File Type: PE (Exe)
Extracted files: 109
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: sectoprat
Score: 10/10
Tags: family:fabookie family:gcleaner family:nullmixer family:onlylogger family:privateloader family:redline family:sectoprat botnet:ani botnet:media11 botnet:she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
OnlyLogger payload
Detect Fabookie payload
Fabookie
GCleaner
NullMixer
OnlyLogger
PrivateLoader
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
http://hsiens.xyz/
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
135.181.129.119:4805
91.121.67.60:2151
45.142.215.47:27643
ggg-cl.biz
45.9.20.13
Unpacked files

Malware family: PrivateLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high
Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::SetFileSecurityW
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments



Kasibe commented on 2024-08-21 09:23:24 UTC

GootLoader