MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af5086d88a322f101c7f772e1af59652a8170038b9935aa677e26ae3f2ba43b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af5086d88a322f101c7f772e1af59652a8170038b9935aa677e26ae3f2ba43b0
SHA3-384 hash: 2598ab6107beb64cb8d3818db9ca1767a818221664c04a0a534f07a84b1cce77f39a0f4aa53520edd37c802b8b05b028
SHA1 hash: 7ee7fa3252f06af4c114af46f2ecbf33392c33c2
MD5 hash: 547e4fb629a2249d9c123254ef3042e0
humanhash: chicken-bakerloo-fruit-oregon
File name:e.exe
Download: download sample
File size:188'416 bytes
First seen:2024-03-16 16:06:17 UTC
Last seen:2024-03-16 17:26:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 3072:tMobR7ezAjLOZvmX1S5GWp1icKAArDZz4N9GhbkrNEkkO8YQ:KeR7eammqp0yN90QEk
TLSH T12F046C1927E62166F0B22B7099F602834E367CA3AF7592BF1784947E0D33A84D571F23
TrID 58.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter Anonymous
Tags:erg exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
355
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
af5086d88a322f101c7f772e1af59652a8170038b9935aa677e26ae3f2ba43b0.exe
Verdict:
Suspicious activity
Analysis date:
2024-03-16 16:06:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dbe6ff75-66cf-408c-b12f-4a53615e8930

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/479250/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.21405.2571.7351.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Creating a window
Moving a file to the Program Files subdirectory
Replacing files
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
78%
Tags:
advpack CAB certutil cmd dropper explorer installer lolbin powershell rundll32 schtasks setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65f5c3a7fc3fe20efe67de5b/reports/c7211854-5409-4038-aae2-678aab8f78df/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/af5086d88a322f101c7f772e1af59652a8170038b9935aa677e26ae3f2ba43b0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/07ae4bd2-c34b-4761-88d7-097e45a78f42
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1410200
Signature
Antivirus detection for URL or domain
Drops PE files to the startup folder
Excessive usage of taskkill to terminate processes
Powershell drops PE file
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1410200 Sample: e.exe Startdate: 16/03/2024 Architecture: WINDOWS Score: 92 67 filetransfer.io 2->67 69 store9.gofile.io 2->69 71 6 other IPs or domains 2->71 81 Antivirus detection for URL or domain 2->81 83 Sigma detected: Potentially Suspicious PowerShell Child Processes 2->83 85 Sigma detected: Legitimate Application Dropped Script 2->85 87 2 other signatures 2->87 9 cmd.exe 1 2->9         started        12 data.exe 2->12         started        15 e.exe 1 3 2->15         started        signatures3 process4 dnsIp5 101 Suspicious powershell command line found 9->101 17 powershell.exe 14 23 9->17         started        22 conhost.exe 9->22         started        79 store9.gofile.io 206.168.190.239, 443, 49746 MASSIVE-NETWORKSUS United States 12->79 103 Tries to harvest and steal browser information (history, passwords, etc) 12->103 105 Excessive usage of taskkill to terminate processes 12->105 24 conhost.exe 12->24         started        26 taskkill.exe 12->26         started        28 taskkill.exe 12->28         started        32 17 other processes 12->32 30 cmd.exe 2 15->30         started        signatures6 process7 dnsIp8 65 filetransfer.io 104.21.13.139, 443, 49729, 49730 CLOUDFLARENETUS United States 17->65 59 C:\Users\user\AppData\Local\Temp\data.exe, PE32+ 17->59 dropped 89 Powershell drops PE file 17->89 34 data.exe 37 17->34         started        39 conhost.exe 17->39         started        41 schtasks.exe 1 17->41         started        61 C:\Users\user\AppData\Local\...\KgZvPA3S.bat, ASCII 30->61 dropped 91 Suspicious powershell command line found 30->91 93 Uses schtasks.exe or at.exe to add and modify task schedules 30->93 43 conhost.exe 30->43         started        45 certutil.exe 3 2 30->45         started        47 cmd.exe 1 30->47         started        49 schtasks.exe 1 30->49         started        file9 signatures10 process11 dnsIp12 73 store3.gofile.io 136.175.10.233, 443, 49742 PINELLAS-COUNTYUS Reserved 34->73 75 api.gofile.io 151.80.29.83, 443, 49739, 49745 OVHFR Italy 34->75 77 3 other IPs or domains 34->77 63 C:\Users\user\AppData\Roaming\...\data.exe, PE32+ 34->63 dropped 95 Drops PE files to the startup folder 34->95 97 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 34->97 99 Excessive usage of taskkill to terminate processes 34->99 51 powershell.exe 19 34->51         started        53 powershell.exe 9 34->53         started        55 taskkill.exe 1 34->55         started        57 17 other processes 34->57 file13 signatures14 process15
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/af5086d88a322f101c7f772e1af59652a8170038b9935aa677e26ae3f2ba43b0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af5086d88a322f101c7f772e1af59652a8170038b9935aa677e26ae3f2ba43b0/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5iinwekgixrahd7o4xbv5mwkkuboabyxgjvvjtx4jvoh4v2ioya._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/240316-tkmsxagc75/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Unpacked files
SH256 hash:
af5086d88a322f101c7f772e1af59652a8170038b9935aa677e26ae3f2ba43b0
MD5 hash:
547e4fb629a2249d9c123254ef3042e0
SHA1 hash:
7ee7fa3252f06af4c114af46f2ecbf33392c33c2
Link:
https://www.unpac.me/results/86fc3432-e800-4325-b060-343a0ac124a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af5086d88a322f101c7f772e1af59652a8170038b9935aa677e26ae3f2ba43b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Multiple
Cape
Cape
https://www.capesandbox.com/analysis/479250/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments