MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b07be8360dd11e81f6830ae467bec71cb6058523b35947a399b7abdba985c9b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker


Vendor detections: 15



SHA256 hash: b07be8360dd11e81f6830ae467bec71cb6058523b35947a399b7abdba985c9b5
SHA3-384 hash: 45873a23710743a1a6b1a9a65535ecd6c269d40286fe0e8a085aaaacc6ab1d2083f560efc96b2cbd8f9da38b445265b8
SHA1 hash: 47086c8421d2334568a255f0bcb60534d8cab9c5
MD5 hash: fe2b1a79a7f65eb5b07820eccc72a6c4
humanhash: green-network-bulldog-autumn
File name: B07BE8360DD11E81F6830AE467BEC71CB6058523B3594.exe
Signature: RecordBreaker
File size: 4'317'752 bytes
First seen: 2023-01-08 07:10:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JWkGfjqM9LYjjHyLkou1ncTXF4TpU/oco+XYzm0:JlEjq0RLkoqcjuOYzm0
Threatray: 4'022 similar samples on MalwareBazaar
TLSH: T10116331B4AF8A913E1D538F544782732F9B9B3A6C871566C61FC423836E78CF124EB85
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
167.235.156.206:6218

Intelligence


File Origin
# of uploads: 1
# of downloads: 227
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
B07BE8360DD11E81F6830AE467BEC71CB6058523B3594.exe
Verdict:
Malicious activity
Analysis date:
2023-01-08 07:12:50 UTC
Tags:
evasion loader smoke trojan opendir sinkhole socelars stealer rat redline miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
onlyLogger Loader
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
mokes overlay packed shell32.dll zusy
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
Nymaim, RedLine, Socelars, onlyLogger
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph (graph rendering not reproduced): Behavior Graph ID: 780007; Sample: B07BE8360DD11E81F6830AE467B...; Startdate: 08/01/2023; Architecture: WINDOWS; Score: 100. Main chain shown in the graph: the sample starts setup_installer.exe, which drops and starts setup_install.exe, which in turn launches three cmd.exe instances and 16 other processes that run the dropped Fri18*.exe payloads.
Threat name:
Win32.Downloader.Zenlod
Status:
Malicious
First seen:
2021-10-23 03:50:10 UTC
File Type:
PE (Exe)
Extracted files:
114
AV detection:
31 of 41 (75.61%)
Threat level:
3/5
Result
Malware family:
Score:
10/10
Tags:
family:fabookie family:nullmixer family:onlylogger family:privateloader family:redline family:smokeloader family:socelars family:tofsee family:vidar botnet:24 botnet:@new@2023 botnet:chrisnew botnet:logsdiller cloud (tg: @logsdillabot) botnet:media21 botnet:newyear aspackv2 backdoor discovery dropper evasion infostealer loader main persistence spyware stealer themida trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Unexpected DNS network traffic destination
Uses the VBS compiler for execution
ASPack v2.12-2.42
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
OnlyLogger payload
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
Modifies Windows Defender Real-time Protection settings
NullMixer
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Tofsee
Vidar
Malware Config
C2 Extraction:
Dropper Extraction:
http://62.204.41.194/me.png
http://62.204.41.194/F1.exe
http://62.204.41.194/go.png
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AsyncRat_Detection_Dec_2022
Author: Potatech
Description: AsyncRat
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: Windows_Trojan_RedLineStealer_3d9371fd
Author: Elastic Security
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security
Rule name: win_gcleaner_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.gcleaner.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments