MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0b649dec72a9272fed5d4b7bae97ee80ea37044aea6e2fbcf94923b54c792d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	b0b649dec72a9272fed5d4b7bae97ee80ea37044aea6e2fbcf94923b54c792d9
SHA3-384 hash:	f08d61f628f52fcb1f4a19ef82646290b903947d77099ae2c2fb967e146f103780912da8c947b9ee68e7665df0030864
SHA1 hash:	9ee861e571accd26231f7f57fcd4188f30fc791f
MD5 hash:	f54931aaae6cff496f607d6991cc1437
humanhash:	nineteen-mississippi-mexico-colorado
File name:	helpscientistpro.exe
Download:	download sample
File size:	1'012'736 bytes
First seen:	2023-10-10 17:37:14 UTC
Last seen:	2023-10-10 18:35:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 68 x LummaStealer, 61 x Rhadamanthys)
ssdeep	24576:gkyp1JoBUuGY53v4uMg9nSYo9Mfl0eVuYWQ3P:8nJoBVT53QqJoKfueVK
Threatray	23 similar samples on MalwareBazaar
TLSH	T1F22523462BE91266E4F4A3754CF202879A32B8A14F3583FF22C5997D5E327C17931B1B
TrID	83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 4.4% (.EXE) Win64 Executable (generic) (10523/12/4) 2.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	Anonymous
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0b9498e7fc5fea387150376b5f997525

Verdict:

Malicious activity

Analysis date:

2023-10-09 13:12:29 UTC

Tags:

opendir

Link:

https://app.any.run/tasks/8474df3c-9d31-4d83-9476-99851e8fd3af

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/452956/

Detection(s):

SecuriteInfo.com.Win64.Malware-gen.26317.22980.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file

DNS request

Sending an HTTP POST request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/b0b649dec72a9272fed5d4b7bae97ee80ea37044aea6e2fbcf94923b54c792d9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/43d9cbf1-96bb-4fc4-b8d6-5bde7151c0bc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b0b649dec72a9272fed5d4b7bae97ee80ea37044aea6e2fbcf94923b54c792d9/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2023-10-09 13:06:05 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

12 of 36 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wc3etxwhfkjhf7wv2s33v2l65ahkg4cev2tof66pssjdwvghslmq._file

Verdict:

malicious

02522d0f348287c34fe5151fcd556f2f9fb9efe532af705638ea0f2a39dd2434

06578cd5ced41347d5629f398a9806ac509eb7a799e020994d349effd5a9194c

257891b32e5b952cf172a11affd291e4964ec9c1b24e51e174a4146503f8164a

37d9c4e523e17ea2111fa669884bf215b4103ebaa1b3cf93fa0b7cde3bbcef63

54a730e5183a57a65dc6fa64170a3d75fa870677fb54d563b3b867a2d6208548

92f94ba0c124a7a8158ce117d838c026035116e2ab2565ebc437575ddf87eeea

9554e7ef83f9c1aabed52be7a308d7e25c99e7d71e006146aee045d29784f92d

b3d56a631e43676eda5b849e86b422b690faea632161e5dee989b4836ab4574a

e3918d1a379ce63babeab599ef8897ce97001017680702dfc8b5ca8ff1808b54

+ 13 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery persistence spyware stealer

Link:

https://tria.ge/reports/231010-v7p28afa7v/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

b0b649dec72a9272fed5d4b7bae97ee80ea37044aea6e2fbcf94923b54c792d9

MD5 hash:

f54931aaae6cff496f607d6991cc1437

SHA1 hash:

9ee861e571accd26231f7f57fcd4188f30fc791f

Link:

https://www.unpac.me/results/ae5b1739-d3ec-427f-a2f7-31584fc22ed7/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/452956/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample