MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b37f7be1a4d8373425660e726dbeb8ab32be2b94ea36ae2481db6f1c144e9735. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b37f7be1a4d8373425660e726dbeb8ab32be2b94ea36ae2481db6f1c144e9735
SHA3-384 hash: c1ecba0ef87f05b577848f05a8034f90dd662a19348b362a72e452b4cc85465beaa637a581d8e17a440760b7bfb576cd
SHA1 hash: a2e31ca07adcd051da30204fc00f1c746336b64d
MD5 hash: 79de5ff2273d613a14ca4c8edff7d5ec
humanhash: cold-zulu-ink-speaker
File name:discoversophisticatedpro.exe
Download: download sample
File size:687'616 bytes
First seen:2023-10-10 17:37:25 UTC
Last seen:2023-10-10 18:35:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 12288:riPy90bci5kC6Ohme946BoFYZ7uW9ow1mgESL0rDXOn3Cy3szC5:rUyCci5L6OhLCmv7hetSSXO3CKz
Threatray 46 similar samples on MalwareBazaar
TLSH T168E4124963E911FAE0B607B499F3039359317C769B2483EF22C0D66E4E33AD1A472B57
TrID 83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
discoversophisticatedpro.exe
Verdict:
Malicious activity
Analysis date:
2023-10-10 17:38:38 UTC
Tags:
opendir
Link:
https://app.any.run/tasks/07658067-8a23-4545-9661-63229a61e242

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/452957/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.24977.5642.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack CAB control explorer installer lolbin lolbin packed replace rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/65258bfce509ddb6cd20408d/reports/0ece7a08-4bdb-4f60-ab1c-585186fad772/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b37f7be1a4d8373425660e726dbeb8ab32be2b94ea36ae2481db6f1c144e9735
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01e2f0be-69a6-421b-89a5-fddfd3353751
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b37f7be1a4d8373425660e726dbeb8ab32be2b94ea36ae2481db6f1c144e9735/
Threat name:
Win64.Spyware.Lummastealer
Create hunting rule
Status:
Suspicious
First seen:
2023-10-09 18:54:20 UTC
File Type:
PE+ (Exe)
Extracted files:
63
AV detection:
13 of 38 (34.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wn7xxyne3a3tijlgbzzg3pvyvmzl4k4u5i3k4jeb3nxryfcos42q._file
Verdict:
malicious
Similar samples:
5c7e18764c02e02117f91213a2f66e63265d3ed30c0ea8ae1c9be8ff5ee4ba43
820e1b2bff7decc1832bc8804a8329eb79278bcffce98a525fd12de46f89fffb
89bc9fdb7d1d93a49c7cf3ccfff8ec5c174a44dd580e63e3cb47de448e9daefc
8ca0436b72f946ce0c6c5613e991444c69c2e3cc79a43da4e54d49c95ac362d2
b835220d18074195e2df569e8088470b7f400c334aef1dd54dfe30e2019dab7a
c0f5b22257f6ca8bd61739371c6431f50a5bd80e2091c30888046bf981b9f006
db6d0d7d8fbb083af05032fa8d3d516cf789f2f81fc651749e77bb4f7ba4e5ee
f4ec042b3b9d605d34a32d37c19a100e50f1ab5242f02f826d683ee6f742810a
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/231010-v7p28afa7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
b37f7be1a4d8373425660e726dbeb8ab32be2b94ea36ae2481db6f1c144e9735
MD5 hash:
79de5ff2273d613a14ca4c8edff7d5ec
SHA1 hash:
a2e31ca07adcd051da30204fc00f1c746336b64d
Link:
https://www.unpac.me/results/b28405f6-8d64-4da5-b7ec-0bd2c61328cf/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/452957/

Comments