MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b92954435c64b6f4866b55f050c60b5cde23752839399bc7939a928f68c97125. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b92954435c64b6f4866b55f050c60b5cde23752839399bc7939a928f68c97125
SHA3-384 hash: 0a58bf2252daae1e8cf87f7734383589117f82e85649ced4ecb920a8552afbbef4ee36c4e348d8610dbd1a0e2e6a495c
SHA1 hash: 53ddd82744110f6d8197efdb02b8384a8244b702
MD5 hash: 1c4536318dd22418a7c404f2706f76b8
humanhash: yellow-michigan-yankee-triple
File name:rolle.exe
Download: download sample
File size:660'480 bytes
First seen:2022-02-24 07:19:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 917b0dc587f632b60bbe39ab8c418265 (2 x RedLineStealer, 1 x ArkeiStealer, 1 x DanaBot)
ssdeep 12288:zKy0Y6vmX/lgJyQgmi2H9RWo916B7lytxh7k5of:zKy0Y6v8Vmi2H9RWoIqQmf
Threatray 904 similar samples on MalwareBazaar
TLSH T1D2E402E0F6919875C001323D89D2CEE1497EAC61CDA44B4772B93B9F2E222D177AD24F
File icon (PE):PE icon
dhash icon 367e7c7d727e6e72 (2 x Gozi, 1 x RedLineStealer, 1 x RaccoonStealer)
Reporter adm1n_usa32
Tags:AHK exe packer RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rolle.exe
Verdict:
Malicious activity
Analysis date:
2022-02-24 07:18:42 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/62e75413-8cf8-4b5d-8d4d-13d93ac8e6ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/244085/
Detection(s):
Win.Dropper.Stop-9938042-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7245/overview
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/621731aea6f52d32f17e7e79/reports/ef78edde-1d65-4d5b-853d-bdedbd4db2da/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b153e119-5d10-405c-b72a-d9b2fc189fe7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/945427
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
May check the online IP address of the machine
Sample or dropped binary is a compiled AutoHotkey binary
Yara detected Autohotkey Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b92954435c64b6f4866b55f050c60b5cde23752839399bc7939a928f68c97125/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 07:20:17 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2c49fcbd5eda5275d8d2ef98ee7e0c63d978b6d904e3e750ea9d01e52fe16ce9
53284c3dc0078ff9aa534d3401a7cb1235e10a301d84dc362d6d2384cfbf7b64
56288aa7af61d7110f116681c6785f3ac6ffc269bd7a6a5051040b803c4dbea4
63116a7686b86bf85bfc4e27fa6f465f8dea270f165c431cac19dd647579fbc5
649e5e1c05c2ff3fccd6e395b30c8d7ff097f3dbcc201f5752da152b5c2c4466
8fcfdca4fec3425766fc7a684dbfbb471766633a288d5d449ebe4c0e0bc0431f
a8065894783bc05b961b4ce6a0d8a3dd0d1edcc83b294b18df7af0dab0db430a
c0c99503cd7560d2ddc3d77662e298d4cc123b358e84d5972ef6b8eba02d0520
fa38a8bfa024e668a67198bb86add37c4c3b080295b078f9b5e5fe92709b8adc
+ 894 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/220224-h54rdadebn/
Behaviour
Checks processor information in registry
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
86cec2665ff431668f274fecddf883fb5b532c06ee1a495ce60d5fbbb90c3a33
MD5 hash:
f7246b8631cad60d643fe3625a823397
SHA1 hash:
3aabf69029480970b338bb37a511d307aaf40c79
Link:
https://www.unpac.me/results/1ec49e41-cd45-415f-9938-c7bf52b94094/
SH256 hash:
b92954435c64b6f4866b55f050c60b5cde23752839399bc7939a928f68c97125
MD5 hash:
1c4536318dd22418a7c404f2706f76b8
SHA1 hash:
53ddd82744110f6d8197efdb02b8384a8244b702
Link:
https://www.unpac.me/results/1ec49e41-cd45-415f-9938-c7bf52b94094/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b92954435c64b6f4866b55f050c60b5cde23752839399bc7939a928f68c97125

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/62e75413-8cf8-4b5d-8d4d-13d93ac8e6ee/
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/244085/
  
URLhaus
https://urlhaus.abuse.ch/url/1942109/

Comments


Avatar
Adm1n 32 USA commented on 2022-03-03 05:04:26 UTC

based on intezer analysis

gets redlinestealer from contacted url, packed with some AHK scripts