MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 17


Intelligence 17 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
SHA3-384 hash: 297879797f8094c7eca067f0bfbe4e4cb1a22e804b97977d4daa73a9dd3ebd4f1f3c52306943683c3747344d965d638f
SHA1 hash: 23c5bb5b6f242ed1ab39e8fb9fb392725c127a86
MD5 hash: 363a8a59588691360395d90df358516a
humanhash: papa-colorado-alpha-juliet
File name:HEUR-Trojan.Win32.Agent.gen-c5bf77877c8b8254f.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:3'518'498 bytes
First seen:2023-01-16 12:30:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:Jycrib2sDbwRe5CFRihsPix1u1BCiJtv3LykrEfeI:JQDDbwA5ARih4i1u3LykrqL
Threatray 1'745 similar samples on MalwareBazaar
TLSH T103F533A04DFA5C07FEEF8BB40F3A12763EFD440F3198A2046B54EA3A7670597898C559
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://62.204.41.27/9djZdj09/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
HEUR-Trojan.Win32.Agent.gen-c5bf77877c8b8254f.exe
Verdict:
Malicious activity
Analysis date:
2023-01-16 12:33:06 UTC
Tags:
evasion trojan socelars stealer loader
Link:
https://app.any.run/tasks/632f2aa7-7881-4cad-a54a-c08a26fa5c65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fabookie Infostealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/353408/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Trojan.Jaik-9862229-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Trojanx-9873669-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Trojan.SmokeLoader-9874731-1
Create hunting rule

Win.Packed.Trojanx-9881947-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Moving a recently created file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Reading critical registry keys
Launching a process
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/60677/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult barys emotet graftor overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63c54387e40648ad3ece39f9/reports/2a1e09c5-dc3b-45e5-a206-4fd327592cfb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ca16893-828a-4c1f-958f-1d199aaeaf3b
Result
Threat name:
Amadey, PrivateLoader, Raccoon Stealer v
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1152359
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 785091 Sample: HEUR-Trojan.Win32.Agent.gen... Startdate: 16/01/2023 Architecture: WINDOWS Score: 100 158 Snort IDS alert for network traffic 2->158 160 Multi AV Scanner detection for domain / URL 2->160 162 Malicious sample detected (through community Yara rule) 2->162 164 20 other signatures 2->164 12 HEUR-Trojan.Win32.Agent.gen-c5bf77877c8b8254f.exe 10 2->12         started        process3 file4 108 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->108 dropped 15 setup_installer.exe 14 12->15         started        process5 file6 110 C:\Users\user\AppData\Local\...\sotema_6.txt, PE32 15->110 dropped 112 C:\Users\user\AppData\Local\...\sotema_5.txt, PE32 15->112 dropped 114 C:\Users\user\AppData\Local\...\sotema_4.txt, PE32 15->114 dropped 116 9 other files (8 malicious) 15->116 dropped 154 Multi AV Scanner detection for dropped file 15->154 156 Writes a notice file (html or txt) to demand a ransom 15->156 19 setup_install.exe 1 15->19         started        signatures7 process8 dnsIp9 144 razino.xyz 19->144 146 127.0.0.1 unknown unknown 19->146 100 C:\Users\user\AppData\...\sotema_6.exe (copy), PE32 19->100 dropped 102 C:\Users\user\AppData\...\sotema_5.exe (copy), PE32 19->102 dropped 104 C:\Users\user\AppData\...\sotema_4.exe (copy), PE32 19->104 dropped 106 3 other malicious files 19->106 dropped 202 Antivirus detection for dropped file 19->202 204 Multi AV Scanner detection for dropped file 19->204 206 Detected unpacking (changes PE section rights) 19->206 208 2 other signatures 19->208 24 cmd.exe 1 19->24         started        26 cmd.exe 1 19->26         started        28 cmd.exe 1 19->28         started        30 6 other processes 19->30 file10 signatures11 process12 dnsIp13 33 sotema_5.exe 24->33         started        38 sotema_2.exe 1 26->38         started        40 sotema_1.exe 5 28->40         started        152 20.42.73.29 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->152 42 sotema_4.exe 1 30->42         started        44 sotema_6.exe 30->44         started        46 sotema_3.exe 12 30->46         started        process14 dnsIp15 130 212.193.30.115 SPD-NETTR Russian Federation 33->130 132 136.144.41.133, 80 WORLDSTREAMNL Netherlands 33->132 140 15 other IPs or domains 33->140 84 C:\Users\...\vZy4y2eEf7UoQ5tHHQV68SYt.exe, PE32 33->84 dropped 86 C:\Users\...\u5r4gxRkI_bA2pc929IvaSsH.exe, PE32+ 33->86 dropped 88 C:\Users\...\l_bCfNGv9xKhuV5p_QJeYgm0.exe, PE32 33->88 dropped 98 13 other malicious files 33->98 dropped 180 Drops PE files to the document folder of the user 33->180 182 Creates HTML files with .exe extension (expired dropper behavior) 33->182 184 Tries to harvest and steal browser information (history, passwords, etc) 33->184 186 Disable Windows Defender real time protection (registry) 33->186 90 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 38->90 dropped 188 DLL reload attack detected 38->188 190 Detected unpacking (changes PE section rights) 38->190 192 Renames NTDLL to bypass HIPS 38->192 200 3 other signatures 38->200 48 explorer.exe 38->48 injected 92 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 40->92 dropped 53 rundll32.exe 40->53         started        134 99.83.154.118 AMAZON-02US United States 42->134 136 ip-api.com 208.95.112.1, 49702, 80 TUT-ASUS United States 42->136 142 3 other IPs or domains 42->142 94 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 42->94 dropped 194 May check the online IP address of the machine 42->194 55 jfiag3g_gg.exe 42->55         started        57 jfiag3g_gg.exe 42->57         started        96 C:\Users\user\AppData\Local\...\sotema_6.tmp, PE32 44->96 dropped 196 Obfuscated command line found 44->196 59 sotema_6.tmp 44->59         started        138 74.114.154.18 AUTOMATTICUS Canada 46->138 198 Detected unpacking (overwrites its own PE header) 46->198 61 WerFault.exe 46->61         started        file16 signatures17 process18 dnsIp19 118 204.11.56.48 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 48->118 120 206.119.99.162 COGENT-174US United States 48->120 122 45.200.38.91 Africa-on-Cloud-ASZA Seychelles 48->122 76 C:\Users\user\AppData\Roaming\dfgiahb, PE32 48->76 dropped 166 System process connects to network (likely due to code injection or exploit) 48->166 168 Benign windows process drops PE files 48->168 170 Hides that the sample has been downloaded from the Internet (zone.identifier) 48->170 172 Writes to foreign memory regions 53->172 174 Allocates memory in foreign processes 53->174 176 Creates a thread in another existing process (thread injection) 53->176 63 svchost.exe 53->63 injected 66 svchost.exe 53->66 injected 68 svchost.exe 53->68 injected 70 9 other processes 53->70 178 Multi AV Scanner detection for dropped file 55->178 124 194.163.135.248 NEXINTO-DE Germany 59->124 126 idowload.com 185.227.110.219, 80 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 59->126 78 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 59->78 dropped 80 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 59->80 dropped 82 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 59->82 dropped 128 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 61->128 file20 signatures21 process22 signatures23 212 System process connects to network (likely due to code injection or exploit) 63->212 214 Sets debug register (to hijack the execution of another thread) 63->214 216 Modifies the context of a thread in another process (thread injection) 63->216 72 svchost.exe 63->72         started        process24 dnsIp25 148 email.yg9.me 35.241.7.66 GOOGLEUS United States 72->148 150 192.168.2.1 unknown unknown 72->150 210 Query firmware table information (likely to detect VMs) 72->210 signatures26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2021-06-26 00:25:30 UTC
File Type:
PE (Exe)
Extracted files:
201
AV detection:
29 of 39 (74.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yw7xpb34robfj73dgibzoqauir4iw37466yppvgdd7xs2aqtfzgq._file
Verdict:
malicious
Similar samples:
045a93ee4aa61fd3bb2c7f706085a249b9664876b7a2e5d8282129ac6df15be2
RecordBreaker
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
RecordBreaker
4618fb57958c19496e668916d769cb40e6bb0a0af0fbb1ff73ee89e701f3fe9b
RecordBreaker
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
RecordBreaker
84b3387d512191b0764fde9a03d827cb42ffe33d864b115b959c61a0147aa64d
RecordBreaker
c576f31c42f0b76fdfa15f578e94b29d8d41e9960075d4f603a825aa4c67f77a
RecordBreaker
fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b
RecordBreaker
+ 1'735 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:fabookie family:nullmixer family:privateloader family:raccoon family:redline family:smokeloader family:vidar botnet:1 botnet:1111223333 botnet:64b445f2d85b7aeb3d5c7b23112d6ac3 botnet:706 botnet:@new@2023 botnet:andriii_ff botnet:gula botnet:logsdiller cloud (tg: @logsdillabot) botnet:medi2 aspackv2 backdoor dropper evasion infostealer loader spyware stealer themida trojan upx vmprotect
Link:
https://tria.ge/reports/230116-pp2emsfa29/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops Chrome extension
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Unexpected DNS network traffic destination
Uses the VBS compiler for execution
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Amadey
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
Modifies Windows Defender Real-time Protection settings
NullMixer
PrivateLoader
Raccoon
RedLine
RedLine payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://razino.xyz/
https://sergeevih43.tumblr.com/
77.73.133.62:22344
185.244.181.112:33056
51.210.137.6:47909
62.204.41.27/9djZdj09/index.php
http://45.15.156.209/
62.204.41.211:4065
167.235.156.206:6218
librchichelpai.shop:81
rniwondunuifac.shop:81
82.115.223.9:15486
Unpacked files
SH256 hash:
f25fc786c068e7fb8d328a6d0314d448a455cc40d4bae93b850bd7921a92565a
MD5 hash:
9e5af49adebd237165adc274659a751a
SHA1 hash:
558087e9f632c5b7863f3e88f05fa5dec178915d
Detections:
win_pseudo_manuscrypt_auto
Create hunting rule
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
Parent samples :
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
1a27e7943700b31774ab4347b5d2f92be9a50b8a7daeab5b066a0af53c11cdec
3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
a62e5c321acf5b890bd7a235ea62b8a4061e9ceb1273310ac5ccae57d583cc5e
7236d2230905b8b69837f4771afd6cfedf8f53fa370bc6e40adde9d29a0b7153
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247
SH256 hash:
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
MD5 hash:
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 hash:
b968c57a14ddada4128356f6e39fb66c6d864d3f
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash:
4de4b7bc0a92902422c4204fcfa58150
SHA1 hash:
587e0299ea32cc836281998941daa60f471e3480
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash:
7165e9d7456520d1f1644aa26da7c423
SHA1 hash:
177f9116229a021e24f80c4059999c4c52f9e830
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
796e9d8fb1b6857dccc422e0e1d40b365f87bc2cd15cd2a9c0b76a129fe9766d
MD5 hash:
21660edd8eb4141e734f65d0fe6e513a
SHA1 hash:
caa11e8c2a45c7dcc79f642bd5d97b59a0de67a0
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
Parent samples :
c03c8a4852301c1c54ed27ef130d0de4cdfb98584adef3dda2a096177016a18b
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
1a27e7943700b31774ab4347b5d2f92be9a50b8a7daeab5b066a0af53c11cdec
3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
a62e5c321acf5b890bd7a235ea62b8a4061e9ceb1273310ac5ccae57d583cc5e
7236d2230905b8b69837f4771afd6cfedf8f53fa370bc6e40adde9d29a0b7153
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
8b5a4e40ae69a6a40919083275f37fc759ab609f0aa9d2269135c34a3fe3f053
SH256 hash:
fcb8d43635aa485c8b25f1140ba4e56f6f0cbf3054d5dedc96a851d4731a2a6f
MD5 hash:
695c2eff3b7705b6a2d4d25a2692c132
SHA1 hash:
73c2dffcf2e7170d8bfda8cc7282b2bf7bb5f199
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
Parent samples :
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
1a27e7943700b31774ab4347b5d2f92be9a50b8a7daeab5b066a0af53c11cdec
3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
a62e5c321acf5b890bd7a235ea62b8a4061e9ceb1273310ac5ccae57d583cc5e
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
e79f148128e425bd5353039f515bd64a9b562ac0897306d81dad0b529ffbea3a
SH256 hash:
91c3938f8f907e2736a829ada89ae22471ebf464b971f45ebac9cbd5fcb9890f
MD5 hash:
a1c636ef83b200ca7ca1be84a896f2c7
SHA1 hash:
f371d08a15d6ba6392e554e2b1fb0ab4f8db1f2a
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
MD5 hash:
5668cb771643274ba2c375ec6403c266
SHA1 hash:
dd78b03428b99368906fe62fc46aaaf1db07a8b9
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
MD5 hash:
89c739ae3bbee8c40a52090ad0641d31
SHA1 hash:
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
1867e84c30240cc2834f75f38ba3e34ea28ee287128ed694039be7b38a4bde0c
MD5 hash:
f7358e0eb2be6f33b7b472216a1b9af9
SHA1 hash:
809f6e6f7cb8d9333a16126221f1bc291fd09477
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
ba2e7b2b3be8430306f3f4c6ed3e16e9d11787e3e9ae00ceb58a790602e8d065
MD5 hash:
72b50ef11d6af5f78130843b725774d9
SHA1 hash:
6bc06fa5204c0d601304cad54275ab2c5d6396e0
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
d43979eb205824fed0c5c37b95d93d090268ecde76e1ba2cb6b67733b0592c62
MD5 hash:
96af2c79a790d9fae18c6caffd2a9aff
SHA1 hash:
4b0fed687fb10a3d10f9812969e6da0586b790c4
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
0580678f81e9801e3678c5d4cf1cfe674aa52ce95092e67908d6a7d4192a429b
MD5 hash:
51e7f03ae54c977764c32b0dedf0b9ac
SHA1 hash:
03cf8e81b1b8a96097c9e3da11f925e7dc6819b7
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_auto
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
Parent samples :
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
1a27e7943700b31774ab4347b5d2f92be9a50b8a7daeab5b066a0af53c11cdec
3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
0580678f81e9801e3678c5d4cf1cfe674aa52ce95092e67908d6a7d4192a429b
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
8c0dd05d1c913914ab648112742f0aebd967ca4ae90f0795830003440251f112
MD5 hash:
2bdd647c1a6da68d0554a22172ba4b9e
SHA1 hash:
127e6299339e9e07b1f3bc982f65a0bfee242595
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
SH256 hash:
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
MD5 hash:
363a8a59588691360395d90df358516a
SHA1 hash:
23c5bb5b6f242ed1ab39e8fb9fb392725c127a86
Link:
https://www.unpac.me/results/c6a9d1e7-3e7e-4f89-a2c8-8ba26fbf0336/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c5bf77877c8b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Vidar_114258d5
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Vidar_9007feb2
Create hunting rule
Author:Elastic Security
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353408/

Comments