MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5d6bf421eb175009a46f849dd72aedbd1a2c23315d9de26c8643b2b45bc2ee2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5d6bf421eb175009a46f849dd72aedbd1a2c23315d9de26c8643b2b45bc2ee2
SHA3-384 hash: 36df92097f926f934017329f41fbae29b2dfde4b6490ebe124df53a9525d37036163d07f9d9ab82911e83ccbe1626eb3
SHA1 hash: 886acc6ba9b0e3bc4769c339362f40714cf184fa
MD5 hash: cd18db1724b079ed3a5728ce02f83396
humanhash: don-quiet-queen-michigan
File name:cd18db1724b079ed3a5728ce02f83396.exe
Download: download sample
File size:706'560 bytes
First seen:2023-09-03 07:21:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 77330eefb2fa8730bad1029411677376 (3 x Vidar, 2 x Smoke Loader, 1 x Tofsee)
ssdeep 12288:Z6EfT7iH5Ixu1JUfhubzLPFC5QJY3pgLUeL/:Z6UT78IeJUfhubzLdr2gLHL/
Threatray 29 similar samples on MalwareBazaar
TLSH T1B6E48D4382D17D58FA258B729F1FCAFC770DF6A18E497BA922189E2F04B1076C263715
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 000828280e0b0600
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cd18db1724b079ed3a5728ce02f83396.exe
Verdict:
Malicious activity
Analysis date:
2023-09-03 07:31:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d2c728f7-39bf-4611-9ad1-7e78ee3da70d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445782/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c5d6bf421eb175009a46f849dd72aedbd1a2c23315d9de26c8643b2b45bc2ee2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pitou
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1bde39b-40bf-4f24-9470-0683d22f1129
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1302298
Signature
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5d6bf421eb175009a46f849dd72aedbd1a2c23315d9de26c8643b2b45bc2ee2/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-09-02 13:27:29 UTC
File Type:
PE (Exe)
Extracted files:
87
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yxll6qq6wf2qbgsg7be524vo3pi2fqrtcxm54jwimq5swrn4f3ra._file
Verdict:
malicious
Similar samples:
0fc4915953e80970249125af9cc467c21477d5165f3f998a6a30275f6ffbd94c
14714772e640f22cb7df3d9527d27ddc07fa75efe0194c90f829911f339e946f
14e03b1aaa7c504927a139a2fcaba8976a7ba95a95d3aec4fb0db7f8dde4c45a
1bba9ae0ebee70298d3d5e5bb02a844e07449c945a3a6b0e744c184f1abbe6dd
201857a59c6dadb4803a329dac1ba8a5d46cfff6eddb9c80edb670cdfd8481a7
21dab36255ac4b3eedab2d41f0792637e764010b8697d057fc8e15133e9ec057
3dc6b086b9a6ad33d9999381349c3cd6509f44b4d78d0c761040dd3796bc3df0
9aded5733ec844d31a675d461968a7f3dffd3b2287cb932e8442d09c8cb2bd20
a6c64807b79ab2877fb41ac58d4d76936bfde0b614cce0862b9b2e6230335d43
cddf2ab61b0857d22423a4eef6ab476831209e7dd096776f284125d9b3162e9f
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
bootkit persistence
Link:
https://tria.ge/reports/230903-h683gsgh45/
Behaviour
Writes to the Master Boot Record (MBR)
Unpacked files
SH256 hash:
34214083ce60696dc171d58c3152856c1a0eb661a4741e22a340bdd52258b130
MD5 hash:
a88a0c4d6e13fae0fe18355522632341
SHA1 hash:
7efeee839a564461fdafc79a3c22d490137a6ef7
Link:
https://www.unpac.me/results/eae00dae-bd4b-41d4-acf5-5fe1c97e08f6/
Parent samples :
6c3faa9c54a7d44226623afee69d63114957699330dd576092965999550dd19d
f5ab502850f557c78d1ad09eb855a47ff25ce8aa00e8d67b4144a88228ebca3c
8a4eddeda8fecb5a816a28f0760ee4d0d8bf23edbda384a5913d631d676c7438
6a9ed12c03ce93c32945020a180464af9589be469a9193160f6eb7b45e4ede04
e92de9eadeef273bd294c6eceb92f750768766a79c215843e948f37b95bb6723
b565fe1734ee581763ff75a4e26f262d8268333f675d0a5bc2681950bc4ff6cc
66e164f2a4ea3b37586ceb2d699aa89e8a9475e9cd25c51476fd0a7d307df76a
SH256 hash:
c5d6bf421eb175009a46f849dd72aedbd1a2c23315d9de26c8643b2b45bc2ee2
MD5 hash:
cd18db1724b079ed3a5728ce02f83396
SHA1 hash:
886acc6ba9b0e3bc4769c339362f40714cf184fa
Link:
https://www.unpac.me/results/eae00dae-bd4b-41d4-acf5-5fe1c97e08f6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c5d6bf421eb1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5d6bf421eb175009a46f849dd72aedbd1a2c23315d9de26c8643b2b45bc2ee2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c5d6bf421eb175009a46f849dd72aedbd1a2c23315d9de26c8643b2b45bc2ee2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2628134/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/445782/

Comments