MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7cbb84b16234707d05b1cc73c2070ce6bc67845c17953efac21b90e72d6edce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11

SHA256 hash: c7cbb84b16234707d05b1cc73c2070ce6bc67845c17953efac21b90e72d6edce
SHA3-384 hash: 2707228be25aafc6cae0b9536e9b95006c1a2812d938794b1f5a238d19275fa34c0bf7e654e33ad02cc5a26f594a59c3
SHA1 hash: b751812754f0f6bf170a3250360636661af09e98
MD5 hash: e00a16df3de4222e5ee137034dc40518
humanhash: mike-west-mountain-rugby
File name: e.exe
File size: 188'416 bytes
First seen: 2024-03-16 15:56:50 UTC
Last seen: 2024-03-16 17:26:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep: 3072:QMobR7ezAjLOZvmX1u5GWp1icKAArDZz4N9GhbkrNEkky8YI:leR7eammOp0yN90QEs
TLSH: T168046C0923E62066F0B62B7099F602835F367CA3AF7592BF1784947E0D33A849571F63
TrID:
  58.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  10.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.1% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: Anonymous
Tags: exe golang


Comment from Anonymous: gererg

Intelligence

File Origin
# of uploads: 2
# of downloads: 392
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c7cbb84b16234707d05b1cc73c2070ce6bc67845c17953efac21b90e72d6edce.exe
Verdict: Malicious activity
Analysis date: 2024-03-16 15:57:30 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
- Creating a file in the %temp% subdirectories
- Running batch commands
- Creating a process with a hidden window
- Creating a file
- Launching a process
- Creating a window
- Searching for the window
- Forced system process termination
- Enabling autorun by creating a file

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 89%
Tags: advpack CAB certutil cmd dropper explorer installer lolbin powershell rundll32 schtasks setupapi sfx shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: adwa.spyw.evad
Score: 92 / 100

Signature
- Antivirus detection for URL or domain
- Drops PE files to the startup folder
- Excessive usage of taskkill to terminate processes
- Powershell drops PE file
- Sigma detected: Legitimate Application Dropped Script
- Sigma detected: Potentially Suspicious PowerShell Child Processes
- Sigma detected: Suspicious Invoke-WebRequest Execution
- Sigma detected: Suspicious Script Execution From Temp Folder
- Suspicious powershell command line found
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Tries to harvest and steal browser information (history, passwords, etc)
- Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID: 1410196, Sample: e.exe, Startdate: 16/03/2024, Architecture: WINDOWS, Score: 92), shown as a process tree:

Start (node 2)
  Network: filetransfer.io; store9.gofile.io; 7 other IPs or domains
  Signatures: Antivirus detection for URL or domain; Sigma detected: Potentially Suspicious PowerShell Child Processes; Sigma detected: Legitimate Application Dropped Script; 2 other signatures
  Started: cmd.exe (9), cmd.exe (12), e.exe (14), 2 other processes (16)

cmd.exe (9)
  Signatures: Suspicious powershell command line found
  Started: powershell.exe (19), conhost.exe (24)

cmd.exe (12)
  Started: powershell.exe (26), conhost.exe (28)

e.exe (14)
  Started: cmd.exe (30)

2 other processes (16)
  Network: store9.gofile.io 206.168.190.239, 443, 49750 (MASSIVE-NETWORKSUS, United States)
  Signatures: Excessive usage of taskkill to terminate processes
  Started: powershell.exe (32), conhost.exe (34), conhost.exe (36), 20 other processes (38)

powershell.exe (19)
  Network: filetransfer.io 104.21.13.139, 443, 49729, 49730 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Local\Temp\data.exe (PE32+)
  Signatures: Powershell drops PE file
  Started: data.exe (40), conhost.exe (45), schtasks.exe (47)

powershell.exe (26)
  Started: data.exe (49), 2 other processes (57)

cmd.exe (30)
  Dropped: C:\Users\user\AppData\Local\...\KgZvPA3S.bat (ASCII)
  Signatures: Suspicious powershell command line found; Uses schtasks.exe or at.exe to add and modify task schedules
  Started: conhost.exe (51), 3 other processes (59)

powershell.exe (32)
  Started: conhost.exe (53), schtasks.exe (55)

data.exe (40)
  Network: api.gofile.io 51.38.43.18, 443, 49744, 49747 (OVHFR, France); ipinfo.io 34.117.186.192, 443, 49740, 49742 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\...\data.exe (PE32+)
  Signatures: Drops PE files to the startup folder; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Excessive usage of taskkill to terminate processes
  Started: powershell.exe (61), taskkill.exe (63), taskkill.exe (65), 17 other processes (73)

data.exe (49)
  Network: store10.gofile.io 31.14.70.252, 443, 49755 (LINKER-ASFR, Virgin Islands (BRITISH))
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
  Started: conhost.exe (67), tasklist.exe (69), taskkill.exe (71), 17 other processes (75)
Threat name: Win64.Trojan.Malagent
Status: Malicious
First seen: 2024-03-16 15:57:06 UTC
File Type: PE+ (Exe)
Extracted files: 36
AV detection: 10 of 24 (41.67%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: n/a
Score: 8/10
Tags: persistence spyware stealer
Behaviour
- Creates scheduled task(s)
- Enumerates processes with tasklist
- GoLang User-Agent
- Kills process with taskkill
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Uses Task Scheduler COM API
- Drops file in System32 directory
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
- Maps connected drives based on registry
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
- Blocklisted process makes network request
- Downloads MZ/PE file
Unpacked files
SHA256 hash: c7cbb84b16234707d05b1cc73c2070ce6bc67845c17953efac21b90e72d6edce
MD5 hash: e00a16df3de4222e5ee137034dc40518
SHA1 hash: b751812754f0f6bf170a3250360636661af09e98
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (FORCE_INTEGRITY) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::EqualSid, ADVAPI32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDriveTypeA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryInfoKeyA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::PeekMessageA
