MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cab876614b0a34bf3534506ef5b37f2e50579488de269eed485d9054711ddf6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	cab876614b0a34bf3534506ef5b37f2e50579488de269eed485d9054711ddf6c
SHA3-384 hash:	6d06c6ccf4781c13fec88cb7471a3438daee565d182432854ac7272e78aa7e613a6ca6921c308201897cbda4435f1ef1
SHA1 hash:	6c5d5b642eb73231455d981e67be542572da5fb9
MD5 hash:	fd147d11f98c8c462facb9cd7df51ee6
humanhash:	pip-cola-mockingbird-autumn
File name:	file
Download:	download sample
File size:	622'592 bytes
First seen:	2023-07-29 15:01:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:Y6LZdMJK/Lg5Y/s+0hj3KKvUv2HoetKFu8hItlCQ+3lFtMYZEQhkEqrHeCcCWk7f:Rdoqg5Y/sbhjKvegZ63elF0SqrHerCD
Threatray	10 similar samples on MalwareBazaar
TLSH	T1D6D4017EBA1E79F3ED5A45BE781470784B60C0FE823DD3CA8ED821A619837909F45217
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	85-217-144-143 exe

andretavare5

Sample downloaded from http://85.217.144.143/files/Ads.exe

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-07-29 16:00:44 UTC

Tags:

lgoogloader gcleaner loader opendir rat redline stealer arkei vidar smoke trojan evasion

Link:

https://app.any.run/tasks/3e49c965-08b9-4b39-bfbf-dc6e5f0c1928

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/437841/

Detection(s):

SecuriteInfo.com.Win64.RATX-gen.20765.4396.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

Creating a service

Launching a service

Loading a system driver

Creating a file in the Windows subdirectories

Сreating synchronization primitives

Creating a file in the Windows directory

Creating a process with a hidden window

Launching a process

Using the Windows Management Instrumentation requests

Enabling autorun for a service

Blocking the User Account Control

Forced shutdown of a system process

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64c529f15154a489a459ede2/reports/fbf06490-ee09-46de-93e2-fe7e5d4cca8f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/cab876614b0a34bf3534506ef5b37f2e50579488de269eed485d9054711ddf6c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/98504d77-b72e-458f-9db7-0cf6355e5aa2

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1282267

Signature

.NET source code contains very large array initializations

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cab876614b0a34bf3534506ef5b37f2e50579488de269eed485d9054711ddf6c/

Threat name:

Win64.Trojan.Fsysna

Status:

Malicious

First seen:

2023-07-29 15:02:09 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zk4hmyklbi2l6njukbxplm37fzifpfei3ytj53kilwifi4i535wa._file

Verdict:

malicious

265560df14513c5fdd9779cf5324c68d3f83e275223dd5d467a4dfbf714a3256

312a01b589aea6e8dfc11fdd5a362228970074eeec1a97d36f23f99b48b586f0

42a4626de8646d49df1c5ffa151c05c724b5b7d32d0131d0228189aff81db945

65831b6a853bb664e7f189003da9cdda832e5bcf647c1e262b3bc80acb715814

8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93

877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7

a5ae679843b00396ed2349a9ce7d3d0dc077defb4f83c89489d4c2065863e0f7

e0d6388ebe45705e7b9bf545aabc2cc83c663849c5653ca2614ddff8e99def12

fbbad7f1ea80336f2d11ec3df5d547fedcca56d3def4eb369f605122b02f3f34

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230729-sefxqsdg48/

Behaviour

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

cab876614b0a34bf3534506ef5b37f2e50579488de269eed485d9054711ddf6c

MD5 hash:

fd147d11f98c8c462facb9cd7df51ee6

SHA1 hash:

6c5d5b642eb73231455d981e67be542572da5fb9

Link:

https://www.unpac.me/results/7789e3f8-a94c-463c-b9a7-d827dc7ff3d9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cab876614b0a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cab876614b0a34bf3534506ef5b37f2e50579488de269eed485d9054711ddf6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2681759/

Cape

https://www.capesandbox.com/analysis/437841/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample