MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbf7a8e7775c9f7341819ffc7d2a2c2519bd87cd1884a527b249a60995f1fb5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbf7a8e7775c9f7341819ffc7d2a2c2519bd87cd1884a527b249a60995f1fb5b
SHA3-384 hash: 2702e50e31d76da9a5d35ee0cb748cc0854145ad493020416fbb8297d39214e4ebea393dbab78b53bc105815b3f4a3db
SHA1 hash: 2dd95f77ca909cb4f0a98187d39f8d86af1df39c
MD5 hash: 55e23e1fe5c4051b85cc6aa7c1399ac8
humanhash: purple-yellow-virginia-mockingbird
File name:file
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:1'110'016 bytes
First seen:2023-05-18 19:27:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcc64241b6c54450be7b9c57ec0906c2 (4 x RedLineStealer, 2 x AsyncRAT, 1 x RecordBreaker)
ssdeep 24576:5mJZW2wSdIHuiCyhuGaD0y13DrmmfVpd+c2ZAa7ZRaH1F+g4:5mJZW2FIOiCIuGaD0yh/zvd+c2ZAafa7
TLSH T175357C4973A441ADFEA7E176C623C607D7B178460277862F01E4AB766F337712A2E321
TrID 90.1% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
0.9% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter andretavare5
Tags:exe RemoteManipulator


Avatar
andretavare5
Sample downloaded from http://vtope.info/app/files/dc/id27315001/compan.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-18 19:28:11 UTC
Tags:
loader redline stealer arkei vidar rat rurat evasion miner
Link:
https://app.any.run/tasks/d65824e3-3a82-4d8b-9f6c-f0a7294fed21

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67000300.24557.32058.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a file
Creating a process with a hidden window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
71%
Tags:
autoit greyware keylogger lolbin packed shell32.dll
Link:
https://www.filescan.io/uploads/64667c42c65707af6442f8e9/reports/33a3d621-67fa-40f1-8129-2ac596a30935/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cbf7a8e7775c9f7341819ffc7d2a2c2519bd87cd1884a527b249a60995f1fb5b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Remote Utilities RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c5d93ee-9c30-401e-bd58-5ba38a8e867c
Result
Threat name:
RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1236308
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 869301 Sample: file.exe Startdate: 18/05/2023 Architecture: WINDOWS Score: 100 118 Snort IDS alert for network traffic 2->118 120 Multi AV Scanner detection for domain / URL 2->120 122 Found malware configuration 2->122 124 15 other signatures 2->124 10 file.exe 25 2->10         started        process3 dnsIp4 96 ilonamaska.info 193.42.108.63, 49701, 49705, 80 THREE-W-INFRA-AS--TRANSIT--NL Russian Federation 10->96 98 api.ip.sb 10->98 70 C:\Users\user\AppData\Local\...\68926097.exe, PE32 10->70 dropped 72 C:\Users\user\AppData\...\1867886717.exe, PE32 10->72 dropped 74 C:\Users\user\AppData\...\1867799330.exe, PE32 10->74 dropped 76 3 other malicious files 10->76 dropped 128 Contains functionality to modify clipboard data 10->128 15 1867886717.exe 2 10->15         started        19 1867799330.exe 15 4 10->19         started        22 1867886717.exe 10->22         started        24 2 other processes 10->24 file5 signatures6 process7 dnsIp8 78 C:\Users\user\AppData\...\1867886717.tmp, PE32 15->78 dropped 100 Obfuscated command line found 15->100 26 1867886717.tmp 3 12 15->26         started        86 operalan.info 193.42.110.84, 49702, 80 THREE-W-INFRA-AS--TRANSIT--NL Russian Federation 19->86 88 192.168.2.1 unknown unknown 19->88 90 api.ip.sb 19->90 102 Antivirus detection for dropped file 19->102 104 Multi AV Scanner detection for dropped file 19->104 106 Detected unpacking (changes PE section rights) 19->106 114 9 other signatures 19->114 80 C:\Users\user\AppData\...\1867886717.tmp, PE32 22->80 dropped 29 1867886717.tmp 22->29         started        92 t.me 149.154.167.99, 443, 49706 TELEGRAMRU United Kingdom 24->92 94 5.75.234.140, 49707, 8333 HETZNER-ASDE Germany 24->94 108 Detected unpacking (overwrites its own PE header) 24->108 110 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->110 112 Tries to harvest and steal browser information (history, passwords, etc) 24->112 file9 signatures10 process11 file12 58 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 26->58 dropped 60 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 26->60 dropped 31 1867886717.exe 2 26->31         started        62 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 29->62 dropped 64 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 29->64 dropped 35 1867886717.exe 29->35         started        process13 file14 82 C:\Users\user\AppData\...\1867886717.tmp, PE32 31->82 dropped 116 Obfuscated command line found 31->116 37 1867886717.tmp 5 21 31->37         started        84 C:\Users\user\AppData\...\1867886717.tmp, PE32 35->84 dropped 40 1867886717.tmp 35->40         started        signatures15 process16 file17 46 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 37->46 dropped 48 C:\ProgramData\Usoris\...\ssleay32.dll (copy), PE32 37->48 dropped 50 C:\ProgramData\Usoris\...\msimg32.dll (copy), PE32 37->50 dropped 56 9 other files (8 malicious) 37->56 dropped 42 Silverlight.Configuration.exe 37->42         started        52 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 40->52 dropped 54 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 40->54 dropped process18 file19 66 C:\ProgramData\...\MSIMG32.dll.bak (copy), PE32 42->66 dropped 68 C:\ProgramData\Usoris\LogsOld\MSIMG32.dll, PE32 42->68 dropped 126 Detected unpacking (creates a PE file in dynamic memory) 42->126 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbf7a8e7775c9f7341819ffc7d2a2c2519bd87cd1884a527b249a60995f1fb5b/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-11 23:23:08 UTC
File Type:
PE+ (Exe)
Extracted files:
22
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zp32rz3xlspxgqmbt76h2krmeum33b6ndcckkj5sjgtatfpr7nnq._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:e6f100c218428ad878a776e2586defcf discovery evasion infostealer persistence spyware stealer
Link:
https://tria.ge/reports/230518-x6mxksce4s/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Sets DLL path for service in the registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine payload
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199263069598
https://t.me/cybehost
Unpacked files
SH256 hash:
cbf7a8e7775c9f7341819ffc7d2a2c2519bd87cd1884a527b249a60995f1fb5b
MD5 hash:
55e23e1fe5c4051b85cc6aa7c1399ac8
SHA1 hash:
2dd95f77ca909cb4f0a98187d39f8d86af1df39c
Link:
https://www.unpac.me/results/bb8dc8f8-898d-4596-af79-abfb7e8b11f0/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cbf7a8e7775c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbf7a8e7775c9f7341819ffc7d2a2c2519bd87cd1884a527b249a60995f1fb5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:possible_trojan_banker
Create hunting rule
Author:@johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2636839/

Comments