MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd7445464e18fd8260e6a924e0795c9b09696eb2dbc7dd9f62794b6530ecca9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Spambot.Kelihos
Vendor detections: 11

SHA256 hash: cd7445464e18fd8260e6a924e0795c9b09696eb2dbc7dd9f62794b6530ecca9d
SHA3-384 hash: 3257f6e9d1ac7dd2484c3776e44a70d0a7daf4df30f9b79fc3dee0582d4ecb0b605e4d29825249ec39a40af332e61852
SHA1 hash: e0a757fde5d8f0fbb3793c4b94ee0277cdc33c05
MD5 hash: edb9fc093a8a62a8d566b026d8691055
humanhash: moon-golf-twelve-sad
File name: EDB9FC093A8A62A8D566B026D8691055.exe
Signature: Spambot.Kelihos
File size: 2'450'717 bytes
First seen: 2021-09-13 15:50:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 49152:xcBrYpjXCXYEcksfFOb1aTZEh63rEvc4OTNUl4RNBtvlc8zaHYCrnR8:xk8bCIFga1EAQv/Oal4HBty8zaHYE8
Threatray: 544 similar samples on MalwareBazaar
TLSH: T111B53321B6FA81F3C54AB0369E019FB674FEC3541E3A61C72328930A6F7E451D13679A
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe Spambot.Kelihos
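The imphash on this entry is shared with 122 RedLineStealer, 42 DiamondFox and 37 RaccoonStealer samples, which is what one expects when unrelated payloads are wrapped by the same packer or installer: the hash covers only the import table of the outer executable. As an added example (not part of this MalwareBazaar page or of its tooling), the Python below recomputes an imphash from an import list using the published definition: lowercase the module name, strip a .dll/.ocx/.sys extension, lowercase the function name, join the entries as module.function with commas in table order, and MD5 the result. The import table is constructed for illustration, and the ordinal-to-name lookup that pefile applies for a few well-known DLLs is omitted.

```python
import hashlib
from typing import Iterable, List, Tuple

# Extensions that the imphash definition strips from the module name.
_STRIPPED = (".dll", ".ocx", ".sys")


def normalize_import(dll: str, func: str) -> str:
    """Return one 'module.function' token in imphash form.

    Module name lowercased and without a .dll/.ocx/.sys extension, function
    name lowercased. Imports by ordinal are assumed to arrive already as
    'ordN' strings; the well-known-DLL ordinal lookup is not implemented.
    """
    mod = dll.lower()
    for ext in _STRIPPED:
        if mod.endswith(ext):
            mod = mod[: -len(ext)]
            break
    return f"{mod}.{func.lower()}"


def import_string(imports: Iterable[Tuple[str, str]]) -> str:
    """Comma-joined tokens in import-table order (the MD5 pre-image)."""
    return ",".join(normalize_import(dll, func) for dll, func in imports)


def imphash(imports: Iterable[Tuple[str, str]]) -> str:
    """MD5 hex digest over the ordered, normalized import list."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


# Constructed import table, not the real sample's: a packer stub typically
# imports a handful of kernel32 functions and little else, so unrelated
# families built with the same stub end up with the same imphash.
PACKER_STUB_IMPORTS: List[Tuple[str, str]] = [
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("USER32.dll", "MessageBoxA"),
]

# Same functions in a different order: a different import table, so a
# different hash.
REORDERED_IMPORTS = PACKER_STUB_IMPORTS[::-1]

# Same table with different casing: identical hash after normalization.
RECASED_IMPORTS = [(dll.upper(), func.upper()) for dll, func in PACKER_STUB_IMPORTS]


if __name__ == "__main__":
    print(import_string(PACKER_STUB_IMPORTS))
    print("imphash          :", imphash(PACKER_STUB_IMPORTS))
    print("reordered imphash:", imphash(REORDERED_IMPORTS))
    print("recased imphash  :", imphash(RECASED_IMPORTS))
```

The hash is order-sensitive but case-insensitive, so two builds that share a packer stub collide while a recompiled payload with a reordered table does not. Treat the cross-family counts on this page as a packer-clustering signal rather than a family identification; the record itself shows why, with a MalwareBazaar signature of Spambot.Kelihos and sandbox verdicts below naming RedLine, Vidar, Glupteba and AgentTesla.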


abuse_ch
Spambot.Kelihos C2:
http://94.158.245.117/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://94.158.245.117/
ThreatFox reference: https://threatfox.abuse.ch/ioc/221022/

Intelligence


File Origin
# of uploads: 1
# of downloads: 136
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: EDB9FC093A8A62A8D566B026D8691055.exe
Verdict: No threats detected
Analysis date: 2021-09-13 15:51:57 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a file in the %temp% subdirectories
Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: BitCoin Miner RedLine Vidar
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected Vidar stealer
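Several of the signatures above (Adds a directory exclusion to Windows Defender, Creates processes via WMI, Sigma detected: Powershell Defender Exclusion, Sigma detected: Suspicious Script Execution From Temp Folder) describe process-creation behaviour that can be checked from endpoint telemetry after the fact. The Python below is an added example, not the sandbox vendor's or the Sigma project's rule logic: it evaluates four simplified stand-ins for those signatures over constructed Sysmon-style process events (image, command line, parent image). The paths and command lines are invented for illustration and only loosely modelled on the process tree in this report.

```python
import re
from typing import Callable, Dict, List

# Sysmon event ID 1 / Windows 4688 style fields: image, cmdline, parent_image.
Event = Dict[str, str]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.IGNORECASE
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev: Event) -> bool:
    # Add-MpPreference/Set-MpPreference with an -Exclusion* parameter anywhere
    # in the command line (also catches "cmd /c powershell ..." wrappers).
    return bool(DEFENDER_EXCLUSION.search(ev["cmdline"]))


def rule_script_from_temp(ev: Event) -> bool:
    # A script host started with a script path under %TEMP%.
    return basename(ev["image"]) in SCRIPT_HOSTS and bool(TEMP_DIR.search(ev["cmdline"]))


def rule_wmi_spawn(ev: Event) -> bool:
    # A process created through WMI has WmiPrvSE.exe as its parent.
    return basename(ev["parent_image"]) == "wmiprvse.exe"


def rule_exe_from_temp(ev: Event) -> bool:
    # A dropped executable running from a %TEMP% subdirectory. Weak on its own
    # (installers do this too); useful in combination with the other hits.
    return basename(ev["image"]).endswith(".exe") and bool(TEMP_DIR.search(ev["image"]))


RULES: Dict[str, Callable[[Event], bool]] = {
    "powershell_defender_exclusion": rule_defender_exclusion,
    "script_execution_from_temp": rule_script_from_temp,
    "process_created_via_wmi": rule_wmi_spawn,
    "exe_launched_from_temp": rule_exe_from_temp,
}


def evaluate(ev: Event) -> List[str]:
    """Names of the rules that fire for one event, in RULES order."""
    return [name for name, rule in RULES.items() if rule(ev)]


# Constructed events (hypothetical paths and command lines, not sandbox output).
CONSTRUCTED_EVENTS: List[Event] = [
    {
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"',
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
    {
        "image": r"C:\Users\user\AppData\Local\Temp\drop\setup_install.exe",
        "cmdline": r"setup_install.exe",
        "parent_image": r"C:\Users\user\Desktop\h6q2kNIiiD.exe",
    },
    {
        "image": r"C:\Users\user\AppData\Local\Temp\drop\Fri088483a22e2c921ca.exe",
        "cmdline": r"Fri088483a22e2c921ca.exe",
        "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
    {
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\run.ps1",
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
    {
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe readme.txt",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]


def run(events: List[Event] = CONSTRUCTED_EVENTS) -> List[List[str]]:
    return [evaluate(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(CONSTRUCTED_EVENTS, run()):
        print(basename(ev["image"]), "->", hits or "-")
```

The exclusion rule matches on the command line rather than on the image so that a PowerShell one-liner launched through cmd.exe, as the cmd.exe children in this report were, is still caught. The Temp-folder rules deliberately require the trailing backslash so that a path argument ending in Temp (as in the exclusion example) does not also register as a script executed from Temp.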
Behaviour
Behavior Graph (ID 482393; sample h6q2kNIiiD.exe; start date 13/09/2021; architecture WINDOWS; score 100)

Top-level network contacts and signatures:
  162.248.225.172 HOSTING-SOLUTIONSUS United States
  104.21.20.198 CLOUDFLARENETUS United States
  Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 13 other signatures

Process tree (dropped files, contacted hosts and signatures listed under the process they belong to):
h6q2kNIiiD.exe
  dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Fri08fda10c4d5969db5.exe (PE32); C:\Users\user\...\Fri08d15ff103dae43ff.exe (PE32); 9 other files (4 malicious)
  setup_install.exe
    network: 172.67.142.91 CLOUDFLARENETUS United States; 127.0.0.1
    signatures: Adds a directory exclusion to Windows Defender
    cmd.exe
      Fri08d15ff103dae43ff.exe
        network: 8.8.8.8 GOOGLEUS United States; 162.159.135.233 CLOUDFLARENETUS United States
        dropped: C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32)
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
        LzmwAqmV.exe
          network: 192.168.2.1
          dropped: C:\Users\user\AppData\Local\...\Pubdate.exe (PE32); C:\Users\user\AppData\Local\...\Chrome 5.exe (PE32+); C:\Users\user\AppData\Local\...\BearVpn 3.exe (PE32); 6 other files (2 malicious)
          signatures: Machine Learning detection for dropped file
          Chrome 5.exe
            dropped: C:\Users\user\AppData\...\services64.exe (PE32+)
    cmd.exe
      Fri082fd8a753084ada8.exe
        dropped: C:\Users\user\...\Fri082fd8a753084ada8.tmp (PE32)
        signatures: Multi AV Scanner detection for dropped file
        Fri082fd8a753084ada8.tmp
          network: 162.0.213.132 ACPCA Canada
          dropped: C:\Users\user\AppData\Local\...\zab2our.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          zab2our.exe
            network: 162.0.210.44 ACPCA Canada; 162.0.220.187 ACPCA Canada
            dropped: C:\Users\user\AppData\...\Haecepydeti.exe (PE32); C:\Users\user\AppData\...\Mujolaraha.exe (PE32); C:\Program Files (x86)\...\Vifubolyju.exe (PE32); 4 other files (3 malicious)
    cmd.exe
      Fri08fda10c4d5969db5.exe
        network: 88.99.66.31 HETZNER-ASDE Germany
        signatures: Detected unpacking (changes PE section rights)
    6 other processes
      signatures: Adds a directory exclusion to Windows Defender; Creates processes via WMI
      Fri08406ed7b48e8.exe
      Fri088483a22e2c921ca.exe
        signatures: Creates processes via WMI
        Fri088483a22e2c921ca.exe
          network: 172.67.146.70 CLOUDFLARENETUS United States
          dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
          conhost.exe
      Fri088af9b7f085bf4.exe
        network: 185.215.113.15 WHOLESALECONNECTIONSNL Portugal
      powershell.exe
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-04 07:12:00 UTC
AV detection: 20 of 27 (74.07%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:metasploit family:redline family:vidar botnet:706 botnet:pab777 botnet:pub aspackv2 backdoor discovery dropper evasion infostealer loader persistence spyware stealer suricata trojan
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Tnega Activity (GET)
Malware Config
C2 Extraction:
https://romkaxarit.tumblr.com/
193.56.146.78:51487
185.215.113.15:6043
Dropper Extraction:
http://shellloader.com/welcome
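The indicators on this page (the reporter's C2 http://94.158.245.117/, the extracted C2s 193.56.146.78:51487, 185.215.113.15:6043 and https://romkaxarit.tumblr.com/, and the dropper URL http://shellloader.com/welcome) are of different kinds and should not all be matched the same way. The tumblr.com host is a legitimate service, which is what the behaviour list above means by "Legitimate hosting services abused for malware hosting/C2", so only the full URL is an indicator there; matching the domain would flag every user of the platform. The ip:port pairs are C2 sockets and are matched on destination plus port. The Python below is an added example, not MalwareBazaar or ThreatFox tooling: it compiles the page's indicators into host, socket and URL sets and runs them over constructed proxy-log lines (the log is made up for illustration).

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Indicators taken from this entry (reporter comment and Malware Config).
IOCS = [
    "http://94.158.245.117/",
    "193.56.146.78:51487",
    "185.215.113.15:6043",
    "https://romkaxarit.tumblr.com/",
    "http://shellloader.com/welcome",
]

# Hosts where only the exact URL is an indicator: the domain is a shared,
# legitimate service, so a host-level match would be a false positive.
SHARED_HOSTING_SUFFIXES = (".tumblr.com",)

Compiled = Tuple[Set[str], Set[Tuple[str, int]], Set[Tuple[str, str]]]


def compile_iocs(iocs: List[str]) -> Compiled:
    """Split raw indicators into (hosts, sockets, urls).

    hosts:   bare hosts/IPs matched on destination alone
    sockets: (ip, port) pairs matched on destination socket
    urls:    (host, path) pairs matched on the full request
    """
    hosts: Set[str] = set()
    sockets: Set[Tuple[str, int]] = set()
    urls: Set[Tuple[str, str]] = set()
    for ioc in iocs:
        if "://" in ioc:
            parts = urlsplit(ioc)
            host = (parts.hostname or "").lower()
            path = parts.path or "/"
            urls.add((host, path))
            if not host.endswith(SHARED_HOSTING_SUFFIXES):
                hosts.add(host)
        else:
            ip, port = ioc.rsplit(":", 1)
            sockets.add((ip, int(port)))
    return hosts, sockets, urls


def match_event(event: Dict[str, str], compiled: Compiled) -> List[str]:
    """Indicator kinds hit by one event: any of 'host', 'socket', 'url'."""
    hosts, sockets, urls = compiled
    dst = event.get("dst_host", "").lower()
    port = int(event.get("dst_port", "0"))
    hits = []
    if dst in hosts:
        hits.append("host")
    if (dst, port) in sockets:
        hits.append("socket")
    if (dst, event.get("path", "/")) in urls:
        hits.append("url")
    return hits


# Constructed proxy/flow log (not from the sandbox run): ts host port method path
CONSTRUCTED_LOG = """\
2021-09-13T15:52:01Z 94.158.245.117 80 GET /
2021-09-13T15:52:03Z romkaxarit.tumblr.com 443 GET /
2021-09-13T15:52:04Z staff.tumblr.com 443 GET /post/12345
2021-09-13T15:52:05Z 185.215.113.15 6043 - -
2021-09-13T15:52:06Z 185.215.113.15 443 GET /
2021-09-13T15:52:08Z shellloader.com 80 GET /welcome
"""

LINE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+)$")


def parse_line(line: str) -> Dict[str, str]:
    ts, host, port, method, path = LINE.match(line).groups()
    return {"ts": ts, "dst_host": host, "dst_port": port, "method": method, "path": path}


def scan(log: str, iocs: List[str] = IOCS) -> List[Tuple[str, str, List[str]]]:
    """(timestamp, destination, hit kinds) for every log line that matched."""
    compiled = compile_iocs(iocs)
    out = []
    for line in log.splitlines():
        ev = parse_line(line)
        hits = match_event(ev, compiled)
        if hits:
            out.append((ev["ts"], ev["dst_host"], hits))
    return out


if __name__ == "__main__":
    for ts, host, hits in scan(CONSTRUCTED_LOG):
        print(ts, host, ",".join(hits))
```

Two lines of the constructed log are there to show the policy choices: staff.tumblr.com does not fire because only the exact romkaxarit.tumblr.com URL is an indicator, and 185.215.113.15 on port 443 does not fire because the extracted indicator is the socket on port 6043. Widening the second case to the bare IP is a reasonable tuning decision for a dedicated C2 host, but it should be made explicitly rather than by treating every indicator as a host.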
Unpacked files

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 817382962f45ece306adcbb33fce5e9dfc524d3629f58ad410521d3c1602672e
MD5 hash: bef346aff7da715c81230e84f6c5f5e6
SHA1 hash: 5a6a9956eb72df57629a10391f6d78fb95e9542e

SHA256 hash: e173de6e79423d659886704dcaaf5848078ced4e14e0772e4f1e7b3931bb0862
MD5 hash: 95f9e24e7dd90ee5892743c58801db9f
SHA1 hash: f107fcd45e57e7b71193f1f1777b8377f5d3cda1

SHA256 hash: e621e23cf07ea962557bce0f28940a8283135de86d3fd3d520d58115a8484982
MD5 hash: 35959e37d587e649357c57c2c5797a93
SHA1 hash: b3f2ef17f1c45e34ea84a70285a14672034a97ae

SHA256 hash: 4266165affda48b7a0fc19e67760e2d0ff275bf5f66d463acdf89c17362c3022
MD5 hash: 6e5515bdee2907426548266c47390abc
SHA1 hash: 105000cfd2dcd2e5f5f5f9e1f5ab4eff4626473e

SHA256 hash: 15061ab0032c103fffe8783b1ec84b4a70d6fa5cc12b4b4c338847fbbe070bd1
MD5 hash: 9a7363c4af2f5f93582570ba7f013f07
SHA1 hash: e20845767ff8a704f2b1c9f2220fde7dee06ca1e

SHA256 hash: 606d3d9365f40fee12e9fc577ae5bf4cd42d502f4758320cdab01b53a7e0d4b8
MD5 hash: 51894ed4e7fec456b08027e2e6620386
SHA1 hash: bbffdd90f9a5644086006734e03c15ac28db1ae9

SHA256 hash: 13492a113107ae59e2fe02f3c3b9afa411a39caa73b78ea06dec0fb9a970f7a2
MD5 hash: f0cddb85d1f6e01372db9988700b1849
SHA1 hash: b561eab96075434a5405459cf2cd947c9cda78fa

SHA256 hash: ecd50fb75feb3b385075209401daa13bfbd00f0e1fbb5d3b06ebf94a702c2d92
MD5 hash: f6d8389bc6db3e94e7d5170f21bcebf7
SHA1 hash: adc6674f0db68bc394d4d172a0b32b48f54ad95d

SHA256 hash: e9b7b6e0c2ad75b35c6ec4d914d7ae0ea61efa89748ec657ab3b7dfc612d0dd6
MD5 hash: bde059c8ea984efeae50450308fdd103
SHA1 hash: 80d3c2e4efed869431facf60ca76163a5d5f4217

SHA256 hash: 3ac09ad4f06c17b068ade2e3e0557c439e6cd39d10eabc083fb27311dc349caf
MD5 hash: 324e775753a3d5f75acdef6ae4cf2dbd
SHA1 hash: 4b5e2ce362f4eb261dc4ba20b4b63e678d996a9a

SHA256 hash: 0652a2a727bb9cb3ad7dbdfebfe9551a7a9e3ef512760989b5c579cb1c2064e9
MD5 hash: e5b6bcd579168b8e38920fd0ec5c27d4
SHA1 hash: 0a4161f766d7299b450c294ed246ee9b5e45c40a

SHA256 hash: 544774090f4500877c9dd4a97dbfbacc0e5c64d0550c6a70547b7901f64071df
MD5 hash: 5e6bcd3864746c745b3f62d743416284
SHA1 hash: 4f0473a784c4b16ccf8e88e8f7df445f32c295a7

SHA256 hash: 1745e45dbd0b61311764db5bf9c5a075b2913e136dc574c875743a10d3474e04
MD5 hash: baafedb43a6ade7f1aa97e9ff2e38441
SHA1 hash: a5a8209b8371864734ec7cad1ec1ef245ad21212

SHA256 hash: 28b24e7f2e4c1c152d45356557831aa5636dc8c61c5f318c119c3be45b5e6918
MD5 hash: 9ec141a08df6cdb17323dba29eb233d2
SHA1 hash: df1a3ccdc5805148876af60049ff9252e19a77c0

SHA256 hash: cd7445464e18fd8260e6a924e0795c9b09696eb2dbc7dd9f62794b6530ecca9d
MD5 hash: edb9fc093a8a62a8d566b026d8691055
SHA1 hash: e0a757fde5d8f0fbb3793c4b94ee0277cdc33c05
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
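The last rule above, SUSP_XORed_MSDOS_Stub_Message, looks for the DOS-stub text that every linker writes into a PE file, but XOR-encoded with a single-byte key. A plain PE always contains that text once, in the clear; a second copy under XOR is a strong sign of an embedded executable hidden in a resource or overlay, which fits the "overlay packed" tag on this sample. YARA expresses this with the xor string modifier linked in the rule's reference. The Python below is an added example, not the rule itself: it reimplements the scan by trying every key from 0x01 to 0xff, runs it over a constructed carrier (a fake outer stub followed by a fake embedded stub XORed with 0x5A; neither is a real executable), and decodes the bytes before each hit to check that an MZ header precedes the message.

```python
from typing import Dict, List, Tuple

# The plaintext the rule targets: the message in a standard PE DOS stub.
DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xor_scan(buf: bytes, needle: bytes = DOS_STUB_MSG,
             keys=range(0x01, 0x100)) -> List[Tuple[int, int]]:
    """Find `needle` XORed with any single-byte key inside `buf`.

    This is what YARA's `xor(0x01-0xff)` modifier does: for each key the
    encoded needle is searched verbatim. Key 0x00 is excluded because it is
    the plaintext case, which every ordinary PE satisfies. Returns
    (offset, key) pairs in key order.
    """
    hits = []
    for key in keys:
        encoded = xor_bytes(needle, key)
        start = 0
        while True:
            idx = buf.find(encoded, start)
            if idx < 0:
                break
            hits.append((idx, key))
            start = idx + 1
    return hits


def build_sample(key: int) -> bytes:
    """Constructed carrier: a fake outer DOS stub in the clear, followed by a
    fake inner stub (MZ header, padding, stub code, message) XORed with `key`.
    Not a real executable; only the byte patterns matter here."""
    stub_code = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    inner = b"MZ" + b"\x90" * 62 + stub_code + DOS_STUB_MSG + b".\r\r\n$" + b"\x00" * 16
    outer = b"MZ" + b"\x00" * 100 + DOS_STUB_MSG + b".\r\r\n$" + b"\x00" * 200
    return outer + xor_bytes(inner, key) + b"\x00" * 64


def scan_report(buf: bytes) -> List[Dict[str, object]]:
    """For each hit, decode the 128 bytes before it with the recovered key and
    report whether an MZ header appears there, as a cheap confirmation that
    the hit is an embedded PE rather than a stray string."""
    report = []
    for offset, key in xor_scan(buf):
        window = xor_bytes(buf[max(0, offset - 128):offset], key)
        report.append({"offset": offset, "key": key, "mz_before": b"MZ" in window})
    return report


if __name__ == "__main__":
    sample = build_sample(0x5A)
    for hit in scan_report(sample):
        print(hit)
```

Recovering the key is the useful part for triage: XOR the whole overlay with it and the embedded file can be carved and hashed for a lookup like the ones on this page. The same scan with a multi-byte or rolling key would need a different approach, which is why rules of this kind are labelled suspicious rather than malicious.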

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments