MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce3019db616597bb3e1571189c69c4490bda1ef48db83bf35410d2e0f89cf9b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce3019db616597bb3e1571189c69c4490bda1ef48db83bf35410d2e0f89cf9b0
SHA3-384 hash: 9af93d1944023db98548457099d2dc32ab88e6e7017370d3cd5f2fda5750504b054b9ac6b19995cb658f4a48f4921a2d
SHA1 hash: 4183cb0328514c0277b5e1f209acba04e73f562b
MD5 hash: 91e968b26532368f666d1160f56ef5bb
humanhash: berlin-edward-single-hawaii
File name:91e968b26532368f666d1160f56ef5bb
Download: download sample
File size:3'535'569 bytes
First seen:2022-07-14 04:32:13 UTC
Last seen:2022-07-15 03:25:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2bd4b8620ae035f6bf279b34fa17fcf7 (23 x RedLineStealer, 2 x Formbook, 1 x RecordBreaker)
ssdeep 98304:gjUS94raWZ1+NeOYGJaCNoInAG1VZ6SLXGinC:gjUS9YPZ1eeOYGJaCNoInAG1VZb6R
TLSH T128F56C135A8B0E75DDD237B4A1CB633AA734FE30CA2A9B3BF709C52559532C46C1A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter openctibr
Tags:exe OpenCTI.BR Sandboxed

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
91e968b26532368f666d1160f56ef5bb
Verdict:
No threats detected
Analysis date:
2022-07-14 04:40:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e850d4c-9461-494d-8f34-dc9984e2e942

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/287964/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed spyeye
Link:
https://www.filescan.io/uploads/62cf9c89ec671b846f906acd/reports/39d502ff-ac0d-4fc9-840d-435a5cdae88c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c99d7c7-afef-42bb-89e1-d83197c9b968
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1032052
Signature
Found API chain indicative of debugger detection
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 664546 Sample: ZOeSsyaXTi Startdate: 15/07/2022 Architecture: WINDOWS Score: 52 11 Multi AV Scanner detection for submitted file 2->11 6 ZOeSsyaXTi.exe 1 2->6         started        process3 signatures4 13 Found API chain indicative of debugger detection 6->13 9 conhost.exe 6->9         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce3019db616597bb3e1571189c69c4490bda1ef48db83bf35410d2e0f89cf9b0/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2022-07-13 17:12:00 UTC
File Type:
PE (Exe)
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zyybtw3bmwl3wpqvoemjy2oejef5uhxurw4dx42ucdjob6e47gya._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220714-e6khcadffl/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
84e8ff0ec71918c12be1f0eac312d229aab84fc1339500ffd08325f135770fbf
MD5 hash:
acb0598766f083fa33c7e4efe1c86460
SHA1 hash:
46f2411ce45a76bfceab213ad73dc05f11d502c7
Link:
https://www.unpac.me/results/929fdfae-35c2-4103-b6b5-4651d1926786/
SH256 hash:
ce3019db616597bb3e1571189c69c4490bda1ef48db83bf35410d2e0f89cf9b0
MD5 hash:
91e968b26532368f666d1160f56ef5bb
SHA1 hash:
4183cb0328514c0277b5e1f209acba04e73f562b
Link:
https://www.unpac.me/results/929fdfae-35c2-4103-b6b5-4651d1926786/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ce3019db616597bb3e1571189c69c4490bda1ef48db83bf35410d2e0f89cf9b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/287964/

Comments