MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d188f505ff2702722bf5ccd43eb3451025e8312fc38cea0d6d47131d0c870ec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: d188f505ff2702722bf5ccd43eb3451025e8312fc38cea0d6d47131d0c870ec8
SHA3-384 hash: ef69ac6a90355a21393c86c358780cf1232b592f645691901dfd108786e493e5bb42398792b80b98b81f840e833a7a69
SHA1 hash: 0f3a999d04713f2e87e960e88ac3f38ea55d19e6
MD5 hash: 06444db708f2251f8f7ec251b046097e
humanhash: alabama-california-lithium-jersey
File name: 06444db708f2251f8f7ec251b046097e.exe
File size: 933'696 bytes
First seen: 2022-01-10 15:18:20 UTC
Last seen: 2022-01-10 16:43:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d123a69e1a76a1d4c228975990208112 (4 x RedLineStealer, 1 x TVRat, 1 x ArkeiStealer)
ssdeep: 24576:8SNcUtoKY6kMHE36g6MM/nF2Iub5x2oFI8:CfKY6/EsC5BI8
TLSH: T12B152342F7E2DB12C8A1BA7A8D4DD6D937BB7C221885970575D2DF1F7E8E2018C8E124
dhash icon: 762769496363734b (1 x RedLineStealer, 1 x LummaStealer)
Reporter: abuse_ch
Tags: exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 241
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 06444db708f2251f8f7ec251b046097e.exe
Verdict: Malicious activity
Analysis date: 2022-01-10 15:33:24 UTC
Tags: evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Searching for analyzing tools
  Creating synchronization primitives
  DNS request
  Sending a custom TCP request
  Creating a file

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug greyware overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signatures:
  Antivirus detection for URL or domain
  Hides threads from debuggers
  Machine Learning detection for sample
  May check the online IP address of the machine
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for submitted file
  PE file has nameless sections
  Tries to detect sandboxes and other dynamic analysis tools (window names)
  Tries to evade analysis by executing a special instruction which causes a usermode exception
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-01-10 13:59:04 UTC
File Type: PE (Exe)
Extracted files: 36
AV detection: 20 of 43 (46.51%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of NtSetInformationThreadHideFromDebugger
  Legitimate hosting services abused for malware hosting/C2
Unpacked files

SHA256 hash: 52066f44a097e6989c00fd58446fc7d4f2359c581ea335137a59f0662264c2d4
MD5 hash: 13f0a8d61d360a7cb41fb0e78f0571c9
SHA1 hash: 9193d454e66d56346c476ead2a275cbbb2cf314d

SHA256 hash: 65f581e0106af11d2e3646ee64659e310ac68b44b78917930362dce9ef7f6ea0
MD5 hash: ce9ee21dc70bcfb6dfe61142b7e80492
SHA1 hash: 5a1b154d9006fb03c3b7aa346f26fbdaa301ac93

SHA256 hash: 7654e7bf26cc3efaca02042b0f580035cbd8ab5ee95cff28813dce7363b244b4
MD5 hash: 8b92deb2b039cf269e9690f0ffc7c382
SHA1 hash: 3f88bb49f7c37f02e9e2f3fc4ae1a1d24f01a169

SHA256 hash: d188f505ff2702722bf5ccd43eb3451025e8312fc38cea0d6d47131d0c870ec8 (this sample)
MD5 hash: 06444db708f2251f8f7ec251b046097e
SHA1 hash: 0f3a999d04713f2e87e960e88ac3f38ea55d19e6
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: quakbot_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  File: Executable exe d188f505ff2702722bf5ccd43eb3451025e8312fc38cea0d6d47131d0c870ec8 (this sample)
  Delivery method: Distributed via web download