MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d27809504464823d84d0b88ac03760fa68d8a361e9709ded0b3f5cd17ab4edeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Spambot.Kelihos
Vendor detections: 11


SHA256 hash: d27809504464823d84d0b88ac03760fa68d8a361e9709ded0b3f5cd17ab4edeb
SHA3-384 hash: bd25657bd5346014936dbb4d05a1e249af48348fa35a8ef3231704364386730b7408933bad7e67e6d23cb191e608dec2
SHA1 hash: 0643d567aa8e5e451af11e5d15257df4db2e2736
MD5 hash: 99cffe97a251670b6c06faafa3ae91d7
humanhash: juliet-asparagus-nine-kilo
File name: file
Signature: Spambot.Kelihos
File size: 1'429'312 bytes
First seen: 2023-09-10 20:29:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep: 24576:8C8CWsXnF0SlyI9rj5RDKjMaguXL3EJTaQFJCuOj3IlOfpUfML2d1s:X8CWcjyU3Kjrz0JCeOqOM1s
Threatray: 1'065 similar samples on MalwareBazaar
TLSH: T1C2651282F4C0B8B6D0731D7209F4DB745FA2B8A04B054EAF779C4A9E4B2CAD0F621756
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: andretavare5
Tags: exe Spambot.Kelihos


andretavare5
Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 295
Origin country: US

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: No threats detected
Analysis date: 2023-09-10 20:31:33 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Launching a process
  Creating a file in the %temp% subdirectories
  Creating a process from a recently created file
  Creating a process with a hidden window
  Launching the default Windows debugger (dwwin.exe)
  Sending a custom TCP request
  Launching a service
  Creating a file
  Blocking the Windows Defender launch
  Disabling the operating system update service
  Unauthorized injection to a system process
  Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control greyware lolbin overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Mystic Stealer, RedLine, SmokeLo
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 1306919; sample file.exe; start date 10/09/2023; architecture WINDOWS; score 100)

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

Process tree, with dropped files, network destinations and per-process signatures as reported by the sandbox (indentation shows the parent process):

file.exe
  signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  starts: AppLaunch.exe, WerFault.exe, conhost.exe, AppLaunch.exe
  AppLaunch.exe
    dropped: C:\Users\user\AppData\Local\...\v3785319.exe (PE32); C:\Users\user\AppData\Local\...\f3486249.exe (PE32)
    v3785319.exe
      dropped: C:\Users\user\AppData\Local\...\v8925292.exe (PE32); C:\Users\user\AppData\Local\...\e6026308.exe (PE32)
      signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
      v8925292.exe
        dropped: C:\Users\user\AppData\Local\...\v2634169.exe (PE32); C:\Users\user\AppData\Local\...\d2099677.exe (PE32)
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
        v2634169.exe
          dropped: C:\Users\user\AppData\Local\...\v4232659.exe (PE32); C:\Users\user\AppData\Local\...\c3844151.exe (PE32)
          c3844151.exe
            signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
            starts: AppLaunch.exe, conhost.exe, WerFault.exe
            AppLaunch.exe
              signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
              injects into: explorer.exe
              explorer.exe (injected)
                network: 79.137.192.18 (ports 49730, 80; PSKSET-ASRU, Russian Federation); 77.91.68.29 (ports 49710, 49712, 49718; FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); 2 other IPs or domains
                dropped: C:\Users\user\AppData\Roaming\abvwutj (PE32); C:\Users\user\AppData\Local\Temp\B19D.exe (PE32); C:\Users\user\AppData\Local\Temp\8C08.exe (PE32); 3 other malicious files
                signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
                starts: B19D.exe, rundll32.exe, rundll32.exe
                B19D.exe
                  dropped: C:\Users\user\AppData\Local\...\x7114254.exe (PE32); C:\Users\user\AppData\Local\...\k5162123.exe (PE32)
                  signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                  x7114254.exe
                    dropped: C:\Users\user\AppData\Local\...\x4874352.exe (PE32); C:\Users\user\AppData\Local\...\j2107678.exe (PE32)
                    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
          v4232659.exe
            dropped: C:\Users\user\AppData\Local\...\b8394839.exe (PE32); C:\Users\user\AppData\Local\...\a1982206.exe (PE32)
            a1982206.exe
              signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
              starts: AppLaunch.exe, WerFault.exe, conhost.exe
              AppLaunch.exe
                signatures: Disable Windows Defender notifications (registry); Disable Windows Defender real time protection (registry)
            b8394839.exe
              signatures: Injects a PE file into a foreign processes
              starts: AppLaunch.exe, WerFault.exe, conhost.exe
              AppLaunch.exe
                network: 5.42.92.211 (ports 49704, 49719, 49733; RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
              WerFault.exe
                network: 192.168.2.1 (unknown)
        d2099677.exe
          network: 77.91.124.82 (ports 19071, 49709, 49717; ECOTEL-ASRU, Russian Federation)
          signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; 2 other signatures
rundll32.exe (started at top level)
abvwutj (started at top level)
Threat name: Win32.Trojan.PrivateLoader
Status: Malicious
First seen: 2023-09-10 19:02:55 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 25 of 37 (67.57%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:amadey family:fabookie family:healer family:redline family:smokeloader botnet:amadey_api botnet:virad backdoor dropper evasion infostealer persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Uses the VBS compiler for execution
Downloads MZ/PE file
Stops running service(s)
Amadey
Detect Fabookie payload
Detects Healer an antivirus disabler dropper
Fabookie
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
  77.91.124.82:19071
  http://77.91.68.29/fks/
  http://5.42.65.80/8bmeVwqx/index.php
  amadapi.tuktuk.ug:11290

Unpacked files
SHA256 hash: d27809504464823d84d0b88ac03760fa68d8a361e9709ded0b3f5cd17ab4edeb
MD5 hash: 99cffe97a251670b6c06faafa3ae91d7
SHA1 hash: 0643d567aa8e5e451af11e5d15257df4db2e2736
Malware family: RedLine.E
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AppLaunch
Author: iam-py-test
Description: Detect files referencing .Net AppLaunch.exe

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments