MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbeac36e7de274df245cf4965fcdbeedd57ef1637a9cb8c5bd8686645a9ee9fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: dbeac36e7de274df245cf4965fcdbeedd57ef1637a9cb8c5bd8686645a9ee9fd
SHA3-384 hash: 9bfb7a01e67eb122b8ebb44dc69b4e1ca6b92f04ac05409c2a10d06ff7e9bb45b1674b4ea5396d6df940ed063678cb8b
SHA1 hash: 9c6af373adfb47cba923f4d18e7e44742864ec57
MD5 hash: aaf0f0b5a7a737a1e364f66325644ba5
humanhash: oscar-tennessee-ohio-arkansas
File name: aaf0f0b5a7a737a1e364f66325644ba5.exe
Signature: RedLineStealer
File size: 10'327'030 bytes
First seen: 2022-04-16 02:40:52 UTC
Last seen: 2022-04-20 10:23:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:xgZaA8VdOJ7dJ0E8dKr6YINW6IpJKvnz7pfPi7YC/XdBTUc0o3rln:xkaAQdOZdJEP9NW6ISvz7RiTvoc5bt
Threatray 7'916 similar samples on MalwareBazaar
TLSH T165A6336239B050FBF2522271A5843E78DF2AC71C0B39D6976A400D1DEF3EE4195AEDC9
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
92.255.57.249:17606

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    | ThreatFox Reference
92.255.57.249:17606    | https://threatfox.abuse.ch/ioc/520337/

Intelligence


File Origin
# of uploads: 2
# of downloads: 299
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aaf0f0b5a7a737a1e364f66325644ba5.exe
Verdict:
No threats detected
Analysis date:
2022-04-16 02:41:53 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disables Windows Defender (via service or powershell)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph (flattened from the rendered graph):
Behavior Graph ID: 610069 | Sample: 5qwvf3Yn37.exe | Startdate: 16/04/2022 | Architecture: WINDOWS | Score: 100

5qwvf3Yn37.exe (started)
    Network: 183.78.205.92 YOUNGDOONG-AS-KRLGHelloVisionCorpKR Korea Republic of; 187.170.243.113 UninetSAdeCVMX Mexico; 10 other IPs or domains
    Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 17 other signatures
    Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\...\62555d09973a8_Tue11ecbb407f.exe (PE32); C:\Users\...\62555d0875b49_Tue119ddeb89.exe (PE32); 18 other files (12 malicious)
    setup_install.exe (started)
        Signatures: Adds a directory exclusion to Windows Defender
        cmd.exe (started)
            62555d066997c_Tue114ab650595.exe (started)
                Network: 172.105.52.100 LINODE-APLinodeLLCUS United States; 5.101.153.227 BEGET-ASRU Russian Federation
                Dropped: C:\Users\user\AppData\Local\Temp\J7E9F.exe (PE32); C:\Users\user\AppData\Local\Temp\DDEB5.exe (PE32); C:\Users\user\AppData\Local\Temp\35915.exe (PE32); 2 other files (1 malicious)
                Signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); 3 other signatures
        cmd.exe (started)
            62555ce7a9eb3_Tue115e6b45.exe (started)
                Signatures: Multi AV Scanner detection for dropped file; 5 other signatures
        cmd.exe (started)
            62555cde5f98e_Tue117978ca9160.exe (started)
                Signatures: Disables Windows Defender (via service or powershell)
                cmd.exe (started)
                    Signatures: Disables Windows Defender (via service or powershell)
                    powershell.exe (started)
        14 other processes
            Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
            62555cdfe452b_Tue1186c009dcc.exe (started)
                Signatures: Antivirus detection for dropped file; 2 other signatures
            62555cdf44f5b_Tue11c3bea354.exe (started)
                Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
            62555ced3a63b_Tue11bd7ee9e21.exe (started)
                Network: 208.95.112.1 TUT-ASUS United States
                Signatures: Tries to detect virtualization through RDTSC time measurements
            10 other processes
                Network: 212.192.246.217 RHC-HOSTINGGB Russian Federation; 148.251.234.83 HETZNER-ASDE Germany; 4 other IPs or domains
                Dropped: C:\Users\...\62555d05e2cfb_Tue11abd101d.tmp (PE32); C:\Users\...\62555ce5d3376_Tue117735d5e6.tmp (PE32); C:\Users\user\AppData\Local\Temp\xFqE.cpl (PE32)
                Signatures: Detected unpacking (overwrites its own PE header); Obfuscated command line found
                62555ceea8d51_Tue11d05b8a75e.exe (started)
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-04-13 08:58:00 UTC
File Type:
PE (Exe)
Extracted files:
352
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Result
Malware family:
socelars
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars botnet:media20207 botnet:same1 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/vsdh41/
http://hanfinvest.at/upload/
http://phunilbeauty.com/upload/
http://spbdg.ru/upload/
http://tnt-az.com/upload/
http://casagenaro.com/upload/
http://girneotel.com/upload/
http://zennclinic.com/upload/
http://mordo.ru/forum/
http://piratia-life.ru/upload/
http://pkodev.net/upload/
92.255.57.249:17606
116.202.106.111:9582
Unpacked files

SHA256 hash: b7a32e5264a139fe6e45d395b61e0877039728f46242d32c6b1b4529dd9dce26
MD5 hash: 033328e67e74157911356755eabe4a21
SHA1 hash: aec0696e1f9871b9d3a418bd0060d2cd11dad1df

SHA256 hash: 054067ba23ab9f74d41afa919e7894800b8f93c992e8e40d6ad019e7cce9da63
MD5 hash: 9726d464ba60894a412adc78d541c0c2
SHA1 hash: 9a00e428610d20b925d7dd4249a5fddf6dd389df

SHA256 hash: 8e7054b68ad1258fc328af2feecfb37e78954e81f57758b7dafb19008463b751
MD5 hash: 729b9ee6cf416ecb81f9f0e6b29c29e9
SHA1 hash: e4365a80a6153216e4ce5770c1cd766177bcc7e3

SHA256 hash: 7dd366506a08d8f81e92a69adb67fcae30656dd27c3f1a96d17427b7aa4ac251
MD5 hash: 970a586e6ecd0f6af2dadd873684ebdd
SHA1 hash: cd9561efd0869aab089e1702134ff6a87c859e56

SHA256 hash: 2cc2b00b84d0ce2159297a7c33a8f38847d96e93dbfe7bb23724173886f99e6c
MD5 hash: 6b8b520c9ca2c721c5628a592d06f4a2
SHA1 hash: cae37468adcdb03be8e990bba7c9f60cb74b977b

SHA256 hash: ee556cb79b0a5b09a2615b7c50f7296ccc1f0af4b04496cea58b0be457dbb05b
MD5 hash: 84e439f37a9fc07030f06ed990bf327f
SHA1 hash: 7db36f9760bd030333ad4f15f25c4c8d0681e6e3

SHA256 hash: 1c2818e60d15e1e486d03a9e7641b4e6f99f09d3c04e87037bebe19f6896d61b
MD5 hash: 1ae68c1c920dcbc29cb3ce6c1cf8100e
SHA1 hash: 6b624d460e5ffb643e0713f9dccca09f15792265

SHA256 hash: a89c1aa2ea74c762d66a3f3d313234ab81fccf9723f8e0915348ca4f13445c35
MD5 hash: 02052bfa13ccf9b9b7c9aec8a7b86bb1
SHA1 hash: 44a0c7d287a7ae87c5e070c6f5af25bfc257447b

SHA256 hash: a09a6e18d792c443ed76f03b5b04a025e50dfdf2e8f57e82c88874a8abb2d5ea
MD5 hash: e04b35bd14db0c44a26705806ed27267
SHA1 hash: 4485f2a5108cc0d2c6e11528e4baddbd89f177cb

SHA256 hash: 7183baba201f898c29a685f2a09d2be6b286dec8b105249141efcad40241a191
MD5 hash: 0a54676211c974590e42ad0c966f6191
SHA1 hash: 1b2c65f6f3e2340284d458b77d8cd03255ee0673

SHA256 hash: f0faee67bfe75d62b6b9c57d5f19887c869d8d8aa4041d61ccda31ff5100c722
MD5 hash: 34cb8398a38e7569daf8cc5b2d290eaa
SHA1 hash: 0f2ff995eb9ca5a141adcfb54589dfec10d03f7c

SHA256 hash: d2dbeb783504070450e3e5d2495ce8c6ffca0296e561d8ee875f1daf47e0ccb5
MD5 hash: 2a59bd2836d2f0474334cfc9b9d7522c
SHA1 hash: 076d35f892184fe9e3b64e9c5c3266c27b3079de

SHA256 hash: 51822e99ece18ac31a193079f264f10940417e7d65c8e16d55ceee7f743dc309
MD5 hash: 11d58bcdf92faf51179d2daaf99e11b3
SHA1 hash: 0c6ffc8f9db015ec1bd01e11420695faadf2c845

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 94b1a1928663783d55d18e068691d41fda717aec2b8c139cbeec537baf590cf1
MD5 hash: dbe67324ed2ee469fb8cc030ffaa3448
SHA1 hash: c99473f88d6e73360fe671ef0eb624b71b94315f

SHA256 hash: 9e8672806ae567225100d33ab88fc570c045249c4fabf16460e25ed2132ddca5
MD5 hash: 209101ef2701aaebe731102f939ebd65
SHA1 hash: 2d8254a277faa5cbfaf1dd9730bd08b014cc90a1

SHA256 hash: 6206b2abd0c001cbc7ed90f8c5b405a98c499afa8263d3ff001c491862822ce6
MD5 hash: aa0d9442b871b159081fa26c2f9777b7
SHA1 hash: d53ac52230bb4e2b791ca2f2466ab6773b019309

SHA256 hash: 7f18fffe67464d22a42dff9058b38db108d8503d6fc7f45f4b06c40e5c201e1d
MD5 hash: 76011d40c66fbc3f8400801c386d4059
SHA1 hash: c34daf2ae5471a8c24341c1dd54d22ff044bdecd

SHA256 hash: 5fc9d1641fcff1f7b77e7f68671bb2d24b0240c32c4acf73ca4fb704b5a803c3
MD5 hash: e2ea11433c1dcb7977794cb117ac8723
SHA1 hash: ebd4de64f29f894ae3047fc19f90565a31cd4dd4

SHA256 hash: 3f4f3f9461c11365097b310c172d2d3d6517a77237090a0db39b716946a871e6
MD5 hash: 252b8ab28b112309ab15574dbdaf4c74
SHA1 hash: 84dbd4b2539e81a514b7e6d0985461cb14a56c12

SHA256 hash: f3bb5bb6c825a6be8363ea702e60e3fcd3a76b835475440cb09ea9a6e15f9ecf
MD5 hash: f553b2de55544f8899c929438e4ad761
SHA1 hash: 4cb949c455d749b649c0d2872f3fd81ffe6660ba

SHA256 hash: 17e4d04979aa1dcf1ec6963532a0b803f91c46cf79e5348b63607fc0833bf427
MD5 hash: be747ca462bc8ae0d0c5c7f6c614c731
SHA1 hash: c85000746a1d6443519c7ff3c8f3f9878fe51106

SHA256 hash: dbeac36e7de274df245cf4965fcdbeedd57ef1637a9cb8c5bd8686645a9ee9fd
MD5 hash: aaf0f0b5a7a737a1e364f66325644ba5
SHA1 hash: 9c6af373adfb47cba923f4d18e7e44742864ec57
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments