MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e154e1ff9dceb6b46e7e21f3e4a1aea55f3125de8cadd674be73e94e44266409. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e154e1ff9dceb6b46e7e21f3e4a1aea55f3125de8cadd674be73e94e44266409
SHA3-384 hash: c2b6309a109f6e9b54bfc5f970f735ed6273286951a9dd15139b6efbc1a16d721036925644a6b06319c0b69aaa0b282e
SHA1 hash: a4f0e3895466362fb4a55b8999c607e79ddb6b41
MD5 hash: 0c4346dc906f7667addce2a657d391b8
humanhash: wyoming-mirror-black-ink
File name:0c4346dc906f7667addce2a657d391b8.bin
Download: download sample
File size:154'992 bytes
First seen:2023-03-11 08:02:54 UTC
Last seen:2023-03-11 09:34:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0cab0170722ba12b99e4419aa79e51bd (6 x RedLineStealer)
ssdeep 3072:nBKG/JfLhKoda3fk2q4qAyvf2sGx6QblK/lSTh2:nBv/9L49qQsc6QQS8
TLSH T1EDE39D13318C4176F81AC5FA48D5DA7948BDB5B027EF11DFA3CC05679A1A3E0A6A831F
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:bin exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0c4346dc906f7667addce2a657d391b8.bin
Verdict:
Malicious activity
Analysis date:
2023-03-11 08:03:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/65d0a3ec-0f8b-4ed8-ac98-001737546b40

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373495/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.227640.9235.2116.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Reading critical registry keys
Sending a custom TCP request
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72621/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/640c35b8b65c45d06f7384ff/reports/fcf4220b-6f76-4432-a9c6-5d2c52c694dc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/e154e1ff9dceb6b46e7e21f3e4a1aea55f3125de8cadd674be73e94e44266409
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3c59a44-b17b-4a70-bf7b-e7130235362f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1191607
Signature
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e154e1ff9dceb6b46e7e21f3e4a1aea55f3125de8cadd674be73e94e44266409/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-03-11 08:20:34 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4fkod745z23li3t6ehz6jinouvptcjo6rsw5m5f6opuu4rbgmqeq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230311-jxn7dsag4y/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e154e1ff9dceb6b46e7e21f3e4a1aea55f3125de8cadd674be73e94e44266409
MD5 hash:
0c4346dc906f7667addce2a657d391b8
SHA1 hash:
a4f0e3895466362fb4a55b8999c607e79ddb6b41
Link:
https://www.unpac.me/results/923e171e-8d4c-4802-9f3b-9a8e6618fcbb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e154e1ff9dce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e154e1ff9dceb6b46e7e21f3e4a1aea55f3125de8cadd674be73e94e44266409

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/373495/

Comments