MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e381d2ff39b4396f61397eb75ab10ba5002c3ae50c4062aee82d7ea444e59917. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	e381d2ff39b4396f61397eb75ab10ba5002c3ae50c4062aee82d7ea444e59917
SHA3-384 hash:	dc59cb2a7ccca58515888bbdda4b39b1fac9df05755ded380ee0a27ceedd672d100b67b9fb302b64f04d221658e8d12d
SHA1 hash:	b4767c039689a64bc532da8423b78d50273d0b82
MD5 hash:	a9a3109bdf4f21f50c8669b1ccd5b272
humanhash:	mountain-steak-kitten-december
File name:	1843933170.exe
Download:	download sample
File size:	4'223'488 bytes
First seen:	2022-05-20 13:07:33 UTC
Last seen:	2022-05-20 13:40:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep	98304:h79wEAiUeI7wlefyPHv/5MTltHwFjDVx2gHfDe:vzqA/5MTltHO9x2AfC
Threatray	127 similar samples on MalwareBazaar
TLSH	T12B1633F7C14F96D8E0D7C43C6AEFB111EE39AC9A90E02597A122CDB65D6B0CE1840F59
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	JaffaCakes118
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

260

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

setup.exe.exe

Verdict:

Malicious activity

Analysis date:

2022-05-20 12:45:40 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/c4d82202-097f-4067-8f49-2e36f4838d0c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/273048/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop20.5458.22124.24422.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Changing a file

Creating a file in the %AppData% subdirectories

Running batch commands

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug packed redline wacatac

Link:

https://www.filescan.io/uploads/628792d03ec49f83a6b999f6/reports/56f5c82f-934b-4acf-ba45-b3706eed878f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/74281356-7fc7-4b9e-9437-6a06409299d0

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/998593

Signature

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e381d2ff39b4396f61397eb75ab10ba5002c3ae50c4062aee82d7ea444e59917/

Threat name:

Win64.Spyware.RedLine

Status:

Malicious

First seen:

2022-05-18 18:47:11 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

23 of 41 (56.10%)

Threat level:

2/5

Verdict:

unknown

5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2

8101c71c2c31df8da09ed7dd55da9bbd949b028f8f54f0e1cbffab82b192ed87

84858e95dcf7fe3cb43f819f8b496ecc1b44e6f4ea938fb00b0b5c117e9b4075

a5453a830d01639ad537320c94e68565341328c872a8f2d3456221a0bec6f3e9

bec113f52e725b1e43720bb9ab1faece1043fc4562f1de3c3d43c1cfc97f2ada

c1eae8655ba2f8afc1fdba12f836ad4ba4d26057109b8f70519aba2b88c9b92b

cfbac2647ebe2341242d1c6375d766e4490c9d16fdbf100301e9e8102aeba62c

d66c835ffce7413ed28d1252c814787083aab6fcdc20df38120b5da13991f9c3

e69716b0ea13b412bf6e3ac4f9a0bca987d99788f9d20cedd8fcacee0a7c3f38

+ 117 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer upx

Link:

https://tria.ge/reports/220520-qc7xbsfhhl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Deletes itself

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

460b7dafd0c0c665b5c8fc4f5437ca9b76808d8cd95d457dc97007558cec548e

MD5 hash:

24757ec52223415d4b02681fc281ce46

SHA1 hash:

15821c1d3e59f2fb64366df0e99f1e837694363a

Link:

https://www.unpac.me/results/a7420627-4dc1-4eac-b892-e5612f138ad4/

SH256 hash:

e381d2ff39b4396f61397eb75ab10ba5002c3ae50c4062aee82d7ea444e59917

MD5 hash:

a9a3109bdf4f21f50c8669b1ccd5b272

SHA1 hash:

b4767c039689a64bc532da8423b78d50273d0b82

Link:

https://www.unpac.me/results/a7420627-4dc1-4eac-b892-e5612f138ad4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e381d2ff39b4396f61397eb75ab10ba5002c3ae50c4062aee82d7ea444e59917

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe e381d2ff39b4396f61397eb75ab10ba5002c3ae50c4062aee82d7ea444e59917

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/273048/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample