MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e51c6aaeedb70a59c6fa06badecb8b56282561e5cad6925257a1bae99ea37845. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e51c6aaeedb70a59c6fa06badecb8b56282561e5cad6925257a1bae99ea37845
SHA3-384 hash: 1f7e36cbc9ba9dfcc06a61e30cbe30a3f9738d02dc4ff53b22b1037fc06f0e36a82b38e400c2f63e3720be14e458f1d9
SHA1 hash: 3705daeb07581e12da9b4314b2b24d3be591e14f
MD5 hash: 4320c4418fdbd5b344c9eac1c9399019
humanhash: don-fix-golf-orange
File name:4320c4418fdbd5b344c9eac1c9399019
Download: download sample
File size:2'069'497 bytes
First seen:2022-03-05 22:19:09 UTC
Last seen:2022-03-05 23:37:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 49152:H6/6u8zWZ70+vyUNrdcOJbFJVu/CJtl19dSn:H6/SCZxvyUNrlJJD7rl/O
Threatray 1'270 similar samples on MalwareBazaar
TLSH T169A503089147E27BFCED08A3445090D0C39C7FAA7B528DCEE97AD58A151F482F7B6D86
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
i864x__setup__62237fb8332e3.exe
Verdict:
Malicious activity
Analysis date:
2022-03-05 15:46:01 UTC
Tags:
loader trojan rat redline evasion stealer opendir
Link:
https://app.any.run/tasks/828c5bb7-69e3-489d-b235-37bd3b204e65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247611/
Detection(s):
SecuriteInfo.com.Heur.27396.32172.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8356/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d6bb5ff-7058-4eb5-b02b-cf082bd22a19
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/951304
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Shell32 DLL Execution in Suspicious Directory
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 583785 Sample: SLOBlu7OI7 Startdate: 05/03/2022 Architecture: WINDOWS Score: 56 22 Multi AV Scanner detection for submitted file 2->22 24 Sigma detected: Suspicious Call by Ordinal 2->24 26 Sigma detected: Shell32 DLL Execution in Suspicious Directory 2->26 9 SLOBlu7OI7.exe 3 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\...\HQFZxAfS.cpl, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e51c6aaeedb70a59c6fa06badecb8b56282561e5cad6925257a1bae99ea37845/
Threat name:
Win32.Trojan.Qshell
Create hunting rule
Status:
Malicious
First seen:
2022-03-05 22:19:47 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1ba812e8f200b18b8f04bf694314c9b5127aa8a3ce5351ac389639fb69d6d528
2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e
51e380e872b007b342e94119d6665cc15ce492964c82799117e50e2f103a5ac3
6c8131fc986f9477582f43530e0bdc660887285c83360c52e6b68876a57dc9b0
abc845a1bcb5a82c786c55f8f778cef56bcfb4e66eec07172c14fb4cf78dcfcc
b08e7b20a96d4bf0d2795d783b2b066abff7c0d82ccb15e616df533835193f5d
c21002370700932f744db40abd356df44e0a665459f20fa62b7703b865c48318
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
+ 1'260 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220305-185f7abbcq/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
e51c6aaeedb70a59c6fa06badecb8b56282561e5cad6925257a1bae99ea37845
MD5 hash:
4320c4418fdbd5b344c9eac1c9399019
SHA1 hash:
3705daeb07581e12da9b4314b2b24d3be591e14f
Link:
https://www.unpac.me/results/7eae805a-261a-4816-b75c-d1500b1f7328/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e51c6aaeedb70a59c6fa06badecb8b56282561e5cad6925257a1bae99ea37845

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e51c6aaeedb70a59c6fa06badecb8b56282561e5cad6925257a1bae99ea37845

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/247611/
  
URLhaus
https://urlhaus.abuse.ch/url/2078807/

Comments


Avatar
zbet commented on 2022-03-05 22:19:12 UTC

url : hxxp://duoproc.xyz/6/data64_6.exe