MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8e45a62cd2eabe03565eed183aa37b6c2e320565e32ce6b6df1ea0825897b39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8e45a62cd2eabe03565eed183aa37b6c2e320565e32ce6b6df1ea0825897b39
SHA3-384 hash: 97519f299afdbf44da0e8e47ef68f5af24344f0013908365e8ee1575737e9e8dd716efaf8c1f2aacccd60dd37bf417fe
SHA1 hash: 4f859e3882732f265376d0ebf139a065909f74f5
MD5 hash: 16d5574261f9687345e346d82d445f48
humanhash: nineteen-sink-north-mockingbird
File name:OYqcYh.exe
Download: download sample
File size:2'601'984 bytes
First seen:2023-05-06 12:19:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:44OQKz2hZfs+53wyDN2Y0jtnPvYHpYKFsB0nJCa8B2GQgyK:ZOQKz2z5P895wlsCnDG
Threatray 793 similar samples on MalwareBazaar
TLSH T11EC52341336AB772ECA183F4620CF4419FA12D51B7B6F6E48CCBF0D88558B19B6907A7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
LV LV
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OYqcYh.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-06 12:20:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5b77f491-9d98-47fc-b7c1-a1a3efe24a4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387108/
Detection(s):
SecuriteInfo.com.Variant.Tedy.359331.27181.19049.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/645645f34ee0a73c0f8fc70b/reports/2c57facd-3308-41cf-a104-323a13719ef2/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/e8e45a62cd2eabe03565eed183aa37b6c2e320565e32ce6b6df1ea0825897b39
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f93869e-cf0b-4500-975c-47424086d0a9
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1227490
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 860454 Sample: OYqcYh.exe Startdate: 06/05/2023 Architecture: WINDOWS Score: 60 19 Multi AV Scanner detection for submitted file 2->19 21 .NET source code contains potential unpacker 2->21 23 Machine Learning detection for sample 2->23 25 Yara detected Generic Downloader 2->25 6 OYqcYh.exe 3 2->6         started        process3 file4 17 C:\Users\user\AppData\...\OYqcYh.exe.log, ASCII 6->17 dropped 9 OYqcYh.exe 1 2 6->9         started        11 OYqcYh.exe 6->11         started        13 OYqcYh.exe 6->13         started        15 OYqcYh.exe 6->15         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8e45a62cd2eabe03565eed183aa37b6c2e320565e32ce6b6df1ea0825897b39/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-05-06 07:28:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5dsfuywnf2v6anlf53iyhkrxw3bogicwlyzm423n6hvaqjmjpm4q._file
Verdict:
malicious
Similar samples:
19836f65b08970b838c64ef0ffd5f8f4d8ed2063a1df2b826e3dc9e66b3c8f37
6118fb1f75058c3bd77040399fad44126181a9b131396a4f1ab7e6622c826dda
62f1922f673fdb34aea18eac783649154f1bdc646410052e3b72c4ebe6c78f37
aa3a5e3035f1281d3a412956e0a0273d33e0f07500abc909eb5d9dad6524b588
ab463de3b695c5e6a4f163c156ad7ef4949a728481711627de738b6a9d84d1f3
c4478ee4d7e4a2c94c2ab27ed4bf7e6ae88e88a218c5d6adce8cd8911d0977bc
d1c42fef143e11679953bccf17e53229b292184c675da25ebc1023b84baf745e
d930e3006b889c13cdebe9004c021ed18ebe31f1504ffce27f10277e439329e0
+ 783 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230506-phq1bsbd31/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
280001013946838a651abbdee890fa4a4d49c382b7b5e78b7805caef036304e2
MD5 hash:
d4b6893a5512534104c6c7403be60897
SHA1 hash:
d4b51c3e4cafb3b146435a4e2e21bb5ddf15956d
Link:
https://www.unpac.me/results/b5d3c2be-85aa-41b6-8fa7-e2980964f884/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/b5d3c2be-85aa-41b6-8fa7-e2980964f884/
SH256 hash:
132ae685763c5b96d3647c2b4fabb35a6c124c419bdf3212f5d1831a6904a533
MD5 hash:
378e6c74038795994120b1f2f50b9fe4
SHA1 hash:
380e9213c1ffeb12bba469eccde750a46a2e5b1c
Link:
https://www.unpac.me/results/b5d3c2be-85aa-41b6-8fa7-e2980964f884/
SH256 hash:
eeda3664709a04565bbed2a155a95b4bae028ef5f19a5a394ea7cd84b3db6a88
MD5 hash:
90bfdb120719bfb1be8eb8397acd27db
SHA1 hash:
308fd7c85bfc2e7f00948c49d08b9833f69163b8
Link:
https://www.unpac.me/results/b5d3c2be-85aa-41b6-8fa7-e2980964f884/
SH256 hash:
c8dc8b734f4629351824f4e8f8bd91dcbbc20acc58e83ddcf499c03bc979b3be
MD5 hash:
25fdd08fb4e05d37591ac1a8cb63a469
SHA1 hash:
1d57d677c840094aed19f23ec72db806f5ef5e57
Link:
https://www.unpac.me/results/b5d3c2be-85aa-41b6-8fa7-e2980964f884/
SH256 hash:
e8e45a62cd2eabe03565eed183aa37b6c2e320565e32ce6b6df1ea0825897b39
MD5 hash:
16d5574261f9687345e346d82d445f48
SHA1 hash:
4f859e3882732f265376d0ebf139a065909f74f5
Link:
https://www.unpac.me/results/b5d3c2be-85aa-41b6-8fa7-e2980964f884/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.78
Link:
https://yomi.yoroi.company/submissions/e8e45a62cd2eabe03565eed183aa37b6c2e320565e32ce6b6df1ea0825897b39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe e8e45a62cd2eabe03565eed183aa37b6c2e320565e32ce6b6df1ea0825897b39

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387108/

Comments