MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 15

SHA256 hash: f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
SHA3-384 hash: 013181e33f551600c1be7e60a3385968098ad3324f35ca861a3c76461cff31a777b68a1fd3fc9365a4bf13301c9be377
SHA1 hash: 0de63f57cc605470c584cd4b2eeaa5100e30a670
MD5 hash: 65c3dba524c72f89b18636c8da76a6b3
humanhash: carpet-two-carpet-mango
File name: F1E1B516A83F303659E53D513C9C3DA9DFD466F40B96F.exe
Download: download sample
Signature: RecordBreaker
File size: 3'496'874 bytes
First seen: 2022-08-13 06:25:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xeYFpDJjhb6gU/u8EWZhsXC/uS2isCvLUBsKaIKI:xXljhAW8/sXmuS2qLUCKae
TLSH T1AEF53371B2E449F2EA4210309BA87F7A55FEC3CD072509DB7368D11E6F2D16AC63B816
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags: exe recordbreaker

abuse_ch
RecordBreaker C2:
176.113.115.146:9582

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
176.113.115.146:9582 https://threatfox.abuse.ch/ioc/842688/
109.107.180.76:37989 https://threatfox.abuse.ch/ioc/842692/
65.108.44.89:42630 https://threatfox.abuse.ch/ioc/842693/
185.106.92.228:24221 https://threatfox.abuse.ch/ioc/842765/
157.90.234.4:6229 https://threatfox.abuse.ch/ioc/842878/

Intelligence


File Origin
# of uploads: 1
# of downloads: 316
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Moving a file to the %temp% subdirectory
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a file
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitCoin Miner, RedLine, Vidar, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Disable Windows Defender real time protection (registry)
DNS related to crypt mining pools
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found C&C like URL pattern
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 683448, Sample: F1E1B516A83F303659E53D513C9..., Startdate: 13/08/2022, Architecture: WINDOWS, Score: 100 (the graph is rendered as an image; its node text is not reproduced here)
Threat name:
Win32.Downloader.ShortLoader
Status:
Malicious
First seen:
2021-08-06 23:09:49 UTC
File Type:
PE (Exe)
Extracted files:
475
AV detection:
20 of 24 (83.33%)
Threat level:
  3/5
Verdict:
malicious
Result
Malware family:
redline
Score:
  10/10
Tags:
family:privateloader family:redline botnet:5 botnet:5076357887 botnet:@tag12312341 botnet:nam3 botnet:olkani botnet:ruxarr_gg aspackv2 discovery evasion infostealer loader spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
PrivateLoader
RedLine
RedLine payload
Malware Config
C2 Extraction:
ataninamei.xyz:80
103.89.90.61:34589
176.113.115.146:9582
195.54.170.157:16525
insttaller.com:40915
62.204.41.144:14096
Unpacked files
Detections (one unpacked file): win_privateloader_a0 win_privateloader_w0
Malware family:
RedLine.A
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
