MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1fdac82e4e4da91ba2a9d8122a5f27e11a8342308b18376b189d2cc7468557b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1fdac82e4e4da91ba2a9d8122a5f27e11a8342308b18376b189d2cc7468557b
SHA3-384 hash: e4be37d278a5df9ddb60d3f5e93374f53607bb96c66a088f8550837bddfa8a172566b3f4ca0a6174a2cf2ec1592b1815
SHA1 hash: df96b0206e9222af2b26ec7fd55e8c254430a51f
MD5 hash: 7e8557bba47693b92aa8b325b588e4cb
humanhash: jersey-may-twelve-berlin
File name:setup_x86_x64_install.exe
Download: download sample
File size:1'830'080 bytes
First seen:2021-01-29 15:26:36 UTC
Last seen:2021-01-29 16:58:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:TC1G84m29YLwiZJQU6AFkKSRS8YUp+PW058:Tnw296wQJQ3xKSww+PW058
Threatray 37 similar samples on MalwareBazaar
TLSH C7852303A2EC4C77D47B6BB425F69153223A735176B8C20B322E865899B03F5B63D35B
Reporter struppigel
Tags:AutoIT CryptBot packed

Intelligence

File Origin
# of uploads :
2
# of downloads :
305
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-01-29 15:31:52 UTC
Tags:
autoit stealer trojan phishing loader
Link:
https://app.any.run/tasks/0bdca85a-8abf-40cd-b960-4ab05d990604

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114757/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Sending a custom TCP request
Sending a UDP request
Creating a process from a recently created file
Deleting a recently created file
DNS request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594098
Signature
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Certutil Command
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346095 Sample: setup_x86_x64_install.exe Startdate: 29/01/2021 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 8 other signatures 2->66 10 setup_x86_x64_install.exe 1 6 2->10         started        12 rundll32.exe 2->12         started        process3 process4 14 cmd.exe 1 10->14         started        16 cmd.exe 1 10->16         started        signatures5 19 cmd.exe 2 14->19         started        22 conhost.exe 14->22         started        24 certutil.exe 2 14->24         started        58 Submitted sample is a known malware sample 16->58 26 conhost.exe 16->26         started        process6 signatures7 68 Obfuscated command line found 19->68 70 Uses ping.exe to sleep 19->70 28 Ricuperato.com 19->28         started        30 PING.EXE 1 19->30         started        33 findstr.exe 1 19->33         started        36 certutil.exe 2 19->36         started        process8 dnsIp9 38 Ricuperato.com 28->38         started        56 127.0.0.1 unknown unknown 30->56 46 C:\Users\user\AppData\...\Ricuperato.com, Targa 33->46 dropped file10 process11 dnsIp12 48 fUDJryBrtEZWLtoFP.fUDJryBrtEZWLtoFP 38->48 72 Uses nslookup.exe to query domains 38->72 74 Writes to foreign memory regions 38->74 76 Injects a PE file into a foreign processes 38->76 42 nslookup.exe 47 38->42         started        signatures13 process14 dnsIp15 50 abruskasm01.xyz 62.113.115.181, 49704, 49705, 80 VDSINA-ASRU Russian Federation 42->50 52 morrssiasft05.xyz 94.103.92.80, 49702, 49703, 80 VDSINA-ASRU Russian Federation 42->52 54 acrssiasfq55.xyz 42->54 78 Tries to harvest and steal ftp login credentials 42->78 80 Tries to harvest and steal browser information (history, passwords, etc) 42->80 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1fdac82e4e4da91ba2a9d8122a5f27e11a8342308b18376b189d2cc7468557b/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2021-01-29 11:07:19 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
08dbec2319a6dc6fc42ac20e63560ff2796b9106ab9cfd4ea3974b45460f4c6b
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
16bbaa4003bd7b0ee00634113bd4da02b153f09817263dda98bb06d012c18d74
1c421e6eea0c7d28016da05e2be26a099f94bb355e05ed1088c2098c024760b1
1db0242b6f7de2919880e833801ce2b48bbf83c136235a537b17211e1193d611
637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210129-ecylst2jnj/
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
f44cb1e2672ce93bfa48711d8cc5af8ad77728150f0cf66494bc0e9e5492a0d7
MD5 hash:
b20d9ecb140d57602eb8d48b822cbe84
SHA1 hash:
745632ba99974ef4bd366f20117abaa85c8f425a
Link:
https://www.unpac.me/results/a741d4f1-573a-4cd8-a9df-6facd22ecaae/
SH256 hash:
f1fdac82e4e4da91ba2a9d8122a5f27e11a8342308b18376b189d2cc7468557b
MD5 hash:
7e8557bba47693b92aa8b325b588e4cb
SHA1 hash:
df96b0206e9222af2b26ec7fd55e8c254430a51f
Link:
https://www.unpac.me/results/a741d4f1-573a-4cd8-a9df-6facd22ecaae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/f1fdac82e4e4da91ba2a9d8122a5f27e11a8342308b18376b189d2cc7468557b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f1fdac82e4e4da91ba2a9d8122a5f27e11a8342308b18376b189d2cc7468557b

(this sample)

  
Link
https://www.reddit.com/r/antivirus/comments/l7r770/need_help_clearing_malware/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/114757/

Comments