MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5
SHA3-384 hash: 7271234c0293b5567b35df849e71e40ef6c736b4d717d5836b7cb6421ac85f4f2905f5da5cd99edb3ff3caf74658c125
SHA1 hash: afd7485b1313cc54c321cc18c4b1c19e5ae415af
MD5 hash: 50e9958bb2a5b6ae6ed8da1b1d97a5bb
humanhash: spaghetti-helium-fish-uncle
File name:50e9958bb2a5b6ae6ed8da1b1d97a5bb
Download: download sample
File size:144'896 bytes
First seen:2023-03-24 02:58:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 74e5927a780c3f10f31d5185179b2079
ssdeep 3072:ca+7cuLPeNoqEcBwokMUHb8uwX6SVjfLq3fNh9kPfe3:ca0vL2HEcmokbzEVzeVgfe3
Threatray 296 similar samples on MalwareBazaar
TLSH T18EE37D1575C0C0B3E56719314870EBB56E7EF8300F246D9F63990A7A9F306C19A3AA7B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-23 23:47:15 UTC
Tags:
rat redline trojan amadey loader kelihos
Link:
https://app.any.run/tasks/de3a6480-26c8-4362-aa51-557aa9bcdfbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/377000/
Detection(s):
SecuriteInfo.com.Variant.Doina.26970.16014.20479.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Running batch commands
Launching a process
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74529/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe fingerprint greyware shell32.dll
Link:
https://www.filescan.io/uploads/641d11f89c109cf74b2f03c6/reports/8f3cb484-549d-45db-a1a6-348bc867a333/overview
Verdict:
Malicious
Labled as:
Doina.Generic
Link:
https://www.hybrid-analysis.com/sample/f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fa9c21f8-af5e-477e-ad1d-8cb9a7771236
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1200950
Signature
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 833855 Sample: CWMP8FKHFo.exe Startdate: 24/03/2023 Architecture: WINDOWS Score: 60 52 Multi AV Scanner detection for submitted file 2->52 7 CWMP8FKHFo.exe 15 2->7         started        11 chrome.exe 2->11         started        13 chrome.exe 2->13         started        process3 dnsIp4 42 techcosupportservice.com 198.251.84.36, 49695, 80 PONYNETUS United States 7->42 54 Self deletion via cmd or bat file 7->54 15 cmd.exe 1 7->15         started        18 cmd.exe 1 7->18         started        20 chrome.exe 14 1 7->20         started        23 chrome.exe 11->23         started        25 chrome.exe 13->25         started        signatures5 process6 dnsIp7 56 Uses ping.exe to sleep 15->56 58 Uses ping.exe to check the status of other devices and networks 15->58 27 taskkill.exe 1 15->27         started        29 conhost.exe 15->29         started        31 PING.EXE 1 18->31         started        34 conhost.exe 18->34         started        38 192.168.2.1 unknown unknown 20->38 40 239.255.255.250 unknown Reserved 20->40 60 Self deletion via cmd or bat file 20->60 36 chrome.exe 20->36         started        signatures8 process9 dnsIp10 44 1.1.1.1 CLOUDFLARENETUS Australia 31->44 46 accounts.google.com 142.250.180.141, 443, 49696, 49700 GOOGLEUS United States 36->46 48 www.google.com 142.251.209.4, 443, 49697, 49701 GOOGLEUS United States 36->48 50 2 other IPs or domains 36->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5/
Threat name:
Win32.Trojan.Doina
Create hunting rule
Status:
Malicious
First seen:
2023-03-23 23:20:53 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jcdrxrzd2wawu4mb4xrs2l5v2wos6n7qzl2rpghjw3mwtwlklcq._file
Verdict:
malicious
Similar samples:
22b8eea77c280d8bbfe86c7a3acac4e60f11bfeb5fa03cfef44678513af49600
4fa8e3ed74b9d941888ab229b323154e2a2bdb2274fd7e767e16bb8dadd97365
797c253df096431e69f1aa84f0010f248384fe437cda4bf8df916c48fbb7984f
8fa5ac8d44ea6dceea6a581c52fe4e336be7a60c710c50d405833d2ceed7bcf4
b499cbf56149c33fc6e105f9121d8c985e5dff6f5e4201184a012673a94b98b4
b965e24c6a5a78fa2ca501ce7baaee2e36628608b0307e8c8cee3f32954d0f99
ba484a35c10e0de7b344da174c26560e29bd3fe895216f9d03c0ce1cfc3de706
be989e2f8769f464453807ce5b7a2e104e1a3f7e299952d6c4009019ed31ebb0
d063eec4ec30ecc633469e28b06bf8288a9107cd9f16ea97720877a6f761e248
+ 286 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230324-dgqsdsdh2t/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5
MD5 hash:
50e9958bb2a5b6ae6ed8da1b1d97a5bb
SHA1 hash:
afd7485b1313cc54c321cc18c4b1c19e5ae415af
Link:
https://www.unpac.me/results/5199e3dd-fa2a-4970-ab05-cb869242df76/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/377000/
  
URLhaus
https://urlhaus.abuse.ch/url/2582926/

Comments


Avatar
zbet commented on 2023-03-24 02:58:26 UTC

url : hxxp://62.204.41.88/lend/rc.exe