MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f56c3d4a96415875d7ee39d455be40e5ab3991386e4dfec547620a634196fd1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 8

SHA256 hash: f56c3d4a96415875d7ee39d455be40e5ab3991386e4dfec547620a634196fd1c
SHA3-384 hash: 019c786af65e17c5108619fa3af24470db4216beeadaa53a64c034d9f63d33f3fafe808fa9009e5957270ee90b76179b
SHA1 hash: c1337a2ee75c906158ba60bc3f79613ce894d47d
MD5 hash: 784063819c9a50037086215f91c03750
humanhash: berlin-nevada-cat-lion
File name: 784063819c9a50037086215f91c03750.exe
File size: 744'392 bytes
First seen: 2022-04-04 18:31:00 UTC
Last seen: 2022-04-04 19:49:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b47ad1c462d2e834246d38d78ea3b856
ssdeep: 12288:5d1PAG9hcEQdRkBXcGDeOcpN1X8KjyDFUav/rRd8:bFAG9hwABDef1MtF7vjRd8
Threatray: 618 similar samples on MalwareBazaar
TLSH: T14AF49C1BA3A8C813D476D475D86BCAFD7220BE05EA23C55B06F43E1FB9F015CE462A46
dhash icon: 70f0f0e3e2f2f0f0
Reporter: abuse_ch
Tags: exe signed

Code Signing Certificate

Organisation: Seagate BarraCuda Compute ST4000DM004 2 Tb 256/5400
Issuer: Seagate BarraCuda Compute ST4000DM004 2 Tb 256/5400
Algorithm: sha1WithRSAEncryption
Valid from: 2022-04-03T09:27:16Z
Valid to: 2032-04-04T09:27:16Z
Serial number: 21b8a2f7eccdf09046786e2238129b62
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 5749c07beb3e8ca2869e3f46dfc87c77076bfdd08d33986358e12c646eefdfdb
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 202
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: de342b73ab279eccec76de26007344ba122df43f5cb1ded839f75579206f85b0.zip
Verdict: Malicious activity
Analysis date: 2022-04-05 06:23:52 UTC
Tags: trojan rat redline loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Stealer
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Threat name: Win32.Infostealer.ClipBanker
Status: Malicious
First seen: 2022-04-04 09:19:59 UTC
File Type: PE (Exe)
Extracted files: 331
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Unpacked files
SHA256 hash: 530515d7412a58a629e034cd5f366c7cc8deb60a575ff292885e45cecb9b2090
MD5 hash: c48835771783e86d5a320d0e0bab8b3f
SHA1 hash: 79e043d88911968eb6770e73f85d5f873409bedc
SHA256 hash: f56c3d4a96415875d7ee39d455be40e5ab3991386e4dfec547620a634196fd1c
MD5 hash: 784063819c9a50037086215f91c03750
SHA1 hash: c1337a2ee75c906158ba60bc3f79613ce894d47d
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Executable exe f56c3d4a96415875d7ee39d455be40e5ab3991386e4dfec547620a634196fd1c (this sample)

Comments