MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f978ad359add698024287eba93f88d8eabe3c458c62768bc49e3d9e4fa30f2d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash: f978ad359add698024287eba93f88d8eabe3c458c62768bc49e3d9e4fa30f2d9
SHA3-384 hash: ad982b6a3d056e4368b80d06cbe1642a8d1acc9a3bbcf8e1f4ec090fdf0fc1d8e3229b727056b51ecdd8bda49cc580be
SHA1 hash: e6b4d52d408861211307531679479ae3e5ad6546
MD5 hash: e2186c8dfe2bf176ffa180bc8038b45a
humanhash: quiet-nuts-triple-lamp
File name:e2186c8dfe2bf176ffa180bc8038b45a.exe
Download: download sample
File size:4'979'056 bytes
First seen:2023-03-12 17:40:54 UTC
Last seen:2023-03-12 19:42:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0cab0170722ba12b99e4419aa79e51bd (6 x RedLineStealer)
ssdeep 98304:ZrNDnifgPgjhcObmRCevTu6QDiU98WJONhZ9gsb0jJu/2vJYL4ooq:ZFBMuOCTpDLaqiRYLT
Threatray 6 similar samples on MalwareBazaar
TLSH T13436E0D9F13112DDEA274323CF00A68872A594BB451BF9DBAF28D1F2815B15826F6F07
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e2186c8dfe2bf176ffa180bc8038b45a.exe
Verdict:
Malicious activity
Analysis date:
2023-03-12 17:44:54 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Сreating synchronization primitives
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 824918 Sample: jEhJqTf6oZ.exe Startdate: 12/03/2023 Architecture: WINDOWS Score: 72 44 Multi AV Scanner detection for submitted file 2->44 46 Machine Learning detection for sample 2->46 9 jEhJqTf6oZ.exe 1 2->9         started        12 dbgSoftwareDistribution-type1.6.8.3.exe 2->12         started        process3 signatures4 48 Writes to foreign memory regions 9->48 50 Allocates memory in foreign processes 9->50 52 Sample uses process hollowing technique 9->52 54 Injects a PE file into a foreign processes 9->54 14 AppLaunch.exe 1 9->14         started        17 AppLaunch.exe 9->17         started        19 conhost.exe 9->19         started        process5 signatures6 56 Injects a PE file into a foreign processes 14->56 21 AppLaunch.exe 6 14->21         started        24 conhost.exe 14->24         started        58 Uses schtasks.exe or at.exe to add and modify task schedules 17->58 process7 file8 42 dbgSoftwareDistribution-type1.6.8.3.exe, PE32+ 21->42 dropped 26 icacls.exe 1 21->26         started        28 icacls.exe 1 21->28         started        30 schtasks.exe 1 21->30         started        32 3 other processes 21->32 process9 process10 34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        38 conhost.exe 30->38         started        40 conhost.exe 32->40         started       
Threat name:
Win32.Trojan.RedLine
Status:
Malicious
First seen:
2023-03-12 17:41:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Unpacked files
SH256 hash:
dcfd0d602932a5d87edc7432d7021aff23f8cb63b231614485a4690f5181c545
MD5 hash:
942a624dc3142cdb117c51784a6573e2
SHA1 hash:
91aaff76670453891c9d65cf91e5c8b9725833e1
SH256 hash:
f978ad359add698024287eba93f88d8eabe3c458c62768bc49e3d9e4fa30f2d9
MD5 hash:
e2186c8dfe2bf176ffa180bc8038b45a
SHA1 hash:
e6b4d52d408861211307531679479ae3e5ad6546
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_stackstrings
Author:Willi Ballenthin
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:Sectigo_Code_Signed
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:virustotal
Author:Tracel

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments