MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc0cb0682ccc37bdd72fab5106d45ebf7fb014b15004d65d627f6e2aed0750b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc0cb0682ccc37bdd72fab5106d45ebf7fb014b15004d65d627f6e2aed0750b4
SHA3-384 hash: cb9efd09ebdebeb46a58c392d18d046da5504232bf33a6f1c143f9b5a5e62fa6ebc4bdccc7329c5190b5aaac37d1e41e
SHA1 hash: 9c92cde80d982dec72e5a2fb6553bc1cd89e8319
MD5 hash: afd26f223230ad20eb208dbaa0164e43
humanhash: fanta-delaware-quebec-grey
File name:file
Download: download sample
File size:1'415'680 bytes
First seen:2022-12-23 17:00:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ddba7a03349ac386bff226957244704
ssdeep 24576:cfR85lrIXtinFaRYaWZ22CJVf6GvhrRR44gaGVllYVYItTP4au+TK+Mx:cfS55IXluX4t2ID4au+2d
Threatray 17'254 similar samples on MalwareBazaar
TLSH T178652305B6F4D191E41333BA06265680157A3C575E75CB8B73A9FE0E3B32E448A72B3B
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter jstrosch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
15f57d45fe2a1e8da248cf9b3723d775.exe
Verdict:
Malicious activity
Analysis date:
2022-12-23 15:08:09 UTC
Tags:
trojan amadey opendir loader rat redline stealer remcos keylogger
Link:
https://app.any.run/tasks/257c5b6b-5894-44eb-a28a-861672690ddf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Heur.wH0@vr1LDOiin.16491.23509.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Searching for the window
Searching for analyzing tools
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet packed virus
Link:
https://www.filescan.io/uploads/63a5decfcdd311264932fc62/reports/25d363cb-4192-449e-8829-8a21805c0da9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3b938a8c-b60c-4f77-b532-0e4c7d322b68
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140117
Signature
Antivirus / Scanner detection for submitted sample
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc0cb0682ccc37bdd72fab5106d45ebf7fb014b15004d65d627f6e2aed0750b4/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-12-23 16:56:06 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qgla2bmzq333vzpvniqnvc6x573affrkacnmxlcp5xcv3ihkc2a._file
Verdict:
malicious
Similar samples:
1212ac208df0962b7d1347b0dadbbd54e83b9dd4d30c45f760544f27e9c0f7b5
13d19cf0f53c65faef0b0f569bfe7c0a740c9113a6c5a0441f9509b3db59bc54
2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d
5866f921e4e7d2eef8693f9fefb19ccd46224c02bb46dd51639d8680de185a40
590420a09891c0a91ecdc29942328e707cc3f0243f5c9907c96150eb15fe1052
8028f15755497e60af4f15e0b7171423a5ab31c12b529a0f17807d840665d177
c0178dc0e1f125da7b6bab419edc783fdff63a376019140e086e6bc10ec588bd
ce8f55763490d6e40a5f388b796672b32a622235a3a45bb4e850bbb849efaaf5
cf944362d88ca9e50ddba1ac4661c6185e9d2be1727ec4c78bb003fa3f4a9309
dabdfc50cc2a6bc20b098b7feee83bedf463d58e0a9f824831290acefddc703c
+ 17'244 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys bootkit evasion persistence stealer trojan
Link:
https://tria.ge/reports/221223-vjjwasca2t/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect rhadamanthys stealer shellcode
Rhadamanthys
Unpacked files
SH256 hash:
fc0cb0682ccc37bdd72fab5106d45ebf7fb014b15004d65d627f6e2aed0750b4
MD5 hash:
afd26f223230ad20eb208dbaa0164e43
SHA1 hash:
9c92cde80d982dec72e5a2fb6553bc1cd89e8319
Link:
https://www.unpac.me/results/466eb8a5-c529-4ed9-9561-94d13cf527c8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fc0cb0682ccc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/fc0cb0682ccc37bdd72fab5106d45ebf7fb014b15004d65d627f6e2aed0750b4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe fc0cb0682ccc37bdd72fab5106d45ebf7fb014b15004d65d627f6e2aed0750b4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2483080/
  
URLhaus
https://urlhaus.abuse.ch/url/2483083/

Comments