MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MetaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37
SHA3-384 hash: 715f20b74e316ba2e847f6b4501e8626b5db71c6ebb88b3fd8909a3d96c1ec5f9405abbfa8eeec5ff81eefec660cd961
SHA1 hash: b71d3c77d96604c904702b45904b72b889808125
MD5 hash: 6cd2bc8e57214a9143084b8cad228c75
humanhash: quiet-fourteen-winter-zulu
File name:xin.exe
Download: download sample
Signature MetaStealer
Create hunting rule
File size:470'904 bytes
First seen:2024-10-02 14:24:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:FRc5LRY9bXsJtSWtTcfgzwOl1YzzDeqiGOXs1fknwgBxwtZ4Z/AHqF8sfmqilXXn:Di2CrfNcaYrwOcVxwtydF0X4xidZ
Threatray 28 similar samples on MalwareBazaar
TLSH T167A42353494869F9F27E4A7632B0C869EF21E3532495F704A31FD60796A33D0372A6F4
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:exe metastealer


Avatar
iamaachum
194.116.215.195/xin.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://194.116.215.195/xin.exe
Verdict:
Malicious activity
Analysis date:
2024-10-02 10:54:35 UTC
Tags:
stealer metastealer evasion
Link:
https://app.any.run/tasks/b3cea1a3-64bc-4e96-9596-ea59297682ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fd57c1780a9b632d22801d
Tags:
injection exploit micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Creating a file in the %temp% directory
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/66fd57c0718049dcaee5745d/reports/301af31f-3bc1-42de-b04b-a2aab0dc87cf/overview
Verdict:
Malicious
Labled as:
Marsilia.Generic
Link:
https://www.hybrid-analysis.com/sample/fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Kuhaname
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a92c7a53-ff7c-4a8c-9aa8-bf000c8390f2
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1524235
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Reads the System eventlog
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37/
Threat name:
Win32.Trojan.RedlineStealer
Create hunting rule
Status:
Malicious
First seen:
2024-10-02 07:09:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7uo2k3cw4ekd2cyi72pbhedv3dbntvn2oaixzhxwul46ofizry3q._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
Similar samples:
0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119
MetaStealer
0ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff
MetaStealer
3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe
MetaStealer
836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957
MetaStealer
89eb95ecd046e2b621bf45aa2dc4e0976acb825e3cfefb033147746b09891c44
MetaStealer
error
MetaStealer
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/241002-rq95aavbph/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
redline metastealer
YARA:
n/a
Link:
https://app.threat.zone/submission/ca9f21f1-6db9-4e19-bf18-287a00be0f48
Unpacked files
SH256 hash:
17dccd6e6fa00057ceb2832054ed7612ec2de23a20e6e39c0ca47c734f8a9aa6
MD5 hash:
fcfbb02c3168cf4fc2cc4e365f38d64e
SHA1 hash:
1339b9269c3d147cd3185cd54cd28b5b62ed1171
Detections:
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/bef55e2c-e152-4913-a412-3199f1cea91e/
SH256 hash:
fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37
MD5 hash:
6cd2bc8e57214a9143084b8cad228c75
SHA1 hash:
b71d3c77d96604c904702b45904b72b889808125
Link:
https://www.unpac.me/results/bef55e2c-e152-4913-a412-3199f1cea91e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MetaStealer

Executable exe fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37

(this sample)

  
Link
https://tria.ge/241002-rh7zyszgnj
  
Dropped by
PrivateLoader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3186589/
  
URLhaus
https://urlhaus.abuse.ch/url/3194605/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments