MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a2a1a33841d79dcaf62dfd71becddec0581a725793fb6119f187568ac351794. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a2a1a33841d79dcaf62dfd71becddec0581a725793fb6119f187568ac351794
SHA3-384 hash: f8da17c685d30e1f4b33caa61a2da75f43a298c2d11db7d9aaabe5c873572d1e1dbbc3729e19cacbaf5f3ac5a4b233f2
SHA1 hash: 099d6aaec7f76711d8f64f9010ecc7ae31268250
MD5 hash: abed3af52c03d4518096ef5365734080
humanhash: charlie-alaska-uniform-magnesium
File name:abed3af52c03d4518096ef5365734080
Download: download sample
File size:5'956'308 bytes
First seen:2022-10-15 08:11:00 UTC
Last seen:2023-08-26 21:25:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a6cec5b1a631d592d80900ab7e1de8df (3 x IRCbot, 3 x CobaltStrike, 3 x RedLineStealer)
ssdeep 98304:QP/wZh2uW5MI079g+D3O7/Xuy/+7F+7cETACVgKavAk5D7M:QXwZEL2V76+D3c/f/+ScEjQ4yD7M
Threatray 40 similar samples on MalwareBazaar
TLSH T1E056334026600ED1FDAB553AD892841AEE7BB8220799D74F83A0D3A51F733F66D3B750
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
294
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320567/
Detection(s):
Win.Trojan.Generic-9962297-0
Create hunting rule

SecuriteInfo.com.W64.S-f7bcf467.Eldorado.13723.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Sending a UDP request
Launching a process
Creating a window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43231/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/634a6b174fc319a52d55d9c6/reports/7b7473d0-7647-42a7-b45e-b4b1f6ffa7f0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/322b803d-a021-46bc-ad2c-8b9ea48ea4d2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1091158
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Uses STUN server to do NAT traversial
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a2a1a33841d79dcaf62dfd71becddec0581a725793fb6119f187568ac351794/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-06 00:27:34 UTC
File Type:
PE+ (Exe)
Extracted files:
298
AV detection:
12 of 42 (28.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=divbum4edv45zl3c37lrx3g55qcydjzfpe73mem7db2wrlbvc6ka._file
Verdict:
malicious
Similar samples:
29a0ec2958b900db46598043791f3b672c7c62cf3d0ebd44444c208d057d05ce
476a05d5c8ef4444f96cbd02c3a315c56227b7510f75e82249a449bb79e977fc
5a84910606ad80acd72e15856c704e0a044f93d46df482d5629d4cc2c55d546b
7ff666b15df670047eaa593d038013a5ad809aaef174abe50e85bf4962a1366b
8f6e203a52757cdb71ffbf15b696f0518f17862579863e139af08fafe1e1feb6
acb6ddc1461c0d9e81f482f4e5738f330d01f0365b6f95e44aa5792fbe8d7376
b000ebdd1ec391024c2d6a953a56485a5460ca449b419bb2380f210620d72dae
b8e807fd68dc28227145b1fed9a72e925c24ab76495dce4733e9656740732b1b
c6af2ec456ad02b9eb3faf9fd9384d3dc43a55e7b1a58eec4440ee4bde1e99ce
+ 30 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/221015-j29znafdcq/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e3e3dd00-5cd1-471e-a894-fb390ddd0b57
Unpacked files
SH256 hash:
1a2a1a33841d79dcaf62dfd71becddec0581a725793fb6119f187568ac351794
MD5 hash:
abed3af52c03d4518096ef5365734080
SHA1 hash:
099d6aaec7f76711d8f64f9010ecc7ae31268250
Link:
https://www.unpac.me/results/9c5334c0-e79f-4599-9c79-1572c34b86ee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a2a1a33841d79dcaf62dfd71becddec0581a725793fb6119f187568ac351794

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1a2a1a33841d79dcaf62dfd71becddec0581a725793fb6119f187568ac351794

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2305842/
Cape
Cape
https://www.capesandbox.com/analysis/320567/

Comments


Avatar
zbet commented on 2022-10-15 08:11:15 UTC

url : hxxp://146.70.101.97/repackend.exe