MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 359192021d66445d4aad9ab62d4f5c4e80d1f94f03931d95c5f5b2494840e47e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 359192021d66445d4aad9ab62d4f5c4e80d1f94f03931d95c5f5b2494840e47e
SHA3-384 hash: baefa0424912e4fe74a5b729145941efd7d24f29748e5c2bcbfcfa3a252beabb5d7dff8f8307c3f41c8e540da31a6b9d
SHA1 hash: 3db40c7453271147ecaa1e13711a6cd63110c049
MD5 hash: 554d9b7e4f5e8f86f1bf3d3a3c94b729
humanhash: green-robin-zulu-happy
File name:554d9b7e4f5e8f86f1bf3d3a3c94b729
Download: download sample
File size:28'298'827 bytes
First seen:2022-09-25 08:47:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a6cec5b1a631d592d80900ab7e1de8df (3 x IRCbot, 3 x CobaltStrike, 3 x RedLineStealer)
ssdeep 786432:oXj+v5vhUgsGessQA/xiVA80wmQpmF7iXi0oy2A9V4HGPqA2bj:sj+v5vhU1eK7wmHEmyxilAc
Threatray 5 similar samples on MalwareBazaar
TLSH T1CE57330A72600AC6FCA6C479C8A6F410D573B50D5744E85B96F90ACE2E433A8ED7D7E3
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
BSOD occurred
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38955/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/633015c826a88abc7d2641af/reports/9754f708-6e60-4e3d-a914-546e2ef790d4/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1076813
Signature
Multi AV Scanner detection for submitted file
Performs an instant shutdown (NtRaiseHardError)
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-23 11:53:57 UTC
File Type:
PE+ (Exe)
Extracted files:
1585
AV detection:
3 of 26 (11.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwizeaq5mzcf2svntk3c2t24j2and6kpaojr3fof6wzessca4r7a._file
Verdict:
malicious
Similar samples:
0f1324eb2f8fdcda4dbdc84d1bc79fce43c52d5a65801761768ddde9c5db440a
45a3cf3b9fe14d68e6e67ba32c9efb36df82cf3435f2ec229fb687f59ab06ebf
61d8c079987aa8413a74dfe56498f9646237250c50b0902755acf3e6136a8309
b2eaa054fc50ea949449ceb4646d52f121d512ebb2586ca76ee0430d7ef9a65f
e3f96b35ef2dcad2ed776cbfabb0ddaf495b2e1b7575f88e49b079f7750b5cbd
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/220925-kqfr4sfceq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/94b9fbd8-a433-4572-8e8f-80c9e5cdd429
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/359192021d66445d4aad9ab62d4f5c4e80d1f94f03931d95c5f5b2494840e47e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 359192021d66445d4aad9ab62d4f5c4e80d1f94f03931d95c5f5b2494840e47e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2313367/

Comments


Avatar
zbet commented on 2022-09-25 08:47:38 UTC

url : hxxps://filebin.net/r1hjr7uo73jxohql/firewall.exe