MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 683ce5a6c98c7214f598ac3a95356f31d9b17f55ca94b292ededb2fe78c7afd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Empyrean


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 683ce5a6c98c7214f598ac3a95356f31d9b17f55ca94b292ededb2fe78c7afd1
SHA3-384 hash: f9c48def11b55e01cade8f5a132d9fc89d977534e9a40557cea3d8d1201afe200ba40ba72bfac1ca3b0bde065499152e
SHA1 hash: 13ee7aad2a761158e72082d22651e634ca91d4b3
MD5 hash: db13bc7146d21a616f51b4799ae2f93f
humanhash: don-angel-eighteen-mississippi
File name:New_Badge_Guide.pdf.exe
Download: download sample
Signature Empyrean
Create hunting rule
File size:18'549'565 bytes
First seen:2023-05-20 17:53:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e92fd54d65284238a0e3b74b2715062 (21 x Empyrean, 4 x Gh0stRAT, 4 x Telemiris)
ssdeep 393216:rqPnLFXlrjQpDOETgsvfGACgIWvEn4DghLSW:+PLFXNjQoEizvQk
Threatray 55 similar samples on MalwareBazaar
TLSH T1AF1733E4529805A2D8E7653E6C0FD8661127FC4623A4EC8F43F096388F63B562D7BF94
TrID 31.2% (.EXE) Win64 Executable (generic) (10523/12/4)
29.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
14.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.1% (.ICL) Windows Icons Library (generic) (2059/9)
6.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter JaffaCakes118
Tags:Empyrean exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New_Badge_Guide.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-20 17:56:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/08ea451c-3001-409d-a402-b8c1585ec2c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Agent.Script.1713931.10438.20114.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/86204/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
alien greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/6469093b48d4b7d3491a0395/reports/53f54afb-a197-42ea-b3a6-60f4728cd8b4/overview
Verdict:
Malicious
Labled as:
Trojan.Stealer.D.Generic
Link:
https://www.hybrid-analysis.com/sample/683ce5a6c98c7214f598ac3a95356f31d9b17f55ca94b292ededb2fe78c7afd1
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bec6055b-83e5-4027-a7f5-b0d854eb1586
Result
Threat name:
Discord Token Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1238177
Signature
Antivirus / Scanner detection for submitted sample
DLL side loading technique detected
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Discord Token Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 871170 Sample: New_Badge_Guide.pdf.exe Startdate: 20/05/2023 Architecture: WINDOWS Score: 92 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 3 other signatures 2->59 8 New_Badge_Guide.pdf.exe 137 2->8         started        process3 file4 39 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 8->39 dropped 41 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 8->41 dropped 43 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32+ 8->43 dropped 45 87 other files (none is malicious) 8->45 dropped 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->63 12 New_Badge_Guide.pdf.exe 14 8->12         started        signatures5 process6 dnsIp7 47 raw.githubusercontent.com 185.199.108.133, 443, 49714 FASTLYUS Netherlands 12->47 49 www.cloudflare.com 104.16.124.96, 443, 49715 CLOUDFLARENETUS United States 12->49 51 2 other IPs or domains 12->51 65 Tries to harvest and steal browser information (history, passwords, etc) 12->65 16 cmd.exe 1 12->16         started        18 cmd.exe 1 12->18         started        20 cmd.exe 1 12->20         started        22 cmd.exe 1 12->22         started        signatures8 process9 process10 24 WMIC.exe 1 16->24         started        27 conhost.exe 16->27         started        29 WMIC.exe 1 18->29         started        31 conhost.exe 18->31         started        33 WMIC.exe 1 20->33         started        35 conhost.exe 20->35         started        37 conhost.exe 22->37         started        signatures11 61 DLL side loading technique detected 24->61
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/683ce5a6c98c7214f598ac3a95356f31d9b17f55ca94b292ededb2fe78c7afd1/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-20 17:54:07 UTC
File Type:
PE+ (Exe)
Extracted files:
2076
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=na6oljwjrrzbj5myvq5jknlpghm3c72vzkklfexn5wzp46ghv7iq._file
Verdict:
unknown
Similar samples:
062f9b4fed0686cdc5f87598f80787b20d2dff3fae50a8ba57e97f196cb3db84
Empyrean
3ae27a7741a37b5ef68e56dcf589553c6e3516f9cf221a3491a7631f3c028887
Empyrean
4e805f05b321b848e5c8f7d1fd488ca0fb619b0451cf57d82b3b00d883acad75
Empyrean
51e2676b84fe52011ceae619c7417d0099bab47378a8c8aec96288be4d100bd6
Empyrean
6227340282692b6d2787579afad74ac6cd11dad74d6068469f7c132f85cbc2cc
Empyrean
75e9498c9de4ca202f86709a5b58448b64f09ab94440007fe6a9a0ea7c1e633e
Empyrean
7dd7670685a7856ea0675983e14e0e103cb8f189aa0e87dfd1ea984e11c9015f
Empyrean
a20cc7c8887cad9fce369f6b2113b21958926bdef91f6b544f01bbbbd2b12dc7
Empyrean
b442edaab307f4460969d14fe0901493bb6464d46fc36e90ecfa4dfbe056bec9
Empyrean
e712783a06ade3a6680ad0dccb49f3092ecac6c3f62bf78de8e08037f7cb28eb
Empyrean
+ 45 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller upx
Link:
https://tria.ge/reports/230520-wgvqfsge5v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
683ce5a6c98c7214f598ac3a95356f31d9b17f55ca94b292ededb2fe78c7afd1
MD5 hash:
db13bc7146d21a616f51b4799ae2f93f
SHA1 hash:
13ee7aad2a761158e72082d22651e634ca91d4b3
Link:
https://www.unpac.me/results/92148b72-79a1-4691-a002-39e033369067/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/683ce5a6c98c7214f598ac3a95356f31d9b17f55ca94b292ededb2fe78c7afd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:empyrean
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:Empyrean Payload
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:shad0w_beacon_16June
Create hunting rule
Author:SBousseaden
Description:Shad0w beacon compressed
Reference:https://github.com/bats3c/shad0w
Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Empyrean

Executable exe 683ce5a6c98c7214f598ac3a95356f31d9b17f55ca94b292ededb2fe78c7afd1

(this sample)

  
Delivery method
Distributed via web download

Comments