MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a12ff043aebb7db997838de6791aa257eb40b357502143ed13b4dd9796f9e20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a12ff043aebb7db997838de6791aa257eb40b357502143ed13b4dd9796f9e20
SHA3-384 hash: f43ef40eff1db1fb868745cda6966145c47ec3efa450796803c33de51ccf408b287fe8e41350ce5fdd8ca548c50341cf
SHA1 hash: 8aa95774aea3f0f17b845db688b2891b0eb1af78
MD5 hash: 6d3902cbac7caa83f2fb1b27c320983e
humanhash: emma-low-oven-summer
File name:6d3902cbac7caa83f2fb1b27c320983e.bin
Download: download sample
File size:6'032'108 bytes
First seen:2023-04-03 08:58:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a6cec5b1a631d592d80900ab7e1de8df (3 x IRCbot, 3 x CobaltStrike, 3 x RedLineStealer)
ssdeep 98304:pln68wcqmbxaQBNBU5ytgMwzu+Zkh/tLiclDXc3/Zpjx0bU0XxQHbLY3E:p40xbAQveItwq+ZkiKDIjx0vXxQ7L1
Threatray 46 similar samples on MalwareBazaar
TLSH T1DD563384621048FCE8A6913EC993C415EAF134258795D5CB87B8E6B21F33BE06F3AF51
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6d3902cbac7caa83f2fb1b27c320983e.bin
Verdict:
Malicious activity
Analysis date:
2023-04-03 08:59:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3c108cc-9651-413f-bd15-d5b0b6f6ca85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379541/
Detection(s):
SecuriteInfo.com.FileRepMalware.12574.23298.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Creating a window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/76240/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/642a9558155a6f1443f9f3d3/reports/9ff0192e-e559-4068-9f0e-2d92cf13478d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/6a12ff043aebb7db997838de6791aa257eb40b357502143ed13b4dd9796f9e20
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ElevenClock
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5260fa84-40cc-4abc-b54f-2840ea7a7e14
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1206898
Signature
Drops PE files to the startup folder
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 839812 Sample: mGB6NmxKSw.exe Startdate: 03/04/2023 Architecture: WINDOWS Score: 56 58 Multi AV Scanner detection for submitted file 2->58 60 Machine Learning detection for sample 2->60 8 mGB6NmxKSw.exe 16 2->8         started        12 Google.exe 40 2->12         started        process3 file4 34 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 8->34 dropped 36 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 8->36 dropped 38 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 8->38 dropped 46 11 other files (none is malicious) 8->46 dropped 62 Drops PE files to the startup folder 8->62 14 mGB6NmxKSw.exe 4 8->14         started        40 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 12->40 dropped 42 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 12->42 dropped 44 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 12->44 dropped 48 17 other files (none is malicious) 12->48 dropped 18 Google.exe 1 12->18         started        signatures5 process6 dnsIp7 56 transfer.sh 144.76.136.153, 443, 49707 HETZNER-ASDE Germany 14->56 50 C:\Users\user\...behaviorgraphoogle.exesr_e0fmf.tmp, PE32+ 14->50 dropped 52 C:\Users\user\AppData\...behaviorgraphoogle.exe (copy), PE32+ 14->52 dropped 20 Google.exe 40 14->20         started        file8 process9 file10 26 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 20->26 dropped 28 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 20->28 dropped 30 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 20->30 dropped 32 17 other files (none is malicious) 20->32 dropped 23 Google.exe 1 20->23         started        process11 dnsIp12 54 193.124.115.3, 49709, 49711, 80 MTW-ASRU Russian Federation 23->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a12ff043aebb7db997838de6791aa257eb40b357502143ed13b4dd9796f9e20/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nijp6bb25o35xglyhdpgpenkev7liczvoubbipwrhng5s6lptyqa._file
Verdict:
unknown
Similar samples:
414d8e74cdb96fe1e8742018494be41cdebd5c11804a30a7876a5bcd7bf01764
476a05d5c8ef4444f96cbd02c3a315c56227b7510f75e82249a449bb79e977fc
5a84910606ad80acd72e15856c704e0a044f93d46df482d5629d4cc2c55d546b
6ae3599bcbb951c7fe73ab6060a654b5ced2e83cf3ff15038bec95743232425e
a07afb3f48c05bc311adc6a9473310e6b35e14f14920e543ee8ca032a0af637f
acb6ddc1461c0d9e81f482f4e5738f330d01f0365b6f95e44aa5792fbe8d7376
b000ebdd1ec391024c2d6a953a56485a5460ca449b419bb2380f210620d72dae
b8e807fd68dc28227145b1fed9a72e925c24ab76495dce4733e9656740732b1b
d94deb99e0ee0053e8a256335b445e63d696471ce5f5c337df03ad3e0c7bb13b
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/230403-kxqwnadg53/
Behaviour
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
6a12ff043aebb7db997838de6791aa257eb40b357502143ed13b4dd9796f9e20
MD5 hash:
6d3902cbac7caa83f2fb1b27c320983e
SHA1 hash:
8aa95774aea3f0f17b845db688b2891b0eb1af78
Link:
https://www.unpac.me/results/31b80de2-e34c-4f1b-8e6b-f9549e6d5e58/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/379541/

Comments