MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dd7670685a7856ea0675983e14e0e103cb8f189aa0e87dfd1ea984e11c9015f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dd7670685a7856ea0675983e14e0e103cb8f189aa0e87dfd1ea984e11c9015f
SHA3-384 hash: 807eba5bfb936fc024726ce1584c938191eabda039547c060dc78b8aac4a2310b422a8ab6517f8fb3957e7a5fd8a1898
SHA1 hash: c6ca655662ba9be4f765c28db5d2e1b384260e58
MD5 hash: 7e959b965c38ccf73416218e2272e098
humanhash: alanine-paris-ack-johnny
File name:VespyGrabber.exe
Download: download sample
File size:14'582'274 bytes
First seen:2023-05-14 18:42:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 196608:/d/lOqPnih8FXj+hYeB0sKYu/PaQgKDnO8NpHzgsAGKaRZtG77CTRzbtqlKMYm0F:mqPnLFCjQpDOETgsv/GvkT6Ko0TEk
Threatray 51 similar samples on MalwareBazaar
TLSH T10BE633F0724409D2DDE6A13E686E844B4576FC0623A4E98F43B5DA398F633265C7BF90
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter JaffaCakes118

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
VespyGrabber.exe
Verdict:
Malicious activity
Analysis date:
2023-05-14 21:20:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/77addef3-9288-4566-8d01-2022669d6e2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Launching a process
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Launching the process to change network settings
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/84549/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit overlay packed python
Link:
https://www.filescan.io/uploads/64612bc9ed1a1a106592028b/reports/fee4e493-1e78-47f2-8876-40002315e3b5/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7dd7670685a7856ea0675983e14e0e103cb8f189aa0e87dfd1ea984e11c9015f
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d5912b21-0113-410d-994e-fbdc4004cfe5
Result
Threat name:
Discord Token Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1232908
Signature
Antivirus / Scanner detection for submitted sample
DLL side loading technique detected
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Yara detected Discord Token Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 865890 Sample: VespyGrabber.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 92 109 api4.ipify.org 2->109 111 api.ipify.org 2->111 133 Antivirus / Scanner detection for submitted sample 2->133 135 Multi AV Scanner detection for dropped file 2->135 137 Multi AV Scanner detection for submitted file 2->137 139 2 other signatures 2->139 10 VespyGrabber.exe 108 2->10         started        14 cmd.exe 2->14         started        16 cmd.exe 1 2->16         started        signatures3 process4 file5 101 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 10->101 dropped 103 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 10->103 dropped 105 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 10->105 dropped 107 85 other malicious files 10->107 dropped 147 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->147 149 May check the online IP address of the machine 10->149 18 VespyGrabber.exe 16 10->18         started        22 dat.txt 14->22         started        24 conhost.exe 14->24         started        26 dat.txt 108 16->26         started        29 conhost.exe 16->29         started        signatures6 process7 dnsIp8 113 api4.ipify.org 173.231.16.77, 443, 49700, 49703 WEBNXUS United States 18->113 115 raw.githubusercontent.com 185.199.110.133, 443, 49702 FASTLYUS Netherlands 18->115 117 2 other IPs or domains 18->117 83 C:\Users\user\AppData\Roaming\...\dat.txt, PE32+ 18->83 dropped 31 cmd.exe 1 18->31         started        34 cmd.exe 1 18->34         started        36 cmd.exe 1 18->36         started        43 4 other processes 18->43 85 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 22->85 dropped 87 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 22->87 dropped 89 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 22->89 dropped 97 85 other malicious files 22->97 dropped 38 dat.txt 22->38         started        91 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 26->91 dropped 93 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 26->93 dropped 95 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32+ 26->95 dropped 99 85 other files (none is malicious) 26->99 dropped 143 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->143 145 May check the online IP address of the machine 26->145 41 dat.txt 26->41         started        file9 signatures10 process11 dnsIp12 151 Uses cmd line tools excessively to alter registry or file data 31->151 51 2 other processes 31->51 53 2 other processes 34->53 55 2 other processes 36->55 119 185.199.109.133, 443, 49711 FASTLYUS Netherlands 38->119 121 162.159.128.233, 443, 49710 CLOUDFLARENETUS United States 38->121 127 5 other IPs or domains 38->127 153 Tries to harvest and steal browser information (history, passwords, etc) 38->153 45 cmd.exe 38->45         started        58 3 other processes 38->58 123 64.185.227.155, 443, 49705, 49709 WEBNXUS United States 41->123 125 185.199.108.133, 443, 49707 FASTLYUS Netherlands 41->125 129 5 other IPs or domains 41->129 47 cmd.exe 41->47         started        49 cmd.exe 41->49         started        60 2 other processes 41->60 62 5 other processes 43->62 signatures13 process14 signatures15 64 WMIC.exe 45->64         started        67 conhost.exe 45->67         started        69 WMIC.exe 47->69         started        71 conhost.exe 47->71         started        73 WMIC.exe 49->73         started        75 conhost.exe 49->75         started        79 5 other processes 58->79 77 WMIC.exe 60->77         started        81 2 other processes 60->81 141 DLL side loading technique detected 62->141 process16 signatures17 131 DLL side loading technique detected 69->131
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7dd7670685a7856ea0675983e14e0e103cb8f189aa0e87dfd1ea984e11c9015f/
Threat name:
Win64.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2023-04-25 17:31:44 UTC
File Type:
PE+ (Exe)
Extracted files:
2023
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxlwobufu6cw5idhlgb6ctqoca6lr4mjvihipx6r5kme4eojafpq._file
Verdict:
malicious
Similar samples:
062f9b4fed0686cdc5f87598f80787b20d2dff3fae50a8ba57e97f196cb3db84
1e6112420d4e9561e458e074dad3ebed54ae6f759d5c3ae9844c8a61ac7f33d3
3ae27a7741a37b5ef68e56dcf589553c6e3516f9cf221a3491a7631f3c028887
4e805f05b321b848e5c8f7d1fd488ca0fb619b0451cf57d82b3b00d883acad75
6227340282692b6d2787579afad74ac6cd11dad74d6068469f7c132f85cbc2cc
75e9498c9de4ca202f86709a5b58448b64f09ab94440007fe6a9a0ea7c1e633e
8e4ce102a531d540a1f643396d6ddfc0da9acc963ca995bcba9d07909ebb58e0
a20cc7c8887cad9fce369f6b2113b21958926bdef91f6b544f01bbbbd2b12dc7
b442edaab307f4460969d14fe0901493bb6464d46fc36e90ecfa4dfbe056bec9
e712783a06ade3a6680ad0dccb49f3092ecac6c3f62bf78de8e08037f7cb28eb
+ 41 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller upx
Link:
https://tria.ge/reports/230514-xc6gtsfd7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
7dd7670685a7856ea0675983e14e0e103cb8f189aa0e87dfd1ea984e11c9015f
MD5 hash:
7e959b965c38ccf73416218e2272e098
SHA1 hash:
c6ca655662ba9be4f765c28db5d2e1b384260e58
Link:
https://www.unpac.me/results/e30bf8fd-75b5-4db5-864d-340f9bcfc240/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7dd7670685a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7dd7670685a7856ea0675983e14e0e103cb8f189aa0e87dfd1ea984e11c9015f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:shad0w_beacon_16June
Create hunting rule
Author:SBousseaden
Description:Shad0w beacon compressed
Reference:https://github.com/bats3c/shad0w
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments