MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01b4c0260a1f991fa4a1e1b82a6c1cd52e3f57bb64aa9f2278f3b23aab86f3f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 01b4c0260a1f991fa4a1e1b82a6c1cd52e3f57bb64aa9f2278f3b23aab86f3f6
SHA3-384 hash: 670fc9629dc4323f06794cc72dd8a67e10dc5e9f0564dfd5c5769f1c365c8adb279792b7d460687fca5d67007c20297b
SHA1 hash: 53eeffb2bb97937fd7315edd1b93d94dc5a0377c
MD5 hash: 69716e71b3f817cb8927e824f5df04be
humanhash: saturn-stairway-missouri-comet
File name: nexty-1.5.3.exe
File size: 74'736'488 bytes
First seen: 2023-12-10 09:21:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep: 1572864:ylpHvAnc4199LCxdOza6wD/iamMXsTw6KI7PbVpOA4jEBd/w:yXGc4194xdOzalDaamksTw6fDVpOodI
TLSH: T1FBF73344379A8F3ECE850A7D14E2EBA2C2B26F7906250987790C7737B83AB57D40754E
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b070ce96aac6e470
Reporter: Xev
Tags: BbyStealer exe


NIXLovesCooper
C2: rufflesrefined.com

Intelligence

File Origin
# of uploads: 1
# of downloads: 312
Origin country: GR

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Changing a file
DNS request
Stealing user critical data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control installer lolbin masquerade overlay packed shell32

Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: adwa.spyw
Score: 68 / 100
Signature
Drops large PE files
Drops PE files to the startup folder
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (ID 1357242; sample nexty-1.5.3.exe; start date 10/12/2023; architecture WINDOWS; score 68):
  Sample-level network: rufflesrefined.com
  Sample-level signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for dropped file
  nexty-1.5.3.exe (started)
    dropped: C:\Users\user\AppData\Local\...\vulkan-1.dll (PE32+); C:\Users\user\AppData\...\vk_swiftshader.dll (PE32+); C:\Users\user\...\nextyVPN-v18.16.0-x64.exe (PE32+); 15 other files (5 malicious)
    signature: Drops large PE files
    started: cmd.exe (which started conhost.exe, tasklist.exe, find.exe); dllhost.exe
  nextyVPN-v18.16.0-x64.exe (started)
    network: rufflesrefined.com 172.67.218.203, 443, 49736, 49737 CLOUDFLARENETUS United States
    dropped: C:\Users\user\AppData\Roaming\...\Updater.exe (PE32+); b50ed62e-c3b9-4268...82f36c4a0a.tmp.node (PE32+); C:\Users\user\AppData\Local\...\Web Data.bby (SQLite); 3 other files (2 malicious)
    signatures: Drops PE files to the startup folder; Tries to harvest and steal browser information (history, passwords, etc)
    started: nextyVPN-v18.16.0-x64.exe (network: chrome.cloudflare-dns.com 162.159.61.3 CLOUDFLARENETUS United States); cmd.exe (which started tasklist.exe, conhost.exe); cmd.exe (which started tasklist.exe, conhost.exe); nextyVPN-v18.16.0-x64.exe
  Updater.exe (started)
Gathering data
Verdict: unknown

Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Sample: Executable exe 01b4c0260a1f991fa4a1e1b82a6c1cd52e3f57bb64aa9f2278f3b23aab86f3f6 (this sample)

Comments