MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0
SHA3-384 hash:	821bf520059bd321a1dfb42b1b9a44326de066cb24b571e37aad91a289fc197445847d0ee15e1db378670bc0e15de8e5
SHA1 hash:	933ee238ef2b9cd33fab812964b63da02283ae40
MD5 hash:	bf9acb6e48b25a64d9061b86260ca0b6
humanhash:	friend-arizona-magazine-diet
File name:	file
Download:	download sample
File size:	2'711'040 bytes
First seen:	2024-07-26 09:24:10 UTC
Last seen:	2024-12-18 10:38:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e49b63183dc452ee4abc90a6e47f6582
ssdeep	49152:KoW7eYGTL2twElWv+qXy3wfENRxOgB03gStRTvgl6xhp8IbCcNy+OHDLjzs/DOrD:m7e6KVdx1Rquh
TLSH	T101C57C2B457A558AE3D6C07CF52B1792AC3136484E39B37725FAC3913B30A1C6B6D362
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	Bitsight
Tags:	DeerStealer exe

Bitsight

url: http://185.215.113.16/inc/server.exe

Intelligence

File Origin

# of uploads :

# of downloads :

387

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0.exe

Verdict:

Malicious activity

Analysis date:

2024-07-27 08:53:17 UTC

Tags:

stealer deerstealer xfiles

Link:

https://app.any.run/tasks/8de98a03-c6fd-49b6-be9c-c1b5e85071f6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.12338.20262.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66a36b55458e130e002a9df9

Tags:

Stealth

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug mingw packed

Link:

https://www.filescan.io/uploads/66a36b759149fd55f990f25e/reports/8d54cd45-707c-4d60-bcd2-944ed65975aa/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/0351e581-e5a0-499b-a4a0-400e44811cc9

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1482923

Signature

AI detected suspicious sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0/

Threat name:

Win64.Trojan.Smokeloader

Status:

Malicious

First seen:

2024-07-26 00:31:46 UTC

File Type:

PE+ (Exe)

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=akumcep5do3xw5ed3rmcewzkfa3lldg27h6japzpfsekk4dgzpaa._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

9/10

Tags:

credential_access discovery spyware stealer

Link:

https://tria.ge/reports/240726-ldl9sssfph/

Behaviour

Suspicious behavior: EnumeratesProcesses

Browser Information Discovery

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Credentials from Password Stores: Credentials from Web Browsers

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/02141f0f-7c78-4a7c-9851-aa94ea0128bd

Unpacked files

SH256 hash:

02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0

MD5 hash:

bf9acb6e48b25a64d9061b86260ca0b6

SHA1 hash:

933ee238ef2b9cd33fab812964b63da02283ae40

Link:

https://www.unpac.me/results/b50f58e2-2028-4947-8540-4e618a6a143e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/02a8c111fd1b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3068353/

URLhaus

https://urlhaus.abuse.ch/url/3068554/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample