MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 092bcd3cf82639b3edc348e5c040fc6cb7c472928832aadf07b18dd61986675d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 092bcd3cf82639b3edc348e5c040fc6cb7c472928832aadf07b18dd61986675d
SHA3-384 hash: c4b5afbf9d326f72e4a440ff2067fe3eff695c6423b6bf649080b0b28483fe35f4f52a82510d061f33c26a83f07073e7
SHA1 hash: fada62293a56242c909621b757105a0b06f0d111
MD5 hash: 629c1218d4df42e44c7e561aff28a152
humanhash: may-moon-helium-fix
File name:Memory.Cheat.exe
Download: download sample
File size:8'158'898 bytes
First seen:2023-02-05 10:06:25 UTC
Last seen:2023-02-05 11:29:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ba5546933531fafa869b1f86a4e2a959 (10 x DCRat, 3 x RedLineStealer, 2 x RemcosRAT)
ssdeep 196608:BGyjotdQmR5dA6l6uErSEEJwdFt1rv43cruGO1i2C:xKdQ2l6+9JYvIKuti2C
Threatray 4'322 similar samples on MalwareBazaar
TLSH T17B8633A566161CEAD95B4036C483C630EB71386603D0E36F07F09EB71F5BAB02D7BA65
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter Vladisl51060804
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Memory.Cheat.exe
Verdict:
Malicious activity
Analysis date:
2023-02-05 10:08:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/adc1c7ed-4e99-4fec-9c7a-feebd087b549

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/360386/
Detection(s):
SecuriteInfo.com.Win64.Trojan-gen.23190.26088.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/65402/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63df7fc8696b2d9725754c54/reports/422db063-10e1-4b80-a626-3dd856a3a187/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/092bcd3cf82639b3edc348e5c040fc6cb7c472928832aadf07b18dd61986675d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/62e13c3d-a396-486e-917c-10b2f3b4c67e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1165990
Signature
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 798761 Sample: Memory.Cheat.exe Startdate: 05/02/2023 Architecture: WINDOWS Score: 52 25 Multi AV Scanner detection for submitted file 2->25 7 Memory.Cheat.exe 22 2->7         started        process3 file4 17 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 7->17 dropped 19 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 7->19 dropped 21 C:\Users\user\AppData\Local\...\python311.dll, PE32+ 7->21 dropped 23 16 other files (none is malicious) 7->23 dropped 10 Memory.Cheat.exe 1 7->10         started        13 conhost.exe 7->13         started        process5 signatures6 27 Installs a global keyboard hook 10->27 15 cmd.exe 1 10->15         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/092bcd3cf82639b3edc348e5c040fc6cb7c472928832aadf07b18dd61986675d/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-05 10:07:12 UTC
File Type:
PE+ (Exe)
Extracted files:
439
AV detection:
1 of 26 (3.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bev42phyey43h3odjds4aqh4ns34i4usrazkvxyhwgg5mgmgm5oq._file
Verdict:
unknown
Similar samples:
028eb90d9030197de2540b5376793e2d4f26209ac6aae517a9090dd576eba6fd
0bc250f43d37f663c9b9655be85caec78a7b8662b262b17abc67654f60709fdd
0f99ffd1922111c7dfa9f59f23bbd8490894c6d5640fe901f3bca388b1e4881b
3b0422e2969647a30d739eac69c0bf70a5ae30c603c89902535ba643017fa07a
51bf7d8f0523c3b9b7b352f4d9e7ed427325808cfaf88399965062e9457e82c4
66faa0ab77f8471078f93a7d389f95ddffd4b5fc6abf7f79fee3f1dd9a70a5b7
c9dd5ad8e1a4b2f30743465a874b3ce4ac0e3657683678fb1fb7477a1f8ebe98
cbafa6b5a5a5141801e04ad135271a9e0169e120582ed96c4136c0b2b2ae4d98
fecc5f0ecda63fab65cc46fd2b92a3817505f28562cadd787d7915baa4869099
+ 4'312 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/230205-l5mpmscd5s/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Loads dropped DLL
Unpacked files
SH256 hash:
092bcd3cf82639b3edc348e5c040fc6cb7c472928832aadf07b18dd61986675d
MD5 hash:
629c1218d4df42e44c7e561aff28a152
SHA1 hash:
fada62293a56242c909621b757105a0b06f0d111
Link:
https://www.unpac.me/results/60c62aac-82d9-4a65-8684-0379d6eeeab9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/092bcd3cf82639b3edc348e5c040fc6cb7c472928832aadf07b18dd61986675d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/360386/

Comments