MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0db3bd35b25826c66d2ebc8f3d009b44dcffbf66e7998b19be0cf4c0d8fec258. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0db3bd35b25826c66d2ebc8f3d009b44dcffbf66e7998b19be0cf4c0d8fec258
SHA3-384 hash: 25ee128647e704c1e62490e36e8dcd205e5b4a1faf1bdc8b868f4ccf42ec1c04ab89700c8399adda3399821841dc80e5
SHA1 hash: 0ce6d6df6365a753e787d43ee7b9eb9c28112751
MD5 hash: 355583a086e74e0f82d93eb5a3a69401
humanhash: eighteen-montana-black-edward
File name:Img-347654566091234.exe
Download: download sample
File size:748'370 bytes
First seen:2021-06-18 13:00:36 UTC
Last seen:2021-06-18 13:56:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:Bgd+/Ft5qYyBsGCuhxGjcOc3+y0+Tl37zt+JI8Z5x/eu:Kd+/CqGCQxq/KJ0I37ztV8Z5xx
Threatray 202 similar samples on MalwareBazaar
TLSH C4F4EF236474611AC7E3323A4F61F9F963191D0DC8A05C1AB6F0BFC7B5BC283AE99645
Reporter TeamDreier
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Img-347654566091234.exe
Verdict:
Malicious activity
Analysis date:
2021-06-18 13:01:57 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/d864ad0f-a732-4cf4-82a6-a428637c3b32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166846/
Detection(s):
SecuriteInfo.com.Trojan.Loader.840.8011.1979.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c91909e6-568c-4af3-b89d-1c2191b44d0f
Result
Threat name:
MicroClip SpyEx
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804341
Signature
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected MicroClip
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436752 Sample: Img-347654566091234.exe Startdate: 18/06/2021 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected SpyEx stealer 2->53 55 Yara detected MicroClip 2->55 57 5 other signatures 2->57 7 Img-347654566091234.exe 1 21 2->7         started        11 vtvhvcyuwyebt.exe 17 2->11         started        13 vtvhvcyuwyebt.exe 17 2->13         started        process3 file4 31 C:\Users\user\AppData\...\vtvhvcyuwyebt.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\Local\...\System.dll, PE32 7->33 dropped 59 Writes to foreign memory regions 7->59 61 Maps a DLL or memory area into another process 7->61 15 svchost.exe 1 14 7->15         started        35 C:\Users\user\AppData\Local\...\System.dll, PE32 11->35 dropped 63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 20 svchost.exe 11->20         started        37 C:\Users\user\AppData\Local\...\System.dll, PE32 13->37 dropped 22 vtvhvcyuwyebt.exe 15 13->22         started        24 svchost.exe 13->24         started        signatures5 process6 dnsIp7 39 Smtp.azebal.com 15->39 41 us2.smtp.mailhostbox.com 208.91.199.223, 49704, 587 PUBLIC-DOMAIN-REGISTRYUS United States 15->41 29 C:\Users\user\AppData\...\sdedffggdg.exe, PE32 15->29 dropped 43 System process connects to network (likely due to code injection or exploit) 15->43 45 Tries to steal Crypto Currency Wallets 15->45 47 Writes or reads registry keys via WMI 15->47 49 Installs a global keyboard hook 15->49 26 sdedffggdg.exe 3 15->26         started        file8 signatures9 process10 signatures11 67 Antivirus detection for dropped file 26->67 69 Multi AV Scanner detection for dropped file 26->69 71 Machine Learning detection for dropped file 26->71 73 Tries to harvest and steal browser information (history, passwords, etc) 26->73
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0db3bd35b25826c66d2ebc8f3d009b44dcffbf66e7998b19be0cf4c0d8fec258/
Threat name:
Win32.Trojan.MintPorcupine
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 02:17:17 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
4068367bc59ad89c43c9024b63d4057942626c13d4cb4233ba14218a5f1d2ee8
43c7a6a2753a823e9588d72776b4a660d33b8890414fff82d6741132346d8abb
4aeff0a9aeaaf5b99bf1cf428c7e5dee1effb8da421bb4111c8bc76d0c455a9a
4e4d1f64ee342ea468d20fa61ce6f7f9061d12ef01e43e9669e7085fd80181fb
51e96096360aaaa7df70507ee70610710b1c532e30994b60fc3d20792fcd688d
7f5f68e3163fd4aae367b129dc4d519000905b78d66e6933e7b091053eadd98f
8040940621af7b77ecbb66d16ca8fc924900960d48665247aa3f77d4de560c9a
8cf4d9a55d80942fbdf18648f7fa01768efc4783b439503d39d9ef98a85fb193
b2462d16cc9531dd5f8d9d0ea09ee96da1a09902f91dbddc9fe6c52f3467c590
f1849f447bfa07c3a9a9db11501a026d133541d0264424198f297f5ec70e1ff3
+ 192 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210618-cdhvsa6epe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
2d0dbb2f4d70d41b1dc71cab349224456544de975d00425a0e1cac9b6af85759
MD5 hash:
ba50f69104ff8e1fd8ca1eefb5e97a84
SHA1 hash:
9d2961cecf677b9c32f00f4297832e40f93d9852
Link:
https://www.unpac.me/results/3cbf130b-365c-4e38-8ffd-8aa7e008c04b/
SH256 hash:
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
MD5 hash:
56a321bd011112ec5d8a32b2f6fd3231
SHA1 hash:
df20e3a35a1636de64df5290ae5e4e7572447f78
Link:
https://www.unpac.me/results/3cbf130b-365c-4e38-8ffd-8aa7e008c04b/
SH256 hash:
0db3bd35b25826c66d2ebc8f3d009b44dcffbf66e7998b19be0cf4c0d8fec258
MD5 hash:
355583a086e74e0f82d93eb5a3a69401
SHA1 hash:
0ce6d6df6365a753e787d43ee7b9eb9c28112751
Link:
https://www.unpac.me/results/3cbf130b-365c-4e38-8ffd-8aa7e008c04b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/0db3bd35b25826c66d2ebc8f3d009b44dcffbf66e7998b19be0cf4c0d8fec258

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166846/

Comments