MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e26bbb3236e15e0ba06e697c49c89d2b23f203d59e593b284221d1f431f73af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e26bbb3236e15e0ba06e697c49c89d2b23f203d59e593b284221d1f431f73af
SHA3-384 hash: bd324f60747ae642079d6c60cae77ec552b6cf9e2a082c810ee5186b6e8214c7c09db12cd3b179f9c9c04d1c4b2d104e
SHA1 hash: c682d8c1adb079b528bd54c757a753c9c7aca850
MD5 hash: 4eda40b6e2669ccf005e4a9b4223f5bc
humanhash: neptune-solar-august-ceiling
File name:4eda40b6e2669ccf005e4a9b4223f5bc.exe
Download: download sample
File size:1'711'528 bytes
First seen:2023-02-23 08:49:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d3ef7ff125eee1c6b9d433b0829d1dc8 (1 x Rhadamanthys)
ssdeep 49152:SvY8fOwCsYf0SwAFbt48v38qELbLXK7msn:Sv32wCNwAF38K9n
Threatray 317 similar samples on MalwareBazaar
TLSH T12885E00372E8845CEABB22BC8EDF951CD43936D70B65DDD3418366DA0421BC99E7CA72
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00ba92b2babac4c0 (2 x PureCrypter, 1 x CoinMiner, 1 x zgRAT)
Reporter abuse_ch
Tags:exe signed

Code Signing Certificate

Organisation:investopedia.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-28T22:48:16Z
Valid to:2023-03-28T22:48:15Z
Serial number: 037045f52d29ebe0e8e2b5d4bfd1607bdbb6
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 454077ff5fb3c752bc6b3533e43d592a81bd47ace25c485db662f789bf0d5538
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4eda40b6e2669ccf005e4a9b4223f5bc.exe
Verdict:
Malicious activity
Analysis date:
2023-02-23 08:59:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3343424a-76d3-4643-96f6-814b8542a418

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369210/
Detection(s):
SecuriteInfo.com.Variant.Jaik.124431.14001.4705.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63f728bfb53d126ad265c184/reports/aa0cf771-69f1-4195-b86e-9c59e4ee42a1/overview
Verdict:
Malicious
Labled as:
Kryptik.HSUM trojan
Link:
https://www.hybrid-analysis.com/sample/0e26bbb3236e15e0ba06e697c49c89d2b23f203d59e593b284221d1f431f73af
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ebe7d84-32f0-4db6-90ce-ff1fa6cf16d9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181195
Signature
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected Costura Assembly Loader
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 814023 Sample: ThI4u7GfHi.exe Startdate: 23/02/2023 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 5 other signatures 2->45 7 alqzs.exe 9 2->7         started        11 ThI4u7GfHi.exe 12 2->11         started        process3 dnsIp4 29 hottn9sjmesqcdey.nvlaxu0vzpih1gzyjnyuv57zgra 7->29 31 185.17.0.22, 49700, 58001 SUPERSERVERSDATACENTERRU Russian Federation 7->31 47 Machine Learning detection for dropped file 7->47 49 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->51 53 Encrypted powershell cmdline option found 7->53 14 powershell.exe 15 17 7->14         started        33 hottn9sjmesqcdey.nvlaxu0vzpih1gzyjnyuv57zgra 11->33 21 C:\Users\user\AppData\Local\...\alqzs.exe, PE32 11->21 dropped 23 C:\Users\user\...\alqzs.exe:Zone.Identifier, ASCII 11->23 dropped 25 C:\Users\user\AppData\...\ThI4u7GfHi.exe.log, ASCII 11->25 dropped file5 signatures6 process7 dnsIp8 35 77.73.131.249, 49701, 80 AS43260TR Kazakhstan 14->35 27 C:\Users\user\AppData\Local\Temp\toilb.exe, PE32+ 14->27 dropped 37 Powershell drops PE file 14->37 19 conhost.exe 14->19         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e26bbb3236e15e0ba06e697c49c89d2b23f203d59e593b284221d1f431f73af/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2023-02-23 05:43:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bytlxmzdnyk6boqg42l4jhej2kzd6ib5lhszhmueeior6qy7ooxq._file
Verdict:
malicious
Similar samples:
06417fde2af515dc4ac553b1cdd8ffb45158fcc4369de364a759a4146b3488be
1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7
1da07ff2b1056ddc31c2fa6bb522b5dba68b41d6a9cbd637d0b08edbeee57804
261711de27d5ff2dca6ab8a29d6c71dc2f897b8f9fe93be7f7a499f46e5caad0
599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e
5d8e70acefcbcc2eff05078efbea2c82d7a051edaabfa4caaf6d48fc9d6644e3
74930b91b8999d03db3840b121fc52d0f5fb6d4b9158b950a5e869aa84a431f2
a902469714ec172e7d2fde514e058670f21d8a5dba89241fd4f3ccc23baf4288
d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8
f99cf4e79efb37bea41405c5701f8ce7f86dea17a05b0c89f8f775c28458b214
+ 307 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230223-krnt4shb2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
43013b0f1212ecb97b8e8660750b2dd88b7d7c0ff018917184fd3a5b776f7a6c
MD5 hash:
21e3e7feca81a66a4b905271326f6168
SHA1 hash:
30bebd38d5e302958aa812f8df178e677605242d
Link:
https://www.unpac.me/results/88a87553-2017-4d16-b445-c0cfb9fdb185/
SH256 hash:
0e26bbb3236e15e0ba06e697c49c89d2b23f203d59e593b284221d1f431f73af
MD5 hash:
4eda40b6e2669ccf005e4a9b4223f5bc
SHA1 hash:
c682d8c1adb079b528bd54c757a753c9c7aca850
Link:
https://www.unpac.me/results/88a87553-2017-4d16-b445-c0cfb9fdb185/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e26bbb3236e15e0ba06e697c49c89d2b23f203d59e593b284221d1f431f73af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0e26bbb3236e15e0ba06e697c49c89d2b23f203d59e593b284221d1f431f73af

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2549312/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/369210/

Comments