MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f99ffd1922111c7dfa9f59f23bbd8490894c6d5640fe901f3bca388b1e4881b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f99ffd1922111c7dfa9f59f23bbd8490894c6d5640fe901f3bca388b1e4881b
SHA3-384 hash: 6b8e3e6a456f671beae8212f0a73ccaa103025bb4ea9defffc8812991038b8304f170eadf2647f3d7fd25fb05a6fb87f
SHA1 hash: 32d5b2cff22e8e0f119d754a4017bf23d8504e87
MD5 hash: 83deabd1a3d271493c2084cb2cc0b975
humanhash: texas-beryllium-aspen-ohio
File name:chromepass.exe
Download: download sample
File size:8'056'224 bytes
First seen:2023-01-06 08:48:37 UTC
Last seen:2023-01-06 10:45:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ba5546933531fafa869b1f86a4e2a959 (10 x DCRat, 3 x RedLineStealer, 2 x RemcosRAT)
ssdeep 196608:UoNdzUjpRpkL2Vmd6+DXLZy7YM30LzajY1ljvYDCSpXSg:7oVRpkL2Vmd6m70GzajYfrSc
Threatray 236 similar samples on MalwareBazaar
TLSH T14D863309A63004E6F936C43DD462C416DAB1BDA20B90E68747B5C64B1F07AF6BDB7F90
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter r3dbU7z
Tags:exe pyinstaller

Intelligence

File Origin
# of uploads :
2
# of downloads :
305
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
chromepass.exe
Verdict:
Malicious activity
Analysis date:
2023-01-06 08:49:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d41afb8d-b1a1-4323-bfc4-b5d3d83b0a66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349907/
Detection(s):
SecuriteInfo.com.Generic.Application.Lazagne.D.A1D3967C.18683.1729.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63b7e07f5f356e00329ca580/reports/13a887aa-8f9d-4a4f-80b3-44b2e886d107/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ElevenClock
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3c97c2bd-e4e6-4fd3-bb38-320d940dc887
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1146126
Signature
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f99ffd1922111c7dfa9f59f23bbd8490894c6d5640fe901f3bca388b1e4881b/
Threat name:
Win64.Hacktool.Lazagne
Create hunting rule
Status:
Malicious
First seen:
2023-01-06 08:49:12 UTC
File Type:
PE+ (Exe)
Extracted files:
419
AV detection:
5 of 41 (12.20%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6m77umseei4px5j6wpsho6yjeejjrwvmqh6saptxsryrmperanq._file
Verdict:
unknown
Similar samples:
028eb90d9030197de2540b5376793e2d4f26209ac6aae517a9090dd576eba6fd
0bc250f43d37f663c9b9655be85caec78a7b8662b262b17abc67654f60709fdd
3b0422e2969647a30d739eac69c0bf70a5ae30c603c89902535ba643017fa07a
51bf7d8f0523c3b9b7b352f4d9e7ed427325808cfaf88399965062e9457e82c4
585437888a36695c0d522c9f8aefe1de1ca2b10b54ec4e9600a9a635c4d5c94d
c5e11de6c91c453483b70bbde34bd99a5b9970a6ba4a898e42caa1f598d2d160
c9dd5ad8e1a4b2f30743465a874b3ce4ac0e3657683678fb1fb7477a1f8ebe98
cbafa6b5a5a5141801e04ad135271a9e0169e120582ed96c4136c0b2b2ae4d98
eb1bc9a5f5c530c8a4d271f626906fe986e5622fe4c635aceb77e95898978654
fecc5f0ecda63fab65cc46fd2b92a3817505f28562cadd787d7915baa4869099
+ 226 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/230106-kq3a4sfe29/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ed6c9d8-e67e-4d3b-9f4a-3fdc9f521ea7
Unpacked files
SH256 hash:
0f99ffd1922111c7dfa9f59f23bbd8490894c6d5640fe901f3bca388b1e4881b
MD5 hash:
83deabd1a3d271493c2084cb2cc0b975
SHA1 hash:
32d5b2cff22e8e0f119d754a4017bf23d8504e87
Link:
https://www.unpac.me/results/c0a7141f-96ed-49c6-addb-8ffc8f7a8d36/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f99ffd1922111c7dfa9f59f23bbd8490894c6d5640fe901f3bca388b1e4881b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0f99ffd1922111c7dfa9f59f23bbd8490894c6d5640fe901f3bca388b1e4881b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349907/

Comments