MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10c3b61ee321398d021fcb8981eeac2b44cdefc2243a36d7ea4dee1d5dd81bbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	10c3b61ee321398d021fcb8981eeac2b44cdefc2243a36d7ea4dee1d5dd81bbc
SHA3-384 hash:	9dfe79ae231292856f28bfaa1aaa4507ce1a5cb45ff9ca217b18c33962453de7140f3d4f37c7d368bb5f1f7141d8827d
SHA1 hash:	fa6aa394aff8c1333570bcf2805de493dcb6144b
MD5 hash:	e22ffee57a49fa419b65b484d6ea62b6
humanhash:	august-quiet-hawaii-lamp
File name:	explorer.exe
Download:	download sample
File size:	7'354'630 bytes
First seen:	2023-05-28 00:42:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep	196608:7lxnNpICteEroXxDVfEqlbkkwR7VTEmLEN+x0SxDTnBPG:ZpInEroXzfEqirRRomLo+uSxDT
Threatray	265 similar samples on MalwareBazaar
TLSH	T1C7763304A7940CE9F5A7003AE5A09915E1B6B8334350D9CB9B78D2274FA7AF47DB7F80
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	Anonymous
Tags:	exe

Anonymous

Retrieved from https://anonfiles.com/c3MdR9tcz4/explorer.exe

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

explorer.exe

Verdict:

Malicious activity

Analysis date:

2023-05-28 00:45:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b5f85712-e618-42d5-b892-a3e1f837b555

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/392695/

Detection(s):

SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file

Launching a process

Creating a window

DNS request

Sending a custom TCP request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/88280/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/6472a397287852508d173777/reports/9be2eb35-f393-4ae7-a711-c84838e1b892/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/10c3b61ee321398d021fcb8981eeac2b44cdefc2243a36d7ea4dee1d5dd81bbc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/20ebd210-1e0d-432a-8e53-e741734e5471

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1243929

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/10c3b61ee321398d021fcb8981eeac2b44cdefc2243a36d7ea4dee1d5dd81bbc/

Threat name:

Win64.Malware.Generic

Status:

Suspicious

First seen:

2023-05-28 00:44:07 UTC

File Type:

PE+ (Exe)

Extracted files:

497

AV detection:

4 of 24 (16.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cdb3mhxdee4y2aq7zoeyd3vmfncm336ceq5dnv7kjxxb2xoydo6a._file

Verdict:

unknown

64a604a8f103b52f36a9f45ba809babfa68ee6d9e052818477d45350051ac499

6cda633387fccd75a142a0103c720e661466059974663dfca7f702fd35640415

6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8

75016e4ed0580c4b3baa3acdb2c9102eb073749ef91332d91ed982b6551ba870

7ccb7f63df4247bbe86f4c6dcea7ed51a17e0d5eea9843c29d2ef05d8208067e

94d64d00b0aa175cc28ecac33d829a33411cd0cb549018852c0ae82d592f5ec6

9d85f7e7bbce1fc023353548d2bd1a54223370ccc64f073bcd473545aa36f6bc

d2803b97a3cdb1787df9e3bd60818968fecb86bf7eb48bfa51e0757f055b95e4

+ 255 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/230528-a2xjwsea91/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Loads dropped DLL

Gathering data

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/10c3b61ee321398d021fcb8981eeac2b44cdefc2243a36d7ea4dee1d5dd81bbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	SUSP_Imphash_Mar23_3 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:	Internal Research

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 10c3b61ee321398d021fcb8981eeac2b44cdefc2243a36d7ea4dee1d5dd81bbc

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/392695/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample