MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10c509006cf9328447712a70a0793952a1a6c6f3bdf994a482baa47e883f9e5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EpsilonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10c509006cf9328447712a70a0793952a1a6c6f3bdf994a482baa47e883f9e5b
SHA3-384 hash: 109e542341fc75af6b04e47647b90bcf8bf31d578dab0ca65b893e5b1014256fc71044c8a27c6dda19b0d8e939559b7e
SHA1 hash: 91477c37c04bedb0d5d01ac863231ab322d16f44
MD5 hash: a8d2f6362b102dbad2b8b240b7fbe7d9
humanhash: zulu-thirteen-fish-mockingbird
File name:SecuriteInfo.com.Trojan.Siggen21.47292.30874.29519
Download: download sample
Signature EpsilonStealer
Create hunting rule
File size:68'748'928 bytes
First seen:2023-10-22 01:37:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:y4/4rzOchPar22d1YIfOocFSvEDtqJQZbXj9hCbB9MvqboaGR7:xkqcdar22dCUOco4JijEcqrO7
Threatray 5 similar samples on MalwareBazaar
TLSH T16EE73375EB51917FC33CDFBA61C4A215340908C079A3BB135A7F90AAE12570A8BBF275
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 98e5676565a5a198 (20 x EpsilonStealer, 2 x NovaSentinel, 1 x LummaStealer)
Reporter SecuriteInfoCom
Tags:EpsilonStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
369
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Siggen21.47292.30874.29519
Verdict:
Malicious activity
Analysis date:
2023-10-22 01:45:45 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/2518fdb4-e099-488a-88df-344b348a2d0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Searching for synchronization primitives
Unauthorized injection to a recently created process
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/10c509006cf9328447712a70a0793952a1a6c6f3bdf994a482baa47e883f9e5b
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1329823
Signature
Overwrites Mozilla Firefox settings
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1329823 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 22/10/2023 Architecture: WINDOWS Score: 64 68 raw.githubusercontent.com 2->68 70 ipinfo.io 2->70 72 3 other IPs or domains 2->72 9 SecuriteInfo.com.Trojan.Siggen21.47292.30874.29519.exe 205 2->9         started        12 WindowsDriverSetup.exe 2->12         started        process3 file4 52 C:\Users\user\AppData\...\Legacysurvival.exe, PE32+ 9->52 dropped 54 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 9->54 dropped 56 C:\Users\user\AppData\Local\...\System.dll, PE32 9->56 dropped 58 18 other files (none is malicious) 9->58 dropped 14 Legacysurvival.exe 41 9->14         started        process5 dnsIp6 76 api.gofile.io 51.178.66.33, 443, 49738 OVHFR France 14->76 78 ipinfo.io 34.117.59.81, 443, 49719, 49720 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 14->78 80 2 other IPs or domains 14->80 60 C:\Users\user\...\WindowsDriverSetup.exe, PE32+ 14->60 dropped 62 C:\Users\user\AppData\...\places.sqlite_tmp, SQLite 14->62 dropped 64 C:\Users\user\AppData\...\cookies.sqlite_tmp, SQLite 14->64 dropped 66 7 other files (5 malicious) 14->66 dropped 82 Uses cmd line tools excessively to alter registry or file data 14->82 84 Overwrites Mozilla Firefox settings 14->84 86 Tries to harvest and steal browser information (history, passwords, etc) 14->86 19 cmd.exe 1 14->19         started        22 cmd.exe 14->22         started        24 cmd.exe 14->24         started        26 32 other processes 14->26 file7 signatures8 process9 dnsIp10 88 Suspicious powershell command line found 19->88 90 Uses schtasks.exe or at.exe to add and modify task schedules 19->90 29 WMIC.exe 1 19->29         started        32 conhost.exe 19->32         started        34 powershell.exe 22->34         started        36 conhost.exe 22->36         started        38 powershell.exe 24->38         started        40 conhost.exe 24->40         started        74 chrome.cloudflare-dns.com 172.64.41.3, 443, 49724, 49725 CLOUDFLARENETUS United States 26->74 42 cmd.exe 26->42         started        44 WMIC.exe 1 26->44         started        46 53 other processes 26->46 signatures11 process12 signatures13 92 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 29->92 94 Uses cmd line tools excessively to alter registry or file data 38->94 48 attrib.exe 38->48         started        50 schtasks.exe 42->50         started        process14
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/10c509006cf9328447712a70a0793952a1a6c6f3bdf994a482baa47e883f9e5b
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdcqsadm7eziir3rfjyka6jzkkq2nrxtxx4zjjecxksh5cb7tznq._file
Verdict:
unknown
Similar samples:
866ad0e1f44d12677e3cd565d47283d6229df46e23387c1ed482abe145ce080d
EpsilonStealer
90e7e0b24ef5cfae31312e39e5ac1cf13c23ffef9f7135f0fc6d44cc7da47195
EpsilonStealer
a5daea252e13d75a667b0e37b15c9616a0ddea034662eb10fb4e815cf795df20
EpsilonStealer
fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4
EpsilonStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231022-b2d8zsch3s/
Behaviour
Collects information from the system
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments