MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10da02d97bac2bd149bd1f3937a4739d8193e93b6142d888f528e4c5fa2b426b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



EpsilonStealer


Vendor detections: 8



SHA256 hash: 10da02d97bac2bd149bd1f3937a4739d8193e93b6142d888f528e4c5fa2b426b
SHA3-384 hash: 8446265a0d80f75512dce9f0ed272c2cb7ec55c334a1e3d6705989b62b97c5e51d0e64ce01fee814a7beb4cca53b4455
SHA1 hash: dbd9c15b7b075fef592a026d52e470b21676088f
MD5 hash: 3ff2891689592e9662fab1e4442c0273
humanhash: eighteen-pip-princess-alpha
File name: 10da02d97bac2bd149bd1f3937a4739d8193e93b6142d888f528e4c5fa2b426b.exe
Download: download sample
Signature: EpsilonStealer
File size: 68'432'889 bytes
First seen: 2023-11-07 17:57:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep: 1572864:y4/4rzOchPm8RHgqvM9m4Gqh8/CR3lTEBmIweuRr9J6chs7:xkqcdTRAUMgmWaRVEBmIwR96chs7
Threatray: 43 similar samples on MalwareBazaar
TLSH: T120E733306B270BAFCDA29BFE1739989BF40BA5D1FA287743D81D381A1C5164E2B715C4
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): [icon image]
dhash icon: 98e5676565a5a198 (20 x EpsilonStealer, 2 x NovaSentinel, 1 x LummaStealer)
Reporter: Anonymous
Tags: 888Rat EpsilonStealer exe RAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 399
Origin country: CH
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Searching for synchronization primitives
Unauthorized injection to a recently created process
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Result
Threat name: n/a
Detection: malicious
Classification: phis.adwa.spyw.evad
Score: 68 / 100
Signature
Drops PE files to the startup folder
Overwrites Mozilla Firefox settings
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (reconstructed from the graph rendering):
Behavior Graph ID: 1338431
Sample: OH8FRaSl51.exe
Start date: 07/11/2023
Architecture: WINDOWS
Score: 68

Network contacts from the start node: transfer.sh, raw.githubusercontent.com, 4 other IPs or domains

Process tree:
OH8FRaSl51.exe (started)
  Dropped: C:\Users\user\AppData\Local\Temp\...\888.exe (PE32+)
           C:\Users\user\AppData\Local\...\nsis7z.dll (PE32)
           C:\Users\user\AppData\Local\...\System.dll (PE32)
           18 other files (none is malicious)
  888.exe (started)
    Contacts: api.gofile.io 51.178.66.33, 443, 49748, 49753 (OVHFR, France)
              github.com 20.29.134.23, 443, 49746 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
              3 other IPs or domains
    Dropped: C:\Users\user\AppData\...\places.sqlite_tmp (SQLite)
             C:\Users\user\AppData\...\cookies.sqlite_tmp (SQLite)
             C:\Users\user\AppData\Local\...\Web Data_tmp (SQLite)
             7 other files (3 malicious)
    Signatures: Uses cmd line tools excessively to alter registry or file data
                Overwrites Mozilla Firefox settings
                Drops PE files to the startup folder
                Tries to harvest and steal browser information (history, passwords, etc)
    cmd.exe (started)
      Signatures: Suspicious powershell command line found
                  Uses cmd line tools excessively to alter registry or file data
                  Uses schtasks.exe or at.exe to add and modify task schedules
      WMIC.exe (started)
        Signatures: Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
      conhost.exe (started)
    cmd.exe (started)
      powershell.exe (started)
      conhost.exe (started)
    cmd.exe (started)
      conhost.exe (started)
        Conhost.exe (started)
      powershell.exe (started)
    37 other processes
      Contacts: chrome.cloudflare-dns.com 162.159.61.3, 443, 49743, 49744 (CLOUDFLARENETUS, United States)
      powershell.exe (started)
        Signatures: Uses cmd line tools excessively to alter registry or file data
        attrib.exe (started)
      cmd.exe (started)
        schtasks.exe (started)
      63 other processes
Result
Malware family: n/a
Score: 8/10
Tags: evasion persistence
Behaviour
Collects information from the system
Creates scheduled task(s)
Detects videocard installed
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Disables Task Manager via registry modification
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments