MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13664348e49c044bb4e93a342dbdc3ac8570ab9516e1389a4b38ed3f7f082fd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13664348e49c044bb4e93a342dbdc3ac8570ab9516e1389a4b38ed3f7f082fd6
SHA3-384 hash: 35e1b161524a1c8f64e8281ce3025eac7ffc9df1d7515ca32cc9a52141506956561bd4ff969612b32281c46e22300cfd
SHA1 hash: 9902b9f2c0a7204f34b12b08061a4c7b0a833815
MD5 hash: 4573a27f516b5afd4bc180ae623d3e84
humanhash: floor-paris-north-dakota
File name:4573a27f516b5afd4bc180ae623d3e84.exe
Download: download sample
File size:5'420'544 bytes
First seen:2023-01-19 15:36:15 UTC
Last seen:2023-01-19 17:39:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 47 x PureHVNC, 28 x RedLineStealer)
ssdeep 98304:DMQOuCspQCOjYK5tuUCcLCw8Hk6ReckJJvxc:45PCPZzRVSvxc
Threatray 2'876 similar samples on MalwareBazaar
TLSH T1BE46AEE326D1A69DC11EC0F9E220B46F9B8FB47A0A1EB293C865F3B5D913D507974B01
TrID 50.0% (.EXE) Generic Win/DOS Executable (2002/3)
49.9% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4573a27f516b5afd4bc180ae623d3e84.exe
Verdict:
Malicious activity
Analysis date:
2023-01-19 15:38:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a8e2b447-8b52-4f48-a80d-5c904e1121bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354633/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.12404.12561.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Launching a process
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c965acdeddc48f89f824be/reports/bd771da0-3c81-4ecd-b1a9-6608409d2c9f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe92de55-cbd7-4216-a285-3099d986aff4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1154818
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 787556 Sample: z6J6NaSKOM.exe Startdate: 19/01/2023 Architecture: WINDOWS Score: 88 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Machine Learning detection for sample 2->37 39 PE file contains section with special chars 2->39 7 z6J6NaSKOM.exe 4 2->7         started        11 WlndowsDraiver-Ver0.4.9.9.exe 2->11         started        process3 file4 29 C:\...\WlndowsDraiver-Ver0.4.9.9.exe, PE32+ 7->29 dropped 31 WlndowsDraiver-Ver...exe:Zone.Identifier, ASCII 7->31 dropped 41 Query firmware table information (likely to detect VMs) 7->41 43 Uses schtasks.exe or at.exe to add and modify task schedules 7->43 45 Hides threads from debuggers 7->45 13 icacls.exe 1 7->13         started        15 icacls.exe 1 7->15         started        17 schtasks.exe 1 7->17         started        19 icacls.exe 1 7->19         started        47 Antivirus detection for dropped file 11->47 49 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->49 signatures5 process6 process7 21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13664348e49c044bb4e93a342dbdc3ac8570ab9516e1389a4b38ed3f7f082fd6/
Threat name:
Win64.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2023-01-19 03:22:41 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cntegshetqcexnhjhi2c3podvscxbk4vc3qtrgslhdwt67yif7la._file
Verdict:
unknown
Similar samples:
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d
70a1aa57047f844284ddb6a4fc464b54c4bfaa2dd8d4aced800b197ffcee27cb
7f4b450947cbe4007402816a42e6281cd1f3d76ce090c547d5643d5b8f227d49
867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e
9312b4d7781abdf95059979001a1d7f63a6a927c93ae99c05f5460c78090f52f
965de9a48decafacbffec3e87e3585769025a114117f06d5cbaa1b02c5e11d18
9d5ebf928258a2e9da500459de8bd2f650ef10bef03929bc0863f6b9d24481d9
b6e4d99871249faefd2ed9dab5dd045d3d9ea13b4608262588eb157ddc312a68
d63c19155af0a329cd61cd832d7c4d2d5bbcb61067ea764283b664605979864f
+ 2'866 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion themida trojan
Link:
https://tria.ge/reports/230119-s2ggsadd41/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
13664348e49c044bb4e93a342dbdc3ac8570ab9516e1389a4b38ed3f7f082fd6
MD5 hash:
4573a27f516b5afd4bc180ae623d3e84
SHA1 hash:
9902b9f2c0a7204f34b12b08061a4c7b0a833815
Link:
https://www.unpac.me/results/c78d601b-9393-483c-80e8-6cdd527e9e43/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/13664348e49c044bb4e93a342dbdc3ac8570ab9516e1389a4b38ed3f7f082fd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 13664348e49c044bb4e93a342dbdc3ac8570ab9516e1389a4b38ed3f7f082fd6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2469977/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/354633/

Comments