MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3
SHA3-384 hash: 9e9210426cfaea46d975836c40b4221daf0de4e4047edba958b0f6c796ad13b0d0abb31c537ce4a250651890a14b28a8
SHA1 hash: 59d3e7bd118a34918e3a39d5a680ff75568482bb
MD5 hash: 77ecafee1b0ba32bd4e3b90b6d92a81f
humanhash: speaker-mirror-don-london
File name:SecuriteInfo.com.Trojan.Inject5.7186.14643.24760
Download: download sample
File size:3'450'368 bytes
First seen:2024-08-16 17:14:54 UTC
Last seen:2025-03-05 08:21:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0189345388451634260fa99de205c9c8
ssdeep 49152:ZfZDFDHgbjZ766knm3Y3ykj+B8lleKkqI5l+/pDktLE1wGZdcjnGnbPfnzR:npHgbJcmI3t08l3NKM/Sk9rcjnGnb3n
TLSH T189F533C7A51044E2D799A8707D53BFD04A91BBFA295E921FE6CEB93B1832ED20C4510F
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 686c74fcc2e8e4e0 (1 x RedLineStealer, 1 x ArkeiStealer, 1 x CoinMiner)
Reporter SecuriteInfoCom
Tags:185-215-113-209 exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
375
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://github.com/evan9908/Setup/raw/main/222.exe
Verdict:
Malicious activity
Analysis date:
2024-08-11 19:18:29 UTC
Tags:
pastebin github discord stealer adware neoreklami
Link:
https://app.any.run/tasks/b4307422-c5fd-4424-97b8-13aa176636b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject5.7186.14643.24760.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66bf8929aa5b40be0aa04d0e
Tags:
Execution Generic Network Malware
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug lolbin mingw packed packed shell32 upx
Link:
https://www.filescan.io/uploads/66bf892232f6d05ff3ce43e4/reports/5dbea4e4-021b-4b8c-bc68-39f923077907/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/14d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a691b02a-d0e7-4b00-9f0c-4772ad5bab08
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1493650
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Forfiles.EXE Child Process Masquerading
Sigma detected: Suspicious Creation TXT File in User Desktop
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1493650 Sample: tzNWgjf4MQ Startdate: 16/08/2024 Architecture: WINDOWS Score: 100 97 infinititechmac.com 2->97 103 Multi AV Scanner detection for submitted file 2->103 105 Sample uses string decryption to hide its real strings 2->105 107 Machine Learning detection for sample 2->107 109 5 other signatures 2->109 12 tzNWgjf4MQ.exe 18 2->12         started        signatures3 process4 dnsIp5 101 infinititechmac.com 103.191.208.92, 443, 49894 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 12->101 89 C:\ProgramData\Microsoft\Windows\...\cmd.exe, PE32 12->89 dropped 91 C:\ProgramData\Microsoft\...\forfiles.exe, PE32+ 12->91 dropped 133 Detected unpacking (changes PE section rights) 12->133 135 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->135 137 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->137 17 forfiles.exe 1 12->17         started        file6 signatures7 process8 process9 19 cmd.exe 1 17->19         started        22 cmd.exe 17->22         started        24 cmd.exe 17->24         started        26 conhost.exe 17->26         started        signatures10 111 Multi AV Scanner detection for dropped file 19->111 113 Machine Learning detection for dropped file 19->113 115 Writes to foreign memory regions 19->115 28 AppLaunch.exe 1 19->28         started        31 WerFault.exe 21 16 19->31         started        117 Allocates memory in foreign processes 22->117 119 Sample uses process hollowing technique 22->119 121 Injects a PE file into a foreign processes 22->121 33 AppLaunch.exe 22->33         started        35 AppLaunch.exe 22->35         started        37 WerFault.exe 22->37         started        39 AppLaunch.exe 24->39         started        process11 signatures12 129 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->129 131 Injects a PE file into a foreign processes 28->131 41 AppLaunch.exe 18 3 28->41         started        44 WerFault.exe 20 16 28->44         started        46 conhost.exe 28->46         started        48 WerFault.exe 28->48         started        50 AppLaunch.exe 33->50         started        53 conhost.exe 33->53         started        55 WerFault.exe 33->55         started        57 WerFault.exe 33->57         started        59 conhost.exe 39->59         started        process13 dnsIp14 123 Creates an undocumented autostart registry key 41->123 125 Creates multiple autostart registry keys 41->125 127 Creates an autostart registry key pointing to binary in C:\Windows 41->127 61 cmd.exe 2 41->61         started        65 cmd.exe 41->65         started        67 cmd.exe 1 41->67         started        69 5 other processes 41->69 99 127.0.0.1 unknown unknown 50->99 signatures15 process16 file17 93 C:\Users\user\Desktop\info-0v92.txt, JSON 61->93 dropped 139 Uses cmd line tools excessively to alter registry or file data 61->139 71 conhost.exe 61->71         started        83 2 other processes 61->83 95 C:\Users\Public\Desktop\info-0v92.txt, JSON 65->95 dropped 73 conhost.exe 65->73         started        85 2 other processes 65->85 75 conhost.exe 67->75         started        77 attrib.exe 67->77         started        79 attrib.exe 67->79         started        81 conhost.exe 69->81         started        87 9 other processes 69->87 signatures18 process19
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/14d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-08-11 22:45:53 UTC
File Type:
PE+ (Exe)
Extracted files:
11
AV detection:
21 of 38 (55.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ctmmg352wiwjk5sbnhuq4smf7efbogzadozanplovcedwsjaqprq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/240816-vsktyswhke/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks for VirtualBox DLLs, possible anti-VM trick
Looks for VMWare Tools registry key
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2bbd2f35-9057-4d68-8d7a-b043d544b3c0
Unpacked files
SH256 hash:
14d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3
MD5 hash:
77ecafee1b0ba32bd4e3b90b6d92a81f
SHA1 hash:
59d3e7bd118a34918e3a39d5a680ff75568482bb
Link:
https://www.unpac.me/results/9c21100d-bae3-4afc-8ed0-2b663583866f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/14d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 14d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3110400/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3110411/
  
URLhaus
https://urlhaus.abuse.ch/url/3110426/

Comments