MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 152ef5fcd0278e127c3df415018857f3aed0a748160032356786815ccbe870d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TitanStealer

Vendor detections: 11

SHA256 hash: 152ef5fcd0278e127c3df415018857f3aed0a748160032356786815ccbe870d5
SHA3-384 hash: 0281d29ab88732c17d0c0777422f01aefb7022a9a8427e90834d3bc35dc28270b790b5a9a68df8c85a1da91b6123306d
SHA1 hash: 119f5b7da9e57bad8b618c660d21a91d06d1795c
MD5 hash: 1af2037acbabfe804a522a5c4dd5a4ce
humanhash: happy-mississippi-magnesium-robert
File name: 1af2037acbabfe804a522a5c4dd5a4ce.exe
Signature: TitanStealer
File size: 2'947'359 bytes
First seen: 2022-12-25 13:52:56 UTC
Last seen: 2022-12-25 15:31:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 227d8e180539434a4545745b2a33e7ca (2 x RedLineStealer, 2 x TitanStealer, 1 x ArkeiStealer)
ssdeep: 49152:Oh9mgBWyaSu1kD8oMgz1T9CecOU7m6RK3l3h:MWya3LgV9CdOU7Y
Threatray: 2'020 similar samples on MalwareBazaar
TLSH: T122D56D431ADF4E6ADDD17BF871C7231DA774ED30CF6A4B7AA50840364A433D8A91AB42
TrID: 30.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      12.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      9.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe TitanStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 205
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 152ef5fcd0278e127c3df415018857f3aed0a748160032356786815ccbe870d5
Verdict: Malicious activity
Analysis date: 2022-11-29 00:09:02 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour:
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Launching a process
Reading critical registry keys
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Sending an HTTP POST request
Unauthorized injection to a system process

Result
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: anti-debug overlay packed spyeye

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Titan Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Titan Stealer
Result
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-11-03 21:52:57 UTC
File Type: PE (Exe)
AV detection: 29 of 41 (70.73%)
Threat level: 5/5
Result
Malware family: titanstealer
Score: 10/10
Tags: family:titanstealer stealer
Behaviour:
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Titan Stealer
Malware Config
C2 Extraction: 77.73.133.88:5000
Unpacked files
SHA256 hash: 3d7b98cd629705350084e31235c1815e22def36e32b43c55a325b19d678dc826
MD5 hash: 862e60dab967c8c60af4615a219178ae
SHA1 hash: 549b7d15971ddff3da994afc4b319b5639228ddd

SHA256 hash: 29b83b5043ef26d4b5a8a9234a7d4ccfc8dd047c8d3bf90dba65d0c3c4b5963f
MD5 hash: 7af5afb66f87dd8a7672cc080a12c446
SHA1 hash: 8c230ccf24f13e0b7e7f34e933acbe6f6b3a767d

SHA256 hash: 152ef5fcd0278e127c3df415018857f3aed0a748160032356786815ccbe870d5
MD5 hash: 1af2037acbabfe804a522a5c4dd5a4ce
SHA1 hash: 119f5b7da9e57bad8b618c660d21a91d06d1795c
Please note that we are no longer able to provide a coverage score for Virus Total.
