MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 163b127ca6dd39ad16f01e2afeef52e574f315f0b842b57424d36571c5cee139. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 163b127ca6dd39ad16f01e2afeef52e574f315f0b842b57424d36571c5cee139
SHA3-384 hash: 2a41199479f116b0f515269fd25d28ac48c190991cb2225c1ce70df0d5c5e62f63d389a174b128aaffaf7827996cc8ff
SHA1 hash: 33ad114d37baa33444a01b2b10c3278b3e2f44bf
MD5 hash: d39d554fe5e06ab25bf0540ace9e902b
humanhash: paris-lactose-happy-december
File name:file
Download: download sample
File size:80'384 bytes
First seen:2022-08-28 16:00:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dff0364386fc5652a25ea1f2b62603e6
ssdeep 1536:CxHxtWxSgcK9JMM62hXkvMtMDfDjB8dC2ibM3Bvd2csWfcde60FJPeED:IfASbK9JMMxftMDfDjyI2pB12fe6KJGG
Threatray 13'928 similar samples on MalwareBazaar
TLSH T1DD735A13B9D28471E4B619324874D9B14A3FFD210F65DDAB2788173E4F700D1AA3AE6B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://yesilyasam.eu/Tema/file.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Crack.zip
Verdict:
Malicious activity
Analysis date:
2022-07-25 19:39:20 UTC
Tags:
trojan rat redline evasion loader
Link:
https://app.any.run/tasks/40e964b9-ef7a-4ae7-9113-0c92c989f2a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301884/
Detection(s):
Win.Malware.Zusy-9955823-0
Create hunting rule

Win.Downloader.Zusy-9955824-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Creating a window
Adding an access-denied ACE
Searching for the window
Reading critical registry keys
Creating a file in the system32 subdirectories
Sending an HTTP POST request
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a browser process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30545/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/630b918a095b251adf6c1ee2/reports/76208388-1f86-4aec-99ee-79266bea4b58/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2ca6c24-6f41-481b-a6d6-ce9f5aefd6c7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1059321
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Drops PE files to the startup folder
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 691838 Sample: file.exe Startdate: 28/08/2022 Architecture: WINDOWS Score: 100 83 Antivirus detection for URL or domain 2->83 85 Antivirus detection for dropped file 2->85 87 Antivirus / Scanner detection for submitted sample 2->87 89 8 other signatures 2->89 8 file.exe 19 2->8         started        13 ISXXzQaTraqYr2mB.exe 2->13         started        process3 dnsIp4 63 yesilyasam.eu 185.175.200.64, 443, 49755, 49756 ASTRALUSNL Netherlands 8->63 65 192.168.2.1 unknown unknown 8->65 49 C:\Users\user\AppData\Roaming\00004823..exe, PE32 8->49 dropped 51 C:\Users\user\AppData\Roaming\00000029..exe, PE32 8->51 dropped 53 C:\Users\user\AppData\Local\...\fw4[1].exe, PE32 8->53 dropped 55 C:\Users\user\AppData\Local\...\fw3[1].exe, PE32 8->55 dropped 91 Self deletion via cmd or bat file 8->91 15 00004823..exe 1 8->15         started        19 00000029..exe 15 11 8->19         started        22 cmd.exe 1 8->22         started        93 Writes to foreign memory regions 13->93 95 Allocates memory in foreign processes 13->95 97 Creates a thread in another existing process (thread injection) 13->97 99 Injects a PE file into a foreign processes 13->99 24 NzNjrhGecIsdcOQdYXrzm.exe 13->24 injected 26 NzNjrhGecIsdcOQdYXrzm.exe 13->26 injected 28 NzNjrhGecIsdcOQdYXrzm.exe 13->28 injected file5 signatures6 process7 dnsIp8 57 C:\Users\user\...\ISXXzQaTraqYr2mB.exe, PE32 15->57 dropped 67 Antivirus detection for dropped file 15->67 69 Multi AV Scanner detection for dropped file 15->69 71 Found evasive API chain (may stop execution after checking mutex) 15->71 81 7 other signatures 15->81 30 NzNjrhGecIsdcOQdYXrzm.exe 15->30 injected 32 NzNjrhGecIsdcOQdYXrzm.exe 15->32 injected 34 NzNjrhGecIsdcOQdYXrzm.exe 15->34 injected 43 5 other processes 15->43 59 87.251.77.179, 49768, 80 HOSTKEY-ASNL Russian Federation 19->59 73 Machine Learning detection for dropped file 19->73 75 Tries to harvest and steal browser information (history, passwords, etc) 19->75 77 Tries to steal Crypto Currency Wallets 19->77 36 cmd.exe 1 19->36         started        79 Uses ping.exe to check the status of other devices and networks 22->79 38 PING.EXE 1 22->38         started        41 conhost.exe 22->41         started        file9 signatures10 process11 dnsIp12 45 conhost.exe 36->45         started        47 timeout.exe 1 36->47         started        61 127.0.0.1 unknown unknown 38->61 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/163b127ca6dd39ad16f01e2afeef52e574f315f0b842b57424d36571c5cee139/
Threat name:
Win32.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2022-07-07 13:07:43 UTC
File Type:
PE (Exe)
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cy5re7fg3u422fxqdyvp532s4v2pgfpqxbblk5be2nsxdroo4e4q._file
Verdict:
malicious
Similar samples:
0d5b29148871620c11ceb9d8e710d964e63c38185c0c0cae63d55287619423bd
11a161f3413da2cb192c2146d7d0ac592efa3d8fda9eaf64b59e03a2707671f3
20da317121146505720e1df1fdcc539b2b25c3801c4dd0fc21c89bf6129f0a33
3e3cae5883fb1aa3b277cdc2f030267828f9635830d77208a7bed268e3291bea
58471946c593e0d10006f978acd9327ca7d94f0dbbe775492bdf141bba5a70ce
9dfc2b987cfac7d4b2dc842bef5d9680724a0d8a65bef2ef175ad2e5672e429b
+ 13'918 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220828-tf7mhscfc2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
163b127ca6dd39ad16f01e2afeef52e574f315f0b842b57424d36571c5cee139
MD5 hash:
d39d554fe5e06ab25bf0540ace9e902b
SHA1 hash:
33ad114d37baa33444a01b2b10c3278b3e2f44bf
Link:
https://www.unpac.me/results/cd400001-c6ca-4ef8-9880-be06546c758f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/163b127ca6dd39ad16f01e2afeef52e574f315f0b842b57424d36571c5cee139

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/301884/
  
URLhaus
https://urlhaus.abuse.ch/url/2282304/

Comments