MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16e6a84d1a906671106d1f02336675820c4b1d91fdf85bca031cb84eda80237d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	16e6a84d1a906671106d1f02336675820c4b1d91fdf85bca031cb84eda80237d
SHA3-384 hash:	70023bdaee75c414ae84635fbd526401e0f0bccccd8c6792a49457724b28cd8ea6d1c76256dcf19034f90c1310a7da7a
SHA1 hash:	b75f65c06554f3818727fde2750f4b89f8ab7abb
MD5 hash:	0f2d69788bde79f421b28aa455758b18
humanhash:	mexico-seven-hotel-victor
File name:	file
Download:	download sample
File size:	4'587'647 bytes
First seen:	2022-10-19 12:08:07 UTC
Last seen:	2022-10-19 16:09:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep	49152:QYG9xlq/6NyhI5R23Z/gQj4+uGDGk7wQYan5ElNtGQnlQPB/n01P:PwU/vPTrLEVG8lQG
Threatray	34 similar samples on MalwareBazaar
TLSH	T13E260747F89585F5C0AED130CA669262BB713C891B3063D33B51B3B82B73BE46A79354
gimphash	18fc3a8d15ce05ed74941fd9a713ddb90fada7efc67dea45c1030357fbdb4f4a
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	andretavare5
Tags:	exe

andretavare5

Sample downloaded from https://vk.com/doc32384019_646081847?hash=BQQnI5uu6520w9ufkkc8X2Vk6dFrf7xLOZzzRtR6jeL&dl=GMZDGOBUGAYTS:1666179542:7szgzXZlB87YO3jQasxZazKTEh86q216fqa8bZMZdS8&api=1&no_preview=1#new1/5

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-10-19 12:09:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3337f9ac-feda-4eed-8f90-0c3173a94ead

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321689/

Detection(s):

SecuriteInfo.com.Variant.Semper.Agent.4.19357.14435.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Running batch commands

Creating a file in the system32 subdirectories

Creating a file

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/43817/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm golang greyware overlay

Link:

https://www.filescan.io/uploads/634fe8e0898b0652a4b8f8e7/reports/de65f663-3421-4459-b2df-dec8f39ed75c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Kraken

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f2cd0a41-d7d5-4234-ad57-3135be4f8910

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1093441

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16e6a84d1a906671106d1f02336675820c4b1d91fdf85bca031cb84eda80237d/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-19 16:23:06 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 41 (46.34%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c3tkqti2sbthcednd4bdgztvqigewhmr7x4fxsqdds4e5wuaen6q._file

Verdict:

malicious

0f9b30402f73d225631915acc66cfd6fa860e4050aa7db8e24b111dcb407dc35

3d9ebf871e9ada91551158af5078da769ca8bea4014afcd75472deb0d4beb538

3f654cc740b18a83fdb840f27cf46f7c8299f51a9a2a6b97b9583ca9e9d9ca5f

4883c8f935d8c8397ffb003f72e4e515501820ebd37ca079c478ba5b7ed7b3d4

5782a7d3cf791a0be9d8e994520618d4299a51ca032ff1a549646713193a1ecf

5e98a67c09e5c975e6d6a86235294386b829ba1df7d1436a9abc9db35f224b5b

8a05e6ef4f863b73ec09200c5a19c68e5107bfc0de895ca22ecf1018ea9d4c89

90174f6ac821b5dbe916b4c320e3515f382606a511d800d35c1122da4cf08418

acb1d8fdde1f261d7c8c625ae0aab48232bea861532bb66657dda02e1a209d0e

+ 24 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/221019-pbfk1sgafm/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads user/profile data of web browsers

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b9d5b8b8-2505-430a-96ad-36d23560eb31

Unpacked files

SH256 hash:

16e6a84d1a906671106d1f02336675820c4b1d91fdf85bca031cb84eda80237d

MD5 hash:

0f2d69788bde79f421b28aa455758b18

SHA1 hash:

b75f65c06554f3818727fde2750f4b89f8ab7abb

Link:

https://www.unpac.me/results/b866f930-8c93-406c-9c73-83340b1b9a96/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/16e6a84d1a906671106d1f02336675820c4b1d91fdf85bca031cb84eda80237d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	methodology_golang_build_strings Create hunting rule
Author:	smiller
Description:	Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/321689/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample