MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a424c25c13280bf50c3c85c1f58c6210eedf94135424f240bbcf08c63b922e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a424c25c13280bf50c3c85c1f58c6210eedf94135424f240bbcf08c63b922e1
SHA3-384 hash: 42c6af1f3adbc7c82c688540baa8c70b0b01a17ef8761e08ab69cc0e70940decd213bc99b763dc22cb1d2b3c2f8c0dd0
SHA1 hash: 5e416707fbd871622e7fc40c389a6181e8be1aeb
MD5 hash: 20d91e228097bebc548810a2f004e1e6
humanhash: yellow-oregon-five-spring
File name:FlappyBird.zip
Download: download sample
File size:26'202'683 bytes
First seen:2023-04-27 08:32:54 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 393216:jZcrWGs7oa2l/Op/g+KmU5PCngdsGj5nEgGElbq82knGnqTyxtWwuIM61xZUb5aq:aSqJuU5ndsuEgplb1GCJUxogf4uc
TLSH T1D64733D1E02C1FA302E1B5954254069513777ADC32F8BF6BFB9F12621BC52B9983F60A
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter iamdeadlyz
Tags:FakeFlappyBird W4SPstealer zip


Avatar
Iamdeadlyz
From github.com/RyanJLord/FlappyBird/ (fake P2E Flappy Bird game)
W4SP Stealer uploads to gofile and notifies malicious actor/s using a Discord webhook to guild ID: 1100241905750646915 and channel ID: 1100241905750646918

Intelligence

File Origin
# of uploads :
1
# of downloads :
668
Origin country :
SG SG
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:FlappyBird.exe
File size:27'848'825 bytes
SHA256 hash: d2803b97a3cdb1787df9e3bd60818968fecb86bf7eb48bfa51e0757f055b95e4
MD5 hash: 3d3c3464bf2fc5ea569fbddc652f01ad
MIME type:application/x-dosexec
Vendor Threat Intelligence
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/1a424c25c13280bf50c3c85c1f58c6210eedf94135424f240bbcf08c63b922e1/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/644a33408615b5d32a5368bd/reports/d4ab640a-71d9-45b0-9965-359c8e5b8fa4/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1a424c25c13280bf50c3c85c1f58c6210eedf94135424f240bbcf08c63b922e1
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1a424c25c13280bf50c3c85c1f58c6210eedf94135424f240bbcf08c63b922e1
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=djbeyjobgkal6ugdzbob6wggeeho36kbgvbe6jalxtyiyy5zelqq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/230427-lzg7zagh3z/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Detects Pyinstaller
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a424c25c13280bf50c3c85c1f58c6210eedf94135424f240bbcf08c63b922e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zip 1a424c25c13280bf50c3c85c1f58c6210eedf94135424f240bbcf08c63b922e1

(this sample)

Executable exe d2803b97a3cdb1787df9e3bd60818968fecb86bf7eb48bfa51e0757f055b95e4

  
Dropping
SHA256 d2803b97a3cdb1787df9e3bd60818968fecb86bf7eb48bfa51e0757f055b95e4
  
Delivery method
Distributed via web download

Comments