MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b1f6c7839220249660ca0634c826f2695ae527f6900938b290b910f2a6e4f64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b1f6c7839220249660ca0634c826f2695ae527f6900938b290b910f2a6e4f64
SHA3-384 hash: 50731c287ccf959ca1be18ca5946035304849ff40e8ba0328afc7ece21d0b66c392e31df242792db7f1454847b51af57
SHA1 hash: a9416dbb20e7cdb01b4230510bdb868d76f98600
MD5 hash: 8a0246ce242ad77fd8f06a1952bc45ab
humanhash: equal-cup-island-stairway
File name:SecuriteInfo.com.Artemis8A0246CE242A.22805.29881
Download: download sample
File size:13'162'412 bytes
First seen:2022-01-24 18:26:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d170e2e5adcfc4c271f2eb78a565305e (1 x Heodo, 1 x Meterpreter)
ssdeep 393216:5sPg3GH6Yk3CEDiH2ciIrHWmpf670PUsC:5RGHf6CEDikILVpf6oPU
Threatray 75 similar samples on MalwareBazaar
TLSH T114D63319B91515D3DAB211388C23C239C926FD361B21C16B49E870A7EEAB6FD6C37F50
File icon (PE):PE icon
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cdn.discordapp.com/attachments/923619112809275422/931268606724014120/client.exe
Verdict:
Malicious activity
Analysis date:
2022-01-17 03:28:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1a4953d2-c51a-4541-b87e-a35d3daab7a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis8A0246CE242A.22805.29881.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe expand.exe greyware overlay packed python
Link:
https://www.filescan.io/uploads/61eeef80d32385db632986c1/reports/d9b1362e-24fe-432a-8b8d-b7e85f3a550e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46801518-6712-477f-b6f0-128f66319014
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/926543
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 559021 Sample: SecuriteInfo.com.Artemis8A0... Startdate: 24/01/2022 Architecture: WINDOWS Score: 48 32 Multi AV Scanner detection for submitted file 2->32 8 SecuriteInfo.com.Artemis8A0246CE242A.22805.exe 161 2->8         started        process3 file4 22 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 8->22 dropped 24 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 8->24 dropped 26 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 8->26 dropped 28 63 other files (none is malicious) 8->28 dropped 11 SecuriteInfo.com.Artemis8A0246CE242A.22805.exe 1 8->11         started        14 conhost.exe 8->14         started        process5 dnsIp6 30 127.0.0.1 unknown unknown 11->30 16 cmd.exe 1 11->16         started        18 cmd.exe 1 11->18         started        process7 process8 20 reg.exe 1 16->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b1f6c7839220249660ca0634c826f2695ae527f6900938b290b910f2a6e4f64/
Threat name:
Win64.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-20 20:37:53 UTC
File Type:
PE+ (Exe)
Extracted files:
727
AV detection:
13 of 43 (30.23%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
053e7603d2776f39c17d74cd5a095d2fa4727ce019cb91274c135be4b9732358
089b3975338c69d1c8ae96cec13328459e8208c7cf9c88ce98896b90697c140b
1a9d8e0f73b132cec42a383b06fc86cc73e451a653ef93a693e6738321648539
1cb25d3cc571376d8ede87286d774b307c92df8371b7a483e53383ae33443784
3e0ad711c5a1bfe4792854e2fa8db745fb29e0e9d1cb6374b6d9fbfb0fa9c57d
3f09f8df1e94e9588e4f9584e4d97eae73bf6e7375c92751cbb1f7e9647242d3
684aa3d044556d1883bed06b737a297eac301d14872e1813b0e5cd78cefaa95d
774c3c82a6ba75819070cca4d14f0df9329ebfe5b4dbb2e61423f95281ae7e6d
81ac71909750b1ba2225c173ea99f56d6e237aeb70b45212ac757e265c25ea6f
+ 65 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/220124-w3r7fshbdj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
1b1f6c7839220249660ca0634c826f2695ae527f6900938b290b910f2a6e4f64
MD5 hash:
8a0246ce242ad77fd8f06a1952bc45ab
SHA1 hash:
a9416dbb20e7cdb01b4230510bdb868d76f98600
Link:
https://www.unpac.me/results/320c96f8-d695-4c57-8438-692748653881/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b1f6c7839220249660ca0634c826f2695ae527f6900938b290b910f2a6e4f64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1b1f6c7839220249660ca0634c826f2695ae527f6900938b290b910f2a6e4f64

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2002684/
  
Delivery method
Distributed via web download

Comments