MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c691a07932f78eb9ff5bf9bafddccdf0acd1faa899677662bcdd2cb0570b62d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	1c691a07932f78eb9ff5bf9bafddccdf0acd1faa899677662bcdd2cb0570b62d
SHA3-384 hash:	d96a8b7135e2360e131779e2e3bec76df0bbb3745b0d8d6e37dce813fe4801374c87adfdb8503148597547e71a6dd3c9
SHA1 hash:	3050e2d35e4a43df9d729a05edef52c82c144d41
MD5 hash:	3a8ea85074d43fc55999ce0857cc2b5d
humanhash:	five-dakota-london-bakerloo
File name:	3a8ea85074d43fc55999ce0857cc2b5d.exe
Download:	download sample
File size:	305'152 bytes
First seen:	2023-10-16 08:14:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	89b4938a013d6b8954f68c2ef1293c62 (10 x RedLineStealer, 4 x Amadey, 4 x LummaStealer)
ssdeep	6144:mZJsICnU9Q8iE+y3wWYLtfM3qfxgmSiFwCBdVx0DRqcL6+7oeH3CKdxQVGmPoJ:mjsICnb5M3qJTSiFwCBdcRqWmPoJ
Threatray	344 similar samples on MalwareBazaar
TLSH	T17654AFA672C04172DB768F356DA0DB1C5A4CFAF80A29D4A707CC47694B3C6C4CE17B6A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

262

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3a8ea85074d43fc55999ce0857cc2b5d.exe

Verdict:

Malicious activity

Analysis date:

2023-10-16 08:20:50 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/51acb23c-7b28-40a9-bf73-3ff7874f8d34

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/454744/

Detection(s):

Win.Trojan.Pwsx-10011270-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cerbu control greyware lolbin

Link:

https://www.filescan.io/uploads/652cf1085da218a42f50fd48/reports/6c22c304-25e6-4e12-8354-684e6be4096a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1c691a07932f78eb9ff5bf9bafddccdf0acd1faa899677662bcdd2cb0570b62d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2695c765-20f1-4d6f-b245-17efbbbc87f6

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1326267

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Found API chain indicative of debugger detection

High number of junk calls founds (likely related to sandbox DOS / API hammering)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1c691a07932f78eb9ff5bf9bafddccdf0acd1faa899677662bcdd2cb0570b62d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c691a07932f78eb9ff5bf9bafddccdf0acd1faa899677662bcdd2cb0570b62d/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-10-15 08:16:02 UTC

File Type:

PE (Exe)

AV detection:

20 of 35 (57.14%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=drurub4tf54oxh7vx6n27xom34fm2h5krglhozrlzxjmwblqwywq._file

Verdict:

malicious

1646b6d7c774d1e0dff2074733df10b97733cb3e0be6c3e5bcc667e866a2783c

347f0e9c3b75ed07fe583c1977aee33329700ab45f88d514f77672575a6162e7

3f61b1490dccdd36a2307b6376b6b682b988815bbd7ac5805315ff2f7f6aa649

4829c79709a464c0a10d17053c6916df5a0f1f500ebb10af230e35d548ea3265

5ccd3fc1613c48f85aad3fb1946ec858d17e42021e77a1cd681406b6b6b0b557

64263a4ed1a6432b06bc1729d818182081babbe97f02fd6f61f2d09e3e657dc0

7ee31d9861f8144887ba4516b71831a3991858a6815faa8fd2b643b0265e5c38

bbb535e87b6d2fde49c6b143af1a003b5670b422937c9dd0cf5424bd212dfc01

cfbd24a3ff45eb3d630bbe3fa9d8db4fc6c4e78da702a3e5f1aec08973b60c2a

+ 334 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/231016-j422tseg92/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

c359cad2d4b0cb214d0e84d78cc648637cb3f09e3ac774b97d1b50175752706e

MD5 hash:

2da2d4908005e48f676c9b1310aca54c

SHA1 hash:

964698d411f778c036fe13913e915d641b2908e8

Link:

https://www.unpac.me/results/6cb53c4f-ff9c-4974-bd20-953b78761508/

SH256 hash:

1c691a07932f78eb9ff5bf9bafddccdf0acd1faa899677662bcdd2cb0570b62d

MD5 hash:

3a8ea85074d43fc55999ce0857cc2b5d

SHA1 hash:

3050e2d35e4a43df9d729a05edef52c82c144d41

Link:

https://www.unpac.me/results/6cb53c4f-ff9c-4974-bd20-953b78761508/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1c691a07932f78eb9ff5bf9bafddccdf0acd1faa899677662bcdd2cb0570b62d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 1c691a07932f78eb9ff5bf9bafddccdf0acd1faa899677662bcdd2cb0570b62d

(this sample)

Cape

https://www.capesandbox.com/analysis/454744/

URLhaus

https://urlhaus.abuse.ch/url/2719349/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample