MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cb25d3cc571376d8ede87286d774b307c92df8371b7a483e53383ae33443784. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cb25d3cc571376d8ede87286d774b307c92df8371b7a483e53383ae33443784
SHA3-384 hash: 8b90b15d5b9781b17a27d41489c0aa0292e97a0d6750f434f2b48685eccf144ec927ec579b4712fb6b22ac13cd3bb476
SHA1 hash: 7a67ac0b2001f589f0c097d81be2df6bb301bc93
MD5 hash: 46c35e18a9a02475ff02e9f2feaca0cf
humanhash: carolina-north-georgia-enemy
File name:Injector.exe
Download: download sample
File size:22'777'521 bytes
First seen:2021-11-02 09:25:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb9d0bbbbe276288f85180f1a72901a7 (1 x ErbiumStealer)
ssdeep 393216:CNE2JXPr/FJn5Pb393bZxlHOFGCEDmlh2pYG3in9Zzz2m1QPSf3:uRr/FNZb393bBHCEDUQpYjnLz2mt
Threatray 1'633 similar samples on MalwareBazaar
TLSH T12337334C64B2444FD95A8637152BCA220C72EC7ECF87920E58DE27876E93F5E9836C5C
File icon (PE):PE icon
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Injector.exe
Verdict:
No threats detected
Analysis date:
2021-11-02 09:32:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/21627273-ddec-4820-af50-196e54f198ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the %temp% subdirectories
Deleting a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6181042c9982ff7c3f7a81af/reports/f8db71ac-f3ae-41c0-aa22-0fd6df6e80c5/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/881121
Signature
Antivirus / Scanner detection for submitted sample
DLL reload attack detected
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 513552 Sample: Injector.exe Startdate: 02/11/2021 Architecture: WINDOWS Score: 92 35 Antivirus / Scanner detection for submitted sample 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 PE file contains section with special chars 2->39 7 Injector.exe 177 2->7         started        process3 file4 21 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 7->21 dropped 23 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 7->23 dropped 25 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 7->25 dropped 27 110 other files (none is malicious) 7->27 dropped 41 DLL reload attack detected 7->41 43 Query firmware table information (likely to detect VMs) 7->43 45 May check the online IP address of the machine 7->45 47 3 other signatures 7->47 11 Injector.exe 8 7->11         started        15 conhost.exe 7->15         started        signatures5 process6 dnsIp7 29 discord.com 162.159.138.232, 443, 49748 CLOUDFLARENETUS United States 11->29 31 api.ipify.org.herokudns.com 52.20.78.240, 443, 49747 AMAZON-AESUS United States 11->31 33 api.ipify.org 11->33 49 Query firmware table information (likely to detect VMs) 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 53 Hides threads from debuggers 11->53 55 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->55 17 cmd.exe 1 11->17         started        19 cmd.exe 1 11->19         started        signatures8 process9
Gathering data
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-02 09:26:06 UTC
AV detection:
7 of 45 (15.56%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1306e24bda80da1dacddc7c7d808502407cc8b29960d807aed0327050ba32be6
368d69f599577877c3dca1b45eae62a7da934b832dc2f3b5dfcf18a99f3600be
5940f101c2313af56b4a56a059c9bc99db6384c9d5b2c78d214dcbb4925da303
68706f1c7fd143b8b87788aff9018f8c6314d4215683402e2648d2f3b769eab4
8f5b300680db95b545347229941acb9113690ab187cd7ac7b2cc601b9e31a205
939d7f86c86ecf9d15114b335bee3c8e760f743b62cba3cb2b8afacb5fbab1a6
9debd5d7a5f7cf87a37d1f1432878baa0ac7cf6ecca5b4bfdcfa1163f07a6953
b464b774eb8a0f033ded0b5d0765f526cfbb4c38452c13e096f03dc7c8025094
decd15e2e48ecd6ad7fedaae8e9233c2a8594cd39fd32a2cb12c0fdaba7a1af6
+ 1'623 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/211102-ld69zahben/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/1cb25d3cc571376d8ede87286d774b307c92df8371b7a483e53383ae33443784

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments