MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BanditStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b
SHA3-384 hash: 14a32b29c6e49967e087a1ff1bb5d6486049bf9fedb2702fe445a12c91eeb3a2b53d6893670352a985a5edfcb7c7d1e9
SHA1 hash: 436e83ce6882e798e5bb6d89a31913285886d3a2
MD5 hash: 2afcac7aaede32980c96fda99c8c8677
humanhash: alaska-october-don-india
File name:SecuriteInfo.com.Win64.PWSX-gen.23885.14599
Download: download sample
Signature BanditStealer
Create hunting rule
File size:4'865'024 bytes
First seen:2023-05-21 22:27:42 UTC
Last seen:2023-07-11 15:10:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:DbcuGWyADhhIab1bvece79p6T215vhx8ovhqg4zi4RWouv60FFS7W:0dyhhIaZNeZy2Lb8Uf4G4EoE6t
Threatray 95 similar samples on MalwareBazaar
TLSH T1C13633CE148F59F6F99B1F7D37B28DABA590F14A6058D9008E2949A3D27AB71133C0F1
TrID 55.2% (.EXE) UPX compressed Win64 Executable (70117/5/12)
21.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
13.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:BanditStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
UI721.bin
Verdict:
Malicious activity
Analysis date:
2023-05-21 18:58:57 UTC
Tags:
evasion loader ransomware opendir stealer rat redline lumma gcleaner amadey trojan fabookie arkei vidar lokibot remcos raccoon recordbreaker keylogger
Link:
https://app.any.run/tasks/f6a6cc23-4b97-49de-a580-6d175494a63d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.23885.14599.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Сreating synchronization primitives
Launching cmd.exe command interpreter
Creating a process with a hidden window
Reading critical registry keys
Creating a file
Running batch commands
Launching the process to interact with network services
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/646a9af37a1dd7820bf3d530/reports/c8ea5973-18f0-428d-9223-332f241dd015/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6de30d6-0855-43d1-a18f-5a55a007f236
Result
Threat name:
Bandit Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1239028
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Bandit Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 872019 Sample: SecuriteInfo.com.Win64.PWSX... Startdate: 22/05/2023 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Bandit Stealer 2->38 40 4 other signatures 2->40 8 SecuriteInfo.com.Win64.PWSX-gen.23885.14599.exe 15 2->8         started        process3 dnsIp4 26 api.telegram.org 149.154.167.220, 443, 49757 TELEGRAMRU United Kingdom 8->26 28 103.89.12.160, 49758, 8080 MIRAIMiraiCommunicationNetworkIncJP Philippines 8->28 30 ipinfo.io 8->30 42 May check the online IP address of the machine 8->42 44 Tries to steal Instant Messenger accounts or passwords 8->44 46 Tries to steal Mail credentials (via file / registry access) 8->46 48 Tries to harvest and steal ftp login credentials 8->48 12 curl.exe 1 8->12         started        16 systeminfo.exe 1 1 8->16         started        18 curl.exe 1 8->18         started        20 33 other processes 8->20 signatures5 process6 dnsIp7 32 ipinfo.io 34.117.59.81, 443, 49694, 49695 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 12->32 50 May check the online IP address of the machine 12->50 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->52 22 net.exe 1 20->22         started        signatures8 process9 process10 24 net1.exe 1 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b/
Threat name:
Win64.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-21 21:18:01 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dtlamuh2hzla3d34qdknawpgnhtejbv5hstnv3ks3d644fgqivnq._file
Verdict:
unknown
Similar samples:
00436433cbc20393854a4bbfd835fa66ba454a180db125241d029b8959bf2efa
BanditStealer
179a9cbd204f59591634d4289b4b9494a72d655021e06caf41b1e615df989b4c
BanditStealer
197e1ed153952290628d8d7df87f8574f58d7720c8f6a6b9b48f0f20b656b1fd
BanditStealer
6819aeef46bdb64eb7f72f5ba764c618808e83cd169e678923d6c0103e78b8fe
BanditStealer
7d2ef88de4820aae52a0062afc1dc0bcb93647254db69ced2a75304c5bef8d63
BanditStealer
b77dd1dbfede33d9a526773a528ce16e02617325db7ab4c82b9491409a284deb
BanditStealer
cd67dd1379ad01106eeaf5d06610ebd026c789967434a5b905dac82b3dc31ada
BanditStealer
dda918f09ec1d46c0ece122efce15ef8985857e0c9b372b9a67466f7700c6c70
BanditStealer
f0956c80448500aab24cddda90a8b602fd94653168e0eced89b661bcb2ec15b4
BanditStealer
f7e7a42f65bcf4a4adf1423839e783d4bcc203b83b964cdac321d232700b4bd4
BanditStealer
+ 85 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer upx
Link:
https://tria.ge/reports/230521-2dmtbscg27/
Behaviour
Gathers system information
GoLang User-Agent
Kills process with taskkill
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
623a5f4c57cf5b3feb6775508cd6492f89d55ce11f62e0b6fb1020fd730b2e8f
MD5 hash:
cf519389cbb5f3529bcb0123233f2200
SHA1 hash:
093ce454bc5aa3b92eb48d86c7129cb8be614c01
Link:
https://www.unpac.me/results/d5dff8fb-9b2d-4cd2-99a4-4d4593ba488f/
SH256 hash:
1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b
MD5 hash:
2afcac7aaede32980c96fda99c8c8677
SHA1 hash:
436e83ce6882e798e5bb6d89a31913285886d3a2
Link:
https://www.unpac.me/results/d5dff8fb-9b2d-4cd2-99a4-4d4593ba488f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BanditStealer

Executable exe 1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2638272/
  
Delivery method
Distributed via web download

Comments