MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d42a976c5c433e8ae6b3ba1fe20bd87384731658797d1d81579e42aad7e0cee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d42a976c5c433e8ae6b3ba1fe20bd87384731658797d1d81579e42aad7e0cee
SHA3-384 hash: 9e85087ecced8c6b49bc0e0bb9161104a87d9827a065baf6d59fbe763fbcbe5c09fa1f29db4e076b95dcd5888d5d45e3
SHA1 hash: f3c1d0a11788b958a273e04c3aec46bdcd69327a
MD5 hash: 7168a99bf5513c19964eaa4e59d32d8f
humanhash: harry-robin-delta-moon
File name:MysteryMansion.exe
Download: download sample
File size:79'900'885 bytes
First seen:2024-06-19 08:25:47 UTC
Last seen:2024-06-19 09:33:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:cuoFopqeHGLtlwmWylzqFa3UDYZ07BYjqMtgHqnb+G51iPf:cunlHGLtVWy94aEDYS7BY2M8S+I1Uf
TLSH T1AA0833654FD458A0E6C4EA7BE36193F1E28E2568307B815FC89C34A9AFF85F7450D8B0
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
438
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1d42a976c5c433e8ae6b3ba1fe20bd87384731658797d1d81579e42aad7e0cee.exe
Verdict:
Malicious activity
Analysis date:
2024-06-19 08:27:03 UTC
Tags:
discordgrabber generic stealer discord
Link:
https://app.any.run/tasks/f97fbf04-498c-4ab0-8a62-80ff53b10819

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=667297870f8138dd4eaf4b25win7simulatehigh_evasion
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/6672961eef9fdf64aa6cbab4/reports/0166adb1-80c7-4be2-a58d-4f4357debe4c/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1d42a976c5c433e8ae6b3ba1fe20bd87384731658797d1d81579e42aad7e0cee
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
suspicious
Classification:
adwa.spyw
Score:
26 / 100
Link:
https://www.joesandbox.com/analysis/1459381
Signature
Drops large PE files
Drops PE files to the startup folder
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1459381 Sample: MysteryMansion.exe Startdate: 19/06/2024 Architecture: WINDOWS Score: 26 60 ptb.discord.com 2->60 62 hastebin.skyra.pw 2->62 64 2 other IPs or domains 2->64 8 MysteryMansion.exe 17 2->8         started        13 MysteryMansion.exe 12 206 2->13         started        15 MysteryMansion.exe 2->15         started        process3 dnsIp4 68 api.gofile.io 151.80.29.83, 443, 49747, 49751 OVHFR Italy 8->68 70 hastebin.skyra.pw 104.21.54.142, 443, 49746 CLOUDFLARENETUS United States 8->70 72 2 other IPs or domains 8->72 44 C:\Users\user\AppData\...\MysteryMansion.exe, PE32+ 8->44 dropped 46 C:\Users\user\AppData\Local\...\webdata.db, SQLite 8->46 dropped 48 C:\Users\user\AppData\Local\...\passwords.db, SQLite 8->48 dropped 56 3 other files (1 malicious) 8->56 dropped 74 Drops PE files to the startup folder 8->74 76 Tries to harvest and steal browser information (history, passwords, etc) 8->76 78 Drops large PE files 8->78 17 cmd.exe 8->17         started        19 MysteryMansion.exe 1 8->19         started        22 cmd.exe 1 8->22         started        24 4 other processes 8->24 50 C:\Users\user\AppData\...\MysteryMansion.exe, PE32+ 13->50 dropped 52 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 13->52 dropped 54 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 13->54 dropped 58 15 other files (none is malicious) 13->58 dropped file5 signatures6 process7 dnsIp8 26 cmd.exe 17->26         started        28 conhost.exe 17->28         started        66 chrome.cloudflare-dns.com 172.64.41.3, 443, 49743, 49744 CLOUDFLARENETUS United States 19->66 30 tasklist.exe 1 22->30         started        32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        36 conhost.exe 24->36         started        38 tasklist.exe 24->38         started        40 3 other processes 24->40 process9 process10 42 mshta.exe 26->42         started       
Score:
3%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/1d42a976c5c433e8ae6b3ba1fe20bd87384731658797d1d81579e42aad7e0cee
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dvbks5wfyqz6rltlhoq74if5q44eomlfq6l5dwavphscvll6btxa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/240619-kbvmqa1gnp/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1d42a976c5c433e8ae6b3ba1fe20bd87384731658797d1d81579e42aad7e0cee

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments