Threat name:
LummaC, Djvu, Go Injector, LummaC Stealer
Alert
Classification:
rans.troj.adwa.spyw.evad.mine
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found strings related to Crypto-Mining
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries Google from non browser process on port 80
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Stop EventLog
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Djvu Ransomware
Yara detected Go Injector
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 1496361
Sample: 3QKcKCEzYP.exe
Startdate: 21/08/2024
Architecture: WINDOWS
Score: 100

Sample-level network contacts:
  service-domain.xyz
  api5.check-data.xyz
    signature: Performs DNS queries to domains with low reputation
  32 other IPs or domains

Sample-level signatures:
  Multi AV Scanner detection for domain / URL
  Suricata IDS alerts for network traffic
  Found malware configuration
  27 other signatures

Process tree (started processes, with dropped files, network contacts and signatures per process):

3QKcKCEzYP.exe (started)
  network:
    147.45.44.104 (ports 49719, 49720, 80), FREE-NET-ASFREEnetEU, Russian Federation
    147.45.47.57 (ports 49713, 80), FREE-NET-ASFREEnetEU, Russian Federation
    8 other IPs or domains
  dropped:
    C:\Users\...\zVS6xq86P4Kl0c26CfULXfv4.exe, PE32+
    C:\Users\...\yZBxqqQICO50PLfWYKwJeSL5.exe, PE32+
    C:\Users\...\r0bVQRH8Dto7infNi6DOB01w.exe, PE32
    9 other malicious files
  signatures:
    Overwrites code with unconditional jumps - possibly setting hooks in foreign process
    Drops PE files to the document folder of the user
    Creates HTML files with .exe extension (expired dropper behavior)
    3 other signatures
  started:
    r0bVQRH8Dto7infNi6DOB01w.exe
      dropped: C:\Users\user\AppData\Local\...\Install.exe, PE32
      signatures: Machine Learning detection for dropped file
      started:
        Install.exe
          dropped: C:\Users\user\AppData\Local\...\Install.exe, PE32
          signatures: Machine Learning detection for dropped file
          started:
            Install.exe
              signatures:
                Antivirus detection for dropped file
                Suspicious powershell command line found
                Machine Learning detection for dropped file
                2 other signatures
              started:
                cmd.exe
                  signatures:
                    Suspicious powershell command line found
                    Uses cmd line tools excessively to alter registry or file data
                    Modifies Windows Defender protection settings
                  started:
                    forfiles.exe
                      signatures: Modifies Windows Defender protection settings
                      started:
                        cmd.exe
                          signatures: Uses cmd line tools excessively to alter registry or file data
                          started: reg.exe
                    forfiles.exe
                      started:
                        cmd.exe
                          started: reg.exe
                    forfiles.exe
                      started:
                        cmd.exe
                          started: reg.exe
                    3 other processes
                      started:
                        cmd.exe
                          started: reg.exe
                        cmd.exe
                          signatures: Suspicious powershell command line found
                forfiles.exe
                  started:
                    cmd.exe
                      signatures: Suspicious powershell command line found
                      started:
                        powershell.exe
                          started: WMIC.exe
                    conhost.exe
                schtasks.exe
    zVS6xq86P4Kl0c26CfULXfv4.exe
      dropped: C:\ProgramData\...\erzljnhmzkuz.exe, PE32+
      signatures:
        Multi AV Scanner detection for dropped file
        Overwrites code with unconditional jumps - possibly setting hooks in foreign process
        Uses powercfg.exe to modify the power settings
        2 other signatures
      started:
        powercfg.exe
          signatures: Suspicious powershell command line found
          started: conhost.exe
        powercfg.exe
          started:
            powershell.exe
              started:
                gpupdate.exe
                  started: conhost.exe
                conhost.exe
            conhost.exe
        sc.exe
          started:
            conhost.exe
            Conhost.exe
        5 other processes
          started:
            conhost.exe
            conhost.exe
            3 other processes
    fOzLadrzZNRnwv2woTdiFoXM.exe
      signatures:
        Writes to foreign memory regions
        Allocates memory in foreign processes
        Injects a PE file into a foreign process
      started:
        MSBuild.exe
          network: 193.176.190.41, AGROSVITUA, unknown
    3 other processes
      dropped: C:\Users\user\AppData\Roaming\afasdfga.exe, PE32
      signatures:
        Contains functionality to inject code into remote processes
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Sample uses process hollowing technique
        LummaC encrypted strings found

erzljnhmzkuz.exe (started)
  dropped: C:\Windows\Temp\hbxzipnhyvsr.sys, PE32+
  signatures:
    Multi AV Scanner detection for dropped file
    Found strings related to Crypto-Mining
    Modifies the context of a thread in another process (thread injection)
    2 other signatures
  started:
    powercfg.exe
      started: conhost.exe
    powercfg.exe
      started: conhost.exe
    powercfg.exe
      started: conhost.exe