MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f75823631e70c74d3c906e6e51bd24d6e109729a8dc703aa712e8174e208330. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



EpsilonStealer


Vendor detections: 8



SHA256 hash: 1f75823631e70c74d3c906e6e51bd24d6e109729a8dc703aa712e8174e208330
SHA3-384 hash: 6c131ccd74ab07117373c1486c021cc4815947ae4ac1569c1661a350894de685121c9dd35f8454e22fc91d0641efaf81
SHA1 hash: bd43488646ad1aa544e3ccc8bbe3c334918dbf46
MD5 hash: fd4dbfa9eedeb18ec739a5f20efdcbd0
humanhash: kentucky-nine-zebra-nebraska
File name: PlanetsTherapy.exe
Signature: EpsilonStealer
File size: 74'793'161 bytes
First seen: 2024-01-13 21:58:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep: 1572864:L4/4rzOchPPuF5mAXJP4adwv4Xn4Rkb6n7IFWEOUuqPf7JPV277:0kqcdPQcAd4d4oRkmn7IFqDqPTS77
Threatray: 114 similar samples on MalwareBazaar
TLSH: T18EF7332A1F8D08F7D864D7F1B4B9064B6A48A100B572D663AC6F567D32CCE1E6D23F84
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 98e5676565a5a198 (20 x EpsilonStealer, 2 x NovaSentinel, 1 x LummaStealer)
Reporter: beansoup
Tags: discord electron EpsilonStealer exe PlanetsTherapy

Intelligence


File Origin
# of uploads: 1
# of downloads: 558
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
DNS request
Sending a custom TCP request
Launching many processes
Verdict: Suspicious
Threat level: 5/10
Confidence: 78%
Tags: control installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Result
Threat name: n/a
Detection: suspicious
Classification: adwa
Score: 28 / 100
Signature
Drops PE files to the startup folder
Behaviour
Behavior Graph (ID: 1374322; Sample: PlanetsTherapy.exe; Startdate: 13/01/2024; Architecture: WINDOWS; Score: 28), process tree and contacts recovered from the graph labels:
  Root network contacts: www.google.com; www.facebook.com; 5 other IPs or domains
  PlanetsTherapy.exe (started)
    dropped: C:\Users\user\AppData\...\PlanetsTherapy.exe, PE32+
    dropped: C:\Users\user\AppData\Local\...\nsis7z.dll, PE32
    dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
    dropped: 14 other files (none is malicious)
    PlanetsTherapy.exe (started)
      network: api.gofile.io 151.80.29.83, 443, 49750 OVHFR Italy
      network: transfer.sh 144.76.136.153, 443, 49751 HETZNER-ASDE Germany
      network: 3 other IPs or domains
      dropped: C:\Users\user\AppData\...\PlanetsTherapy.exe, PE32
      dropped: C:\Users\user\AppData\...\PlanetsTherapy.exe, PE32
      dropped: C:\Users\user\AppData\...\PlanetsTherapy.exe, PE32
      dropped: 3 other files (none is malicious)
      signature: Drops PE files to the startup folder
      cmd.exe (started)
        tasklist.exe (started)
        conhost.exe (started)
        Conhost.exe (started)
      cmd.exe (started)
        WMIC.exe (started)
        conhost.exe (started)
      cmd.exe (started)
        conhost.exe (started)
        tasklist.exe (started)
      35 other processes (started)
        network: chrome.cloudflare-dns.com 172.64.41.3, 443, 49739, 49740 CLOUDFLARENETUS United States
        conhost.exe (started)
        61 other processes (started)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2024-01-13 21:59:15 UTC
File Type: PE (Exe)
Extracted files: 147
AV detection: 5 of 24 (20.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Detects videocard installed
Enumerates processes with tasklist
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: EpsilonStealer
File: Executable exe 1f75823631e70c74d3c906e6e51bd24d6e109729a8dc703aa712e8174e208330 (this sample)

Delivery method
Distributed via web download

Comments