MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 203f591e084a2ece60b2be5c13fbafa673ecac10ef91055ad7bd73fddc656b5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


000Stealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 203f591e084a2ece60b2be5c13fbafa673ecac10ef91055ad7bd73fddc656b5d
SHA3-384 hash: d3eabd83e5e2d45ba4ff5b6c9a7fa536a9f30739bb8ed501e63f43b93bb27945c83cb11df9754249573fd1390683ee0d
SHA1 hash: 54e1969a3f4000a610aec127bf2d9028e0dc7588
MD5 hash: 74cffc19a09979e23bfd9f5a5378508b
humanhash: wyoming-speaker-alanine-johnny
File name:file
Download: download sample
Signature 000Stealer
Create hunting rule
File size:5'916'672 bytes
First seen:2022-10-19 16:09:27 UTC
Last seen:2022-10-20 06:03:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0721ccf5c6e6216d478ef8b62a185a8b (1 x 000Stealer)
ssdeep 98304:cdqxlydvAURQUc6QSiSbgOOzVbRRtYoa5JSY8ANYCfBeGO:cdkqAURQUc6QSgOOnA7lhBo
Threatray 12 similar samples on MalwareBazaar
TLSH T11556BE8DCB26656ADED00A340D797D95F8F0246FFC5662C923CEB1AF9C62022F55C6E0
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter andretavare5
Tags:000Stealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc32384019_646103944?hash=ci5260gY2NnhPrNgBfnZyqB52PfZXggxCZaS6Qw28yT&dl=GMZDGOBUGAYTS:1666195514:0ZuIyrgtG0N0fx8mK8rgKPJaVGyy3tC2J7v4cfWKQrz&api=1&no_preview=1#mix2k

Intelligence

File Origin
# of uploads :
200
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-10-19 16:10:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c1ff33bc-20ec-442f-ab11-adfadfe7b1cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321770/
Detection(s):
SecuriteInfo.com.Trojan.Injector.8036.12788.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Reading critical registry keys
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the system32 subdirectories
Stealing user critical data
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/6350215d66721ebd9b2f35cc/reports/f8936bf9-52ca-4de2-a968-face2bef247e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64e545c5-9f1d-4f5c-8c59-c4076911e713
Result
Threat name:
000Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1093632
Signature
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected 000Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/203f591e084a2ece60b2be5c13fbafa673ecac10ef91055ad7bd73fddc656b5d/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2022-10-19 16:12:36 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ea7vshqijixm4yfsxzobh65puzz6zlaq56iqkwwxxvz73xdfnnoq._file
Verdict:
malicious
Similar samples:
0077e7d6e90ad972b64e90c343c617482f39505deff44ebff99ff49041252dcb
000Stealer
08ff371dff7eb8283c675a14af2477eede676756cdd4d2252ee7239140445ec9
000Stealer
1023a522ff7c6abdd3bb32004ca28d89d82a2cd03c627519baea3543a8603f84
000Stealer
b180216a50259f6c1602343a6da48ccd1b9bc293e0d6ff4f1336fa212c482ce6
000Stealer
b924bd60cc419ee92e7c55cb20eb5fe43e2a9c440b5d6ed8b78446bbd180795c
000Stealer
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/221019-tmc2gsfdfr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ec1e222b-9383-4d8a-86a9-1ea9c19d75fe
Unpacked files
SH256 hash:
203f591e084a2ece60b2be5c13fbafa673ecac10ef91055ad7bd73fddc656b5d
MD5 hash:
74cffc19a09979e23bfd9f5a5378508b
SHA1 hash:
54e1969a3f4000a610aec127bf2d9028e0dc7588
Link:
https://www.unpac.me/results/73e55a13-e022-461f-b70b-d5d13a822b23/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/203f591e084a2ece60b2be5c13fbafa673ecac10ef91055ad7bd73fddc656b5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/321770/

Comments