MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933
SHA3-384 hash:	741996e481c8df891c18225823cab4f17654287795113c15ab029e66d657690531d5435141871e040492389fce6896e7
SHA1 hash:	ebb0e34f44089fd4cc750b5fe0dcc14f6bb85a11
MD5 hash:	d3bddb5de864afd7e4f5e56027f4e5ea
humanhash:	december-bacon-lithium-monkey
File name:	docx.bin
Download:	download sample
File size:	5'433'824 bytes
First seen:	2022-06-20 19:56:46 UTC
Last seen:	2022-06-21 20:04:46 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	98304:TtClVkoOSfJNp8FUcwti78OqJ7TPBLYVrsk9N8ivyhAdsPSQx3UGgdN:TlobhH8FUcwti7TQlgVN8iNIShN
Threatray	67 similar samples on MalwareBazaar
TLSH	T1CC46332857E6168AFA721D782471A05189F97B55EC31CB8CF3C2320ECB6790ADB36D31
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	Arkbird_SOLG
Tags:	APT28 CredoMap exe signed V2

Code Signing Certificate

Organisation:	DESKTOP-DSDK4NU\Jefry
Issuer:	DESKTOP-DSDK4NU\Jefry
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-03-30T07:13:11Z
Valid to:	2023-03-30T13:13:11Z
Serial number:	6ae918f381c865b641675d9353bafdfd
Intelligence:	3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	403ae8bae9a1fecedeffadada6b41e7141f4a6020f7725da0a38f960050f21a3
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

578

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

docx.exe

Verdict:

No threats detected

Analysis date:

2022-06-21 07:41:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1033460f-e372-4718-a287-a40eb7228233

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/281738/

Detection(s):

SecuriteInfo.com.MSIL.PSW.Agent.SRW.23702.23099.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a file

Сreating synchronization primitives

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe overlay packed

Link:

https://www.filescan.io/uploads/62b0d11508903778452ab82f/reports/9bf5ede1-c53c-4198-b5c7-2555eef3deee/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/775a591a-c16c-4438-8e3b-54e4bb54e00f

Result

Threat name:

DocSa Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1016671

Signature

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Costura Assembly Loader

Yara detected DocSa Stealer by APT28

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-06-20 19:57:22 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

6 of 26 (23.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=emmk4xl4eo7rq24ivpwprexchtqzsoa3eleowilk2fqw52ehpezq._file

Verdict:

unknown

6409d3f3daa33f1e7cef02f4481954d6618a595fdfed57541566bbf1605d7c62

9121fd4845cbfaf6036ecd3d457eabb2baba660eb693d317eba3c97dccc55a64

a0c8b257c07608f436b12250b4e1dca22b9221b1d660beb55caad1366a1c222f

a4165ae334a45cd8cf05b1659650d61380854fe3e8369df4cfd47cdb71596303

d06072f959d895f2fc9a57f44bf6357596c5c3410e90dabe06b171161f37d690

e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d

+ 57 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/220620-yn8l1adag8/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

MD5 hash:

d3bddb5de864afd7e4f5e56027f4e5ea

SHA1 hash:

ebb0e34f44089fd4cc750b5fe0dcc14f6bb85a11

Link:

https://www.unpac.me/results/d84850e9-9bff-4273-a4b1-812e32bbd341/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.25

Link:

https://yomi.yoroi.company/submissions/2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/malwrhunterteam/status/1538962128534659076

Cape

https://www.capesandbox.com/analysis/281738/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample