MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23e3031465d1d82b6269870b0285007c37b4778b4260fbede19ef717959dabc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23e3031465d1d82b6269870b0285007c37b4778b4260fbede19ef717959dabc7
SHA3-384 hash: 581a61e5d88670ac8ceb0c3ad0c9a26fe484b36a37a7a64919f8360701d46c2305587c28ee48ddc85ef5ed085ab78781
SHA1 hash: 8781e92eca63f64067312b128edd9753d5e63a51
MD5 hash: b27992c6e5efd785ded3178f4f314012
humanhash: mockingbird-london-football-xray
File name:LoaderV2.exe
Download: download sample
File size:69'051'891 bytes
First seen:2024-01-14 11:52:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:7rziNx5qjHaNtMQ3v8opFnEBMawX1MdGXYopMdzdeUIbf7:+x5qjHw1vsGd2YFMbUf7
TLSH T1B1E7334A7C5D6862DA7634FCCB40803D6AB5B3B4DA37E061F03286D7BC5395B8C298D6
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon f0e8f0f0f0706810
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
494
Origin country :
RO RO
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
DNS request
Reading critical registry keys
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65a3cb223b363792f359905d/reports/14aacda6-90bb-4515-88a6-d9e6ecef7943/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/23e3031465d1d82b6269870b0285007c37b4778b4260fbede19ef717959dabc7
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1374431
Signature
Antivirus detection for URL or domain
Drops large PE files
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1374431 Sample: LoaderV2.exe Startdate: 14/01/2024 Architecture: WINDOWS Score: 60 57 raw.githubusercontent.com 2->57 59 discord.com 2->59 61 api.gofile.io 2->61 71 Antivirus detection for URL or domain 2->71 9 LoaderV2.exe 179 2->9         started        signatures3 process4 file5 43 C:\Users\user\AppData\...\Driver.sys.exe, PE32+ 9->43 dropped 45 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 9->45 dropped 47 C:\Users\user\AppData\Local\...\System.dll, PE32 9->47 dropped 49 13 other files (none is malicious) 9->49 dropped 73 Drops large PE files 9->73 13 Driver.sys.exe 16 9->13         started        signatures6 process7 dnsIp8 65 api.gofile.io 151.80.29.83, 443, 49742, 49743 OVHFR Italy 13->65 67 raw.githubusercontent.com 185.199.110.133, 443, 49739 FASTLYUS Netherlands 13->67 69 discord.com 162.159.138.232, 443, 49741 CLOUDFLARENETUS United States 13->69 51 C:\Users\user\AppData\Local\...\webdata.db, SQLite 13->51 dropped 53 C:\Users\user\AppData\Local\...\passwords.db, SQLite 13->53 dropped 55 cf0527af-9188-4f7d...015f463fba.tmp.node, PE32+ 13->55 dropped 75 Tries to harvest and steal browser information (history, passwords, etc) 13->75 77 Sample is not signed and drops a device driver 13->77 18 Driver.sys.exe 1 13->18         started        21 cmd.exe 1 13->21         started        23 cmd.exe 1 13->23         started        25 3 other processes 13->25 file9 signatures10 process11 dnsIp12 63 chrome.cloudflare-dns.com 172.64.41.3, 443, 49746 CLOUDFLARENETUS United States 18->63 27 powershell.exe 15 21->27         started        29 conhost.exe 21->29         started        31 powershell.exe 15 23->31         started        33 conhost.exe 23->33         started        35 tasklist.exe 1 25->35         started        37 tasklist.exe 1 25->37         started        39 conhost.exe 25->39         started        41 conhost.exe 25->41         started        process13
Score:
26%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/23e3031465d1d82b6269870b0285007c37b4778b4260fbede19ef717959dabc7
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eprqgfdf2hmcwytjq4fqfbiapq33i54lijqpx3pbt33rpfm5vpdq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/240114-n2bjbahedj/
Behaviour
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
An obfuscated cmd.exe command-line is typically used to evade detection.
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 23e3031465d1d82b6269870b0285007c37b4778b4260fbede19ef717959dabc7

(this sample)

  
Delivery method
Distributed via web download

Comments