MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291
SHA3-384 hash:	e2bc144397610ba2f0476a740a0ee276d9ecb80adcaa06b3140c23797538edbdfd29536c9d371eafc6b1106f734c6d12
SHA1 hash:	1175d4347533ebbe738ffffda81432a67813d592
MD5 hash:	aa8584ec6da140150edaf594f2b973d9
humanhash:	mexico-five-carolina-freddie
File name:	VG-MW-CW-CAMOSWAPPER.exe
Download:	download sample
File size:	8'278'528 bytes
First seen:	2022-04-10 18:12:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	88381b84da56810b869e897e6d45bd58 (10 x XFilesStealer, 1 x LimeRAT)
ssdeep	196608:RpYTT/84azEQ1KHVOfEhoICUu8g5amuOtuEEWt:RpYf042zOVOfEDCUu84abOkEEWt
Threatray	37 similar samples on MalwareBazaar
TLSH	T131867DA326E139BEC212E0F68621707ECEABF1595766B2D7D451331AD627DF0A43CB01
Reporter	tech_skeech
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

631

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

VG-MW-CW-CAMOSWAPPER.exe

Verdict:

No threats detected

Analysis date:

2022-04-10 18:17:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6c6d3b5e-7e63-4fdc-96d6-063cce0d7250

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/262429/

Detection(s):

SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Creating a window

Searching for analyzing tools

Searching for the window

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

DNS request

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13348/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug control.exe expand.exe greyware keylogger packed packed

Link:

https://www.filescan.io/uploads/62531e34d149c40acb1d9c7f/reports/eb95715f-4239-4705-b7ba-f7baf26fb549/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bd50494a-e15e-4dcb-a43b-1daccefdf3b7

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/974091

Signature

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-04-10 18:13:24 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Verdict:

unknown

51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6

7f7ebad193f76acfd76deebe1f9614da18537896e0e6b04d7873cd486f0cf4fd

9a45c640e91c9140c994f9e9ca5cfaea2f11000f988d538482356aa385ece7ba

d5b1a96dc7d4007a9228abee105cd77305827ed28aac77932e7c416c888c9d30

ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24

edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f

+ 27 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220410-wtql9sbccj/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Checks BIOS information in registry

Unpacked files

SH256 hash:

2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291

MD5 hash:

aa8584ec6da140150edaf594f2b973d9

SHA1 hash:

1175d4347533ebbe738ffffda81432a67813d592

Link:

https://www.unpac.me/results/b43935a2-7b94-4ac0-a01c-9cc5c2bca5c8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/2421c5815103/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_BoxedApp Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with BoxedApp

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	SUSP_Discord_Attachments_URL Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/262429/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample