MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25613a9993c484dc8dd00937e0487299cc454e786eabd10cbf1a390a6ffdf0dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12

SHA256 hash: 25613a9993c484dc8dd00937e0487299cc454e786eabd10cbf1a390a6ffdf0dc
SHA3-384 hash: 8d0cbeff67b3882882ec851d3c0f65f3267d7ba026e8a6ef28355e98aa6bacfcb31e4447cffc8b11a64eb1a8a799ee57
SHA1 hash: d8f3688a59dc4cbf7f1d8813165319b21b8c88c7
MD5 hash: 340822180b4caf3a92d1b91c5c6e6a74
humanhash: uranus-cardinal-oregon-cola
File name: 340822180b4caf3a92d1b91c5c6e6a74.exe
Download: download sample
File size: 1'192'960 bytes
First seen: 2022-10-26 10:11:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e958f9c91f53edd19c93afb299d2d23c (10 x ArkeiStealer)
ssdeep: 24576:naIMiZ9puDlXLpKY5bcrKlz5kAQqh3/wDTbuLE:naIMEpuDlXLpKY55mAh3/wDTbQE
Threatray: 108 similar samples on MalwareBazaar
TLSH: T15445BF4A28C326B2EC290A3CC9415D773E39BA31EAB55ADB43CA06F5553F153D84EF42
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 218
Origin country: n/a

Vendor Threat Intelligence
Malware family: raccoon
ID: 1
File name: 340822180b4caf3a92d1b91c5c6e6a74.exe
Verdict: Malicious activity
Analysis date: 2022-10-26 10:18:24 UTC
Tags: trojan raccoon recordbreaker loader stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Creating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a

Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 730934
Sample: 3UEBOoxCgk.exe
Startdate: 26/10/2022
Architecture: WINDOWS
Score: 68

Top-level signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample

Process tree (as shown in the graph):
  3UEBOoxCgk.exe (started)
    Signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    RegSvcs.exe (started)
      Network: 79.137.196.121, 1488, 49707 PSKSET-ASRU Russian Federation
      Dropped file: C:\Users\user\AppData\Roaming\...\punpun.exe, PE32
      Signatures: Injects a PE file into a foreign processes
      RegSvcs.exe (started)
        Signatures: Injects a PE file into a foreign processes
        RegSvcs.exe (started)
          Network: 172.86.121.106, 80 NETRANGEUS United States
        RegSvcs.exe (started)
  punpun.exe (started)
    conhost.exe (started)
  punpun.exe (started)
    conhost.exe (started)
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2022-10-26 04:30:21 UTC
File Type: PE (Exe)
AV detection: 25 of 41 (60.98%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence spyware
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Gathering data
Unpacked files
SHA256 hash: 25613a9993c484dc8dd00937e0487299cc454e786eabd10cbf1a390a6ffdf0dc
MD5 hash: 340822180b4caf3a92d1b91c5c6e6a74
SHA1 hash: d8f3688a59dc4cbf7f1d8813165319b21b8c88c7
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 25613a9993c484dc8dd00937e0487299cc454e786eabd10cbf1a390a6ffdf0dc (this sample)

Delivery method: Distributed via web download

Comments