MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27dbff4b16fa15497def710d494b48ad90c3a498c354cee50fc0e35081dcfbb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27dbff4b16fa15497def710d494b48ad90c3a498c354cee50fc0e35081dcfbb7
SHA3-384 hash: 5b4224c0f14558521aebdd528ec94a7d50ce021bbcbfb24db671d8abf8d485985e594c0cf9f1da0f9c74d6908f847989
SHA1 hash: 8361af53ea19c1979757c19f7917b59dbc65c555
MD5 hash: dcc4e3a64f72ee55fb7e1fb1b93d8dc6
humanhash: wisconsin-arkansas-stairway-july
File name:SecuriteInfo.com.Trojan.PWS.DiscordNET.12.2100.18508
Download: download sample
File size:279'675 bytes
First seen:2020-07-27 16:39:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 6144:DsxanyfX5k7JlJDlABKUtfU/WQcb5JhU+ibP:40nyfXuIBDtfueWbP
Threatray 47 similar samples on MalwareBazaar
TLSH 7D546C3370B2D132D05A0131CE6AF6BA79B8BD60272155CFFBC53AB86A70563D21DB52
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32974/
Detection(s):
SecuriteInfo.com.Trojan.PWS.DiscordNET.12.2100.18508.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Creating a file
Delayed writing of the file
Creating a process from a recently created file
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/398928
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 251683 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 27/07/2020 Architecture: WINDOWS Score: 68 35 Multi AV Scanner detection for submitted file 2->35 37 Uses ping.exe to sleep 2->37 39 Uses ping.exe to check the status of other devices and networks 2->39 7 SecuriteInfo.com.Trojan.PWS.DiscordNET.12.2100.exe 3 14 2->7         started        process3 file4 29 C:\Users\user\AppData\Local\...\install.exe, PE32 7->29 dropped 10 cmd.exe 1 7->10         started        13 install.exe 15 2 7->13         started        16 wscript.exe 7->16         started        process5 dnsIp6 41 Uses ping.exe to sleep 10->41 18 PING.EXE 1 10->18         started        21 conhost.exe 10->21         started        23 PING.EXE 1 10->23         started        27 10 other processes 10->27 33 discordapp.com 162.159.133.233, 443, 49715 CLOUDFLARENETUS United States 13->33 43 Multi AV Scanner detection for dropped file 13->43 45 Machine Learning detection for dropped file 13->45 25 WerFault.exe 28 10 13->25         started        signatures7 process8 dnsIp9 31 127.0.0.1 unknown unknown 18->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27dbff4b16fa15497def710d494b48ad90c3a498c354cee50fc0e35081dcfbb7/
Threat name:
ByteCode-MSIL.Infostealer.DiscoStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-27 07:05:21 UTC
AV detection:
35 of 48 (72.92%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
2d40a6c3d1200616055b55031daa8a6b010b3c99219f6b6da87bcd2b2f27d6c2
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757
5ade1071b7d6a1abe0b851d953fe1571f7372bce3d48f0adedfbbecd02c512c6
73acff9ea3647f699cd645b09e652ca498eea7c5cee9f3cb573afda67a0ceeb2
cf1e8f2fc2dd05514be3e8f92abf5b266dfb1547cc611dabc0cc4eea5a1b7dfe
e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec
fd869766f1f735b4c1479ec1300fd63f4a203142e4ed0e6ac18f05d1cdba3ac8
+ 37 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200727-1yt7y3xqve/
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Program crash
Loads dropped DLL
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/27dbff4b16fa15497def710d494b48ad90c3a498c354cee50fc0e35081dcfbb7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 27dbff4b16fa15497def710d494b48ad90c3a498c354cee50fc0e35081dcfbb7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/419870/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/32974/

Comments