MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b7fda9022313bcf0d6bc31aa1058ccfcbbb925fd24529b43e7ec29f46fc3c70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EpsilonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b7fda9022313bcf0d6bc31aa1058ccfcbbb925fd24529b43e7ec29f46fc3c70
SHA3-384 hash: 318a1613b0333dd76039e87d935bd2f1a55bd3d44fece0e831611bfed59c500290c486c35c701129020aed3cb5b7a254
SHA1 hash: b7773c9460b113d6fec40e8941e6694f75f307e8
MD5 hash: d5cfef095c2b4d2393cdad42de0898a5
humanhash: wolfram-hamper-quiet-venus
File name:Dual Corps.exe
Download: download sample
Signature EpsilonStealer
Create hunting rule
File size:68'682'351 bytes
First seen:2023-10-30 15:21:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:k4/4rzOchPGUqDxtL4Bz/zJYh4LQI+3ezBKSURV1GJ7:vkqcdGUqDv0BH6h40IM1S57
Threatray 41 similar samples on MalwareBazaar
TLSH T15BE733E4BFDB087FD3388AB592BCA38BC208D2E258797253C3A6B45A074D9573D5C161
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 98e5676565a5a198 (20 x EpsilonStealer, 2 x NovaSentinel, 1 x LummaStealer)
Reporter YAMalwareGuy
Tags:32-bit electron EpsilonStealer exe


Avatar
YAMalwareGuy
InfoStealer as a Service by Nova Sentinel french group

Group Telegram: https://t.me/Sordeal
Triage: https://tria.ge/231030-shyxqaff73

The malware sends the informations to hawkish.eu which then redirects the infos over to a discord webhook.

Intelligence

File Origin
# of uploads :
1
# of downloads :
423
Origin country :
FR FR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Searching for synchronization primitives
Unauthorized injection to a recently created process
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/653fca1eb38131f117aad667/reports/6395b2be-e8b4-4ade-9488-526118d6682f/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/2b7fda9022313bcf0d6bc31aa1058ccfcbbb925fd24529b43e7ec29f46fc3c70
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.spyw.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1334345
Signature
Overwrites Mozilla Firefox settings
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1334345 Sample: Dual_Corps.exe Startdate: 30/10/2023 Architecture: WINDOWS Score: 56 61 ipinfo.io 2->61 63 github.com 2->63 65 2 other IPs or domains 2->65 8 Dual_Corps.exe 205 2->8         started        process3 file4 45 C:\Users\user\AppData\...\Dual Corps.exe, PE32+ 8->45 dropped 47 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 8->47 dropped 49 C:\Users\user\AppData\Local\...\System.dll, PE32 8->49 dropped 51 18 other files (none is malicious) 8->51 dropped 11 Dual Corps.exe 40 8->11         started        process5 dnsIp6 69 api.gofile.io 151.80.29.83, 443, 49748 OVHFR Italy 11->69 71 ipinfo.io 34.117.59.81, 443, 49740, 49741 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 11->71 73 github.com 140.82.113.4, 443, 49747 GITHUBUS United States 11->73 53 C:\Users\user\AppData\...\places.sqlite_tmp, SQLite 11->53 dropped 55 C:\Users\user\AppData\...\cookies.sqlite_tmp, SQLite 11->55 dropped 57 C:\Users\user\AppData\Local\...\Web Data_tmp, SQLite 11->57 dropped 59 5 other files (3 malicious) 11->59 dropped 81 Overwrites Mozilla Firefox settings 11->81 83 Tries to harvest and steal browser information (history, passwords, etc) 11->83 16 cmd.exe 1 11->16         started        19 cmd.exe 11->19         started        21 cmd.exe 11->21         started        23 30 other processes 11->23 file7 signatures8 process9 dnsIp10 75 Suspicious powershell command line found 16->75 77 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 16->77 26 WMIC.exe 1 16->26         started        29 conhost.exe 16->29         started        31 conhost.exe 19->31         started        33 powershell.exe 19->33         started        41 2 other processes 21->41 67 chrome.cloudflare-dns.com 172.64.41.3, 443, 49746 CLOUDFLARENETUS United States 23->67 35 WMIC.exe 1 23->35         started        37 conhost.exe 23->37         started        39 conhost.exe 23->39         started        43 53 other processes 23->43 signatures11 process12 signatures13 79 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 26->79
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2b7fda9022313bcf0d6bc31aa1058ccfcbbb925fd24529b43e7ec29f46fc3c70
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fn75vebcge546dllymnkcbmmz7f3xes72jcstnb6p3bj6rx4hrya._file
Verdict:
unknown
Similar samples:
10c509006cf9328447712a70a0793952a1a6c6f3bdf994a482baa47e883f9e5b
EpsilonStealer
30a1ae69eb70083e1fe40c28becf7de5ec557705aae764af211f70f87ae5a403
EpsilonStealer
41d9459adfc2174e254616e62e78811abee49d1114f044df8ef04eab28ed0514
EpsilonStealer
47d9aeb26536b9d9c74b69c0e7510cbdb6c3858e953711db573a5ff9112214cb
EpsilonStealer
52636749d75f870099f5e84af6225309980ae7c2fe5e190c9685b960d9577b86
EpsilonStealer
866ad0e1f44d12677e3cd565d47283d6229df46e23387c1ed482abe145ce080d
EpsilonStealer
9a724dd1c38c698ac3be3e0e5bc128b0875e9f4ed6226ae73c85eba661d6a65a
EpsilonStealer
ce17af59a2414b2dd199529a1c0e47d9bdd9b7f01c793b0e7dacaf27b12abca3
EpsilonStealer
ceb8949a84d139477c8531d556f9b1dedad152e51c5caec0b95af239cd890131
EpsilonStealer
fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4
EpsilonStealer
+ 31 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/231030-srxe9adh3w/
Behaviour
Collects information from the system
Detects videocard installed
Enumerates processes with tasklist
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2b7fda902231/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EpsilonStealer

Executable exe 2b7fda9022313bcf0d6bc31aa1058ccfcbbb925fd24529b43e7ec29f46fc3c70

(this sample)

  
Link
https://dualcorps.site/DualCorps.zip
  
Delivery method
Distributed via web download

Comments