MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ce89d5d8b680b72063d34470ff0e9b77075e25056bd0a50899c06e193fe2452. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ce89d5d8b680b72063d34470ff0e9b77075e25056bd0a50899c06e193fe2452
SHA3-384 hash: f4cb836419ecf182f438fd96aa4221e608f81923a2b9785567621479926ac78f20bbe51e33dac32f66349d82e959ae94
SHA1 hash: 01ae054edb64db86454e4697907fb52eaf7f76db
MD5 hash: 8e24d18f451a007e2894ca5f7e3fe768
humanhash: north-utah-apart-utah
File name:NitroGenerator.exe
Download: download sample
File size:5'300'864 bytes
First seen:2021-02-20 03:08:54 UTC
Last seen:2021-02-23 13:45:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bb2292057634957dfa559b6eef7b52d8 (1 x BlackKingdom, 1 x ItsSoEasy)
ssdeep 98304:XXcv6FQCvFpDPvdIWXe+q2WWmQNfTBBGzQuKLQ59PzNYMccB6tEOv1e5ZBUdq5:XXNvfDnd9e+q2WWmQNLBBGZlrOFLtEaG
Threatray 21 similar samples on MalwareBazaar
TLSH D33612E6EA502098CDBCDA37E7EDAF3353A35C3E279D264B47E4B23444A3C661E55108
Reporter Jirehlov
Tags:exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Python.Stealer.129.17695.7126.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/613196
Signature
Antivirus / Scanner detection for submitted sample
Connects to a pastebin service (likely for C&C)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ce89d5d8b680b72063d34470ff0e9b77075e25056bd0a50899c06e193fe2452/
Threat name:
Win64.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-02-20 00:07:57 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
06eeeac97751699903c4751be6fce5d4d453e25830e8a02cc118f41d592308c9
260809d850f42fd71f5ddff0bf68a241a82595aa062d82fa5ca6c7bf8076ad15
290452bb8eb4dfcc3cfb1590c8fb1b44427a3c9f0439ad5855e35bc39537a3a3
4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6
4ddfd623ef499cb59cd55be3a72e22acefb23488d1631692baaff001471b2bea
554b54dd18ef35af4bfe0f065f0310a29a3ae19bfc518bc50be481744aaa01fe
5f7edbfee38f8e9a93df459405b952189d48b4a7f2ddc7a81d25bdfd59b31c80
e68a310f4d4a1a9d76c462cf0404a702bc138296a1badd2a7728656b3757c254
fbe1b7e3984d33ae5f5756116aaddce9139849cf0364f4ca1edb74d8a273e766
fd81b3ed300db65a7a31b2b10011c9bfa9a2349571e2ccb532bc714856241b8e
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware
Link:
https://tria.ge/reports/210220-9tzycsxgws/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
2ce89d5d8b680b72063d34470ff0e9b77075e25056bd0a50899c06e193fe2452
MD5 hash:
8e24d18f451a007e2894ca5f7e3fe768
SHA1 hash:
01ae054edb64db86454e4697907fb52eaf7f76db
Link:
https://www.unpac.me/results/5fe40c51-7d26-4035-a65f-f5f73169ef9e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2ce89d5d8b680b72063d34470ff0e9b77075e25056bd0a50899c06e193fe2452

(this sample)

  
Delivery method
Distributed via web download

Comments