MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e557bd01d811580bda017fd1d1070d56d722e7d261474f2b404410f55ec1abc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e557bd01d811580bda017fd1d1070d56d722e7d261474f2b404410f55ec1abc
SHA3-384 hash: cb82f4f546519315ff8e1f9305a3f70851aa013b62c4fc26c44f9a87380c4c86127b363106162e893d5ae1162ae29598
SHA1 hash: c4caf30d5ef7b05d8cd947eb1775a3b088901523
MD5 hash: 83f41d521a92d8cdf21f3c31aa63fbab
humanhash: tango-hotel-wisconsin-triple
File name:file
Download: download sample
File size:4'467'712 bytes
First seen:2022-11-03 21:19:52 UTC
Last seen:2022-11-04 10:14:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:2vZQbbwVesOVzgDla/HkfiXLqGOwCpUTVfdezX2XYoYfkVf:2vSfwVTOac1X+wCpUTijAYB8p
Threatray 124 similar samples on MalwareBazaar
TLSH T1A226336AC4F222F6F0DC8576B3650ED5B489729522834CDC0685F5B367B9E0F10E4BB9
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter jstrosch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-03 21:22:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f07c3397-d225-4b0c-8421-6b61324d08bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/328157/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63379604.30424.22288.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a process with a hidden window
Launching a service
Using the Windows Management Instrumentation requests
Forced system process termination
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/6364308515611f8d8bf8ac94/reports/c3eb759f-5b37-48d3-8104-1cc4ab83eb73/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5f2db634-bdb6-4608-9d5f-1b53fa48c205
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1104865
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 737524 Sample: file.exe Startdate: 03/11/2022 Architecture: WINDOWS Score: 68 23 Antivirus / Scanner detection for submitted sample 2->23 25 Multi AV Scanner detection for submitted file 2->25 7 file.exe 2->7         started        process3 signatures4 27 Tries to harvest and steal browser information (history, passwords, etc) 7->27 10 powershell.exe 11 7->10         started        13 powershell.exe 11 7->13         started        15 powershell.exe 11 7->15         started        process5 signatures6 29 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->29 31 Queries memory information (via WMI often done to detect virtual machines) 10->31 17 conhost.exe 10->17         started        19 conhost.exe 13->19         started        21 conhost.exe 15->21         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e557bd01d811580bda017fd1d1070d56d722e7d261474f2b404410f55ec1abc/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-03 21:20:28 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fzkxxua5qekybpnac76r2edq2vwxelt5eykhj4vuaraq6vpmdk6a._file
Verdict:
unknown
Similar samples:
2a1276d50bffabe2b41cd6c789ef1b5df02080d1ed1c87acce6bcc91f0ac29f8
42c5acd0133e2653a0e4f9792906d42f16cf44c6ea920dca1edaf74618feb437
46925967d26cb4373de322bde604948b21a6100822d52b003c82eb88f42668e6
52fbe26c4b9fd1f8fae6d4840ef6741eb6c8bcd4f137f9139ae49b15d1590b20
677817a0182db451275cf23a4c1b96bb9d00ca6c3c50b244723bc6c0ef96b219
7e7cf5a3069c6ffd76d00f193d85cd8d0afcd13ae022626d21b11e264700c91c
7ec738bfdf48fd3a07f87eee1bf8f17a4d790b97263e9655106369c642bff090
b61546030dbe1d3839d0244d814e48f88b36f70303750590b67cfed3486a4e8d
ff3ae8fff0d1862d4bde8f61e0ed14ef76d6d2cc6d940bb83dc0b4cfdacc2752
+ 114 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer upx
Link:
https://tria.ge/reports/221103-z6ra4shdep/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7dc7c8a8-7aa7-4d7f-abc2-37a84b81f301
Unpacked files
SH256 hash:
4c3476a0df8285e3562b2d09c24ed0791a25882a62f9d7019cf360d25a034185
MD5 hash:
8e34ccb6b14ed39f36db9b547c98118e
SHA1 hash:
f6264dbe4e84b39f4a2cf9c5ae152b54d36fbcb7
Link:
https://www.unpac.me/results/f3401774-b04d-4b90-83a9-8da497a4fa90/
SH256 hash:
2e557bd01d811580bda017fd1d1070d56d722e7d261474f2b404410f55ec1abc
MD5 hash:
83f41d521a92d8cdf21f3c31aa63fbab
SHA1 hash:
c4caf30d5ef7b05d8cd947eb1775a3b088901523
Link:
https://www.unpac.me/results/f3401774-b04d-4b90-83a9-8da497a4fa90/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2e557bd01d811580bda017fd1d1070d56d722e7d261474f2b404410f55ec1abc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2e557bd01d811580bda017fd1d1070d56d722e7d261474f2b404410f55ec1abc

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/328157/
  
URLhaus
https://urlhaus.abuse.ch/url/2400267/

Comments