MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f83274b2e5cbe9c8bced262f0f0eb600f9ca32c5f5eac4eb32cdf1fd2498913. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f83274b2e5cbe9c8bced262f0f0eb600f9ca32c5f5eac4eb32cdf1fd2498913
SHA3-384 hash: a2268e74f01a82723e3b0cdba3ae5a6e184d5fea98b012372b7f17e85b8c28c7ed3e6284cbfaec580eab28d7717c48da
SHA1 hash: 70b6815c2dfb37a99e881b5f78e224d70f542b29
MD5 hash: 15cd68e19a2f1ab284904963e3468abe
humanhash: mockingbird-low-zulu-hot
File name:file
Download: download sample
File size:1'564'640 bytes
First seen:2022-12-03 14:19:31 UTC
Last seen:2022-12-03 16:21:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2272bd1fadcc3c967b255c33596d9f56 (2 x LgoogLoader, 2 x RedLineStealer)
ssdeep 24576:bzz7rejetDEyjrWSFQuBs0vfrKw5g6FDmmrP/l7wm9EOo66CxsIpR3C82iIgv7Qw:bz3regyuBsE66FKU/lwm9HkCxsIpIU
Threatray 15'952 similar samples on MalwareBazaar
TLSH T1537512442B6247A6ECD3497D413AE3BB0731B9783A7AC6837754561FCFB42A28520B4F
TrID 52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.5% (.EXE) Win32 Executable (generic) (4505/5/1)
3.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0f8e8ccd0e4ecf0
Reporter andretavare5
Tags:exe signed

Code Signing Certificate

Organisation:*.fandom.com
Issuer:GlobalSign Atlas R3 DV TLS CA 2022 Q2
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-29T16:20:14Z
Valid to:2023-06-30T16:20:13Z
Serial number: 0140594ccaad5348bfaf7de297272e29
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: fa7ef95683db2bc31e4529987990cc9c93fb36b641e50af61384539189ead97d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://91.213.50.36/files/spacemen.exe

Intelligence

File Origin
# of uploads :
8
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-03 14:21:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e046736f-33b0-4bf8-b832-b60a47057044

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342274/
Detection(s):
SecuriteInfo.com.Unwanted-Program.004d2a1d1.15681.15376.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/638b5b1404e0e79bdf408dfa/reports/9ba1eb8f-0f4d-4b65-b370-0ed7618dd218/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70e1cda5-6d97-48f9-9f4c-1e07dd0991b9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1127095
Signature
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Machine Learning detection for sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f83274b2e5cbe9c8bced262f0f0eb600f9ca32c5f5eac4eb32cdf1fd2498913/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-03 14:20:11 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f6bsoszols7jzc6o2jrpb4hlmahzzizml5pkytvtftpr7usjrejq._file
Verdict:
malicious
Similar samples:
15940963f5cd71e4a9f686a383211663cc501ffe34ffd9582c1300af4d56b351
2c989418ee6df1ae08f2332ca25edc3c7ace2aa9f8ef710b80857c500b4f4c01
3c645242b178e6248f189ace55b2c3c0af905b5f35a0cc7d03600dd148ae915a
3e45e89d63f4a3f2091d7b1f5b2c331779c735cc45581b3f0d6f293e45fc45f1
44212fc0e7338e59097d84235ef677051327e3486960b2801099ab57f51de83a
616812fc478db8cb2f4be4aae6094fb9e93ca2449c9b0841beeb9f7960914437
94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900
9decea735b00c1885b133ce7b7350ae65ec33a1c9663ec22d34216e425b18168
dfd88d1b834dac64cb82037099eff4e0d062011c712b7d413041a801ba0ac0ae
e9d2fc84653ded9e3b6a95d30ac8c86cd7dae65319238c9810277bee34c4d5d6
+ 15'942 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/221203-rneklaca8s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3e7d7ede-0dc1-46a6-b192-c5126c0c7de2
Unpacked files
SH256 hash:
27bdfb622f98e13ec759b0beac187408381e21f6ffa2386692c1b72d5655fbfa
MD5 hash:
38cdef5d379a128f0739a5d193a3dbb6
SHA1 hash:
45c121fad6ea6da0d999fb65774a62ed72102cba
Link:
https://www.unpac.me/results/53700a6a-82e4-46fe-8f9b-b05e79a414f0/
SH256 hash:
2f83274b2e5cbe9c8bced262f0f0eb600f9ca32c5f5eac4eb32cdf1fd2498913
MD5 hash:
15cd68e19a2f1ab284904963e3468abe
SHA1 hash:
70b6815c2dfb37a99e881b5f78e224d70f542b29
Link:
https://www.unpac.me/results/53700a6a-82e4-46fe-8f9b-b05e79a414f0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/2f83274b2e5cbe9c8bced262f0f0eb600f9ca32c5f5eac4eb32cdf1fd2498913

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/342274/

Comments