MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 327e7f9b3d96c8403dca1b734cdee199d399ce0bc0a596aa5dc248705211f134. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: 327e7f9b3d96c8403dca1b734cdee199d399ce0bc0a596aa5dc248705211f134
SHA3-384 hash: 725689fc3c8500cb419f425ffc4f9fdc5daaf8d1d92b41746b1f70537900726cdda29d3dec498d780cde38b6cb906cf5
SHA1 hash: dace91947a8384c286862b8d1fa98677883ba74d
MD5 hash: 2b9602b344c78cdc59adb236728b2efc
humanhash: minnesota-lake-summer-carolina
File name: 2b9602b3_327e7f9b3d96c8403dca1b734cdee199d399ce0bc0a596aa5dc248705211f134.exe
File size: 6'428'109 bytes
First seen: 2023-06-21 09:10:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep: 196608:B2x7eICteEroXx7EqlbkkwR7VTEJH+x0S3lB9QK:WeInEroXFEqirRRoJH+uS1B9
Threatray: 117 similar samples on MalwareBazaar
TLSH: T11256331863940CFDF877403A95A05512E1BA78220744DA8B17B8E6270FB7BE5BD7BF90
TrID: 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter: pmmkowalczyk1111
Tags: exe keylogger

Intelligence


File Origin
# of uploads:
1
# of downloads:
387
Origin country:
PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2b9602b3_327e7f9b3d96c8403dca1b734cdee199d399ce0bc0a596aa5dc248705211f134.exe
Verdict:
Malicious activity
Analysis date:
2023-06-21 09:11:50 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Creating a file
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Moving a recently created file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware lolbin overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
76 / 100
Signature
Antivirus detection for dropped file
Drops PE files to the startup folder
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potentially malicious time measurement code found
Suspicious powershell command line found
Behaviour
Behavior Graph:
Behavior Graph ID 891920 (sample KFCV2ASugW.exe, start date 21/06/2023, architecture Windows, score 76): process tree of the sandbox run with dropped files and signature hits per node; rendered as an interactive graph on the original page.
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2023-06-20 19:03:09 UTC
File Type:
PE+ (Exe)
Extracted files:
642
AV detection:
6 of 35 (17.14%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
pyinstaller
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
327e7f9b3d96c8403dca1b734cdee199d399ce0bc0a596aa5dc248705211f134
MD5 hash:
2b9602b344c78cdc59adb236728b2efc
SHA1 hash:
dace91947a8384c286862b8d1fa98677883ba74d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:SUSP_Imphash_Mar23_3
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments