MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 338d6376434f33f3997d6a457d8dddd603697b7d8267fc7f306387d99d4dcb6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 338d6376434f33f3997d6a457d8dddd603697b7d8267fc7f306387d99d4dcb6c
SHA3-384 hash: 8e0862d40498ed928dc3abd778101682047d6d6668952ac0048af9ae957f3f4095fd436fb749b3d2f2d7a7b5bda9efd1
SHA1 hash: 8f0e443b8462394f62a0053d79720d57f63ae209
MD5 hash: e9528c13a0b3e711a2ddc8d38bb3343a
humanhash: island-december-artist-lion
File name:e9528c13a0b3e711a2ddc8d38bb3343a.exe
Download: download sample
File size:377'344 bytes
First seen:2022-09-15 07:46:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a490e3ca20f57194cb1f4b473b3242c4 (17 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 6144:aUUTBjz9PuswWG4VkiPQtA4+bdHzMQe4ak6/p8a4oOLPaXuUjglmgxbgLvj+GS3j:aUUldZwqFPQtA4+bdfak6RX4pLqkwgxh
TLSH T1EA849E9EE73BB281F15E007F0454DAE441B326F75800671EE239AA79513A0CE76FAD93
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310183/
Detection(s):
SecuriteInfo.com.Variant.Lazy.243992.31224.11208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Running batch commands
Searching for the window
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/6322d85f6da26524a1405d7a/reports/9bacb55b-a348-423e-be76-77cd878350ae/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/13f02cf3-fa21-43d2-88a9-c043a88bd4da
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1070761
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 703303 Sample: mQB8ghQAv7.exe Startdate: 15/09/2022 Architecture: WINDOWS Score: 72 45 Multi AV Scanner detection for submitted file 2->45 47 .NET source code contains method to dynamically call methods (often used by packers) 2->47 49 Machine Learning detection for sample 2->49 9 mQB8ghQAv7.exe 1 2->9         started        13 Clipper.exe 1 2->13         started        15 Clipper.exe 1 2->15         started        process3 file4 39 C:\Users\user\AppData\...\mQB8ghQAv7.exe.log, ASCII 9->39 dropped 51 Contains functionality to inject code into remote processes 9->51 53 Injects a PE file into a foreign processes 9->53 17 mQB8ghQAv7.exe 15 4 9->17         started        55 Multi AV Scanner detection for dropped file 13->55 21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        signatures5 process6 dnsIp7 43 cdn.discordapp.com 162.159.130.233, 443, 49711 CLOUDFLARENETUS United States 17->43 37 C:\Windows\Temp\xsv.exe, PE32+ 17->37 dropped 25 cmd.exe 1 17->25         started        27 conhost.exe 17->27         started        file8 process9 process10 29 xsv.exe 1 7 25->29         started        33 conhost.exe 25->33         started        file11 41 C:\Users\user\AppData\Roaming\...\Clipper.exe, PE32+ 29->41 dropped 57 Multi AV Scanner detection for dropped file 29->57 35 conhost.exe 29->35         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/338d6376434f33f3997d6a457d8dddd603697b7d8267fc7f306387d99d4dcb6c/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-09-15 07:47:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gogwg5sdj4z7hgl5njcx3do52ybws635qjt7y7zqmod5thknznwa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220915-jmjh6agadr/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/21d6cd1c-27cd-4408-8912-e49327dbbd67
Unpacked files
SH256 hash:
4d3d2938da6e71546247c62158907ebcec94428cfc4e132b89c3427d3b348df5
MD5 hash:
b124e1698719c95d31c3580b0f23571c
SHA1 hash:
8c792f162bd1f03578e51d6f532607930b461ab0
Link:
https://www.unpac.me/results/45bdb7bd-a2b4-4806-bd81-ab0d8e86a383/
SH256 hash:
338d6376434f33f3997d6a457d8dddd603697b7d8267fc7f306387d99d4dcb6c
MD5 hash:
e9528c13a0b3e711a2ddc8d38bb3343a
SHA1 hash:
8f0e443b8462394f62a0053d79720d57f63ae209
Link:
https://www.unpac.me/results/45bdb7bd-a2b4-4806-bd81-ab0d8e86a383/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/338d6376434f33f3997d6a457d8dddd603697b7d8267fc7f306387d99d4dcb6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 338d6376434f33f3997d6a457d8dddd603697b7d8267fc7f306387d99d4dcb6c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2301799/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/310183/

Comments