MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VectorStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975
SHA3-384 hash: 4edb7d928fb4379360c77fb2e9d7f2c6ee683fbbc19f68743f5a86f050e82124e6d44a52504db5fdf38a0e81f48085a6
SHA1 hash: 523d61b31dd1104a20bbd04e3f4c30729191af64
MD5 hash: f91e53e0379eac34c222de4a46588cf1
humanhash: single-butter-mobile-batman
File name:SecuriteInfo.com.Win64.PWSX-gen.29890.2280
Download: download sample
Signature VectorStealer
Create hunting rule
File size:1'128'960 bytes
First seen:2023-03-28 07:32:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:MOp5uo31uJ1xQ/YNuZb4c9JsJchzWN82fRwFceVXmgNbo6qYfQD:Dg0gHQuuGSLhjwhMo6qYfi
Threatray 1'239 similar samples on MalwareBazaar
TLSH T19D35334DD2EEABB3CD9D0F7E415930668F55F27BD580AAF5A96C0C76AC203C534B2910
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:exe VectorStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win64.PWSX-gen.29890.2280
Verdict:
Malicious activity
Analysis date:
2023-03-28 07:35:47 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/b1847ca2-7cc1-4292-b995-316aefccd047

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378120/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.29890.2280.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun for a service
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642298356ed02dd52de59d3a/reports/70d30852-40a8-41b5-97ef-dc29a7601c3e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
VectorStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/235edd4a-714f-463e-82a7-30a5e7eb9cb1
Result
Threat name:
Vector Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1203232
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
Yara detected Vector Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975/
Threat name:
Win64.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-27 22:02:03 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwtriglt3vyioi5ooenzj6cf2ntub4tbhvhzjxpdvkohkum7bf2q._file
Verdict:
malicious
Similar samples:
41955ff332c22ffa3c2014f4bdffc2db6b5ae75d8289df443929a507dca525cd
VectorStealer
4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36
VectorStealer
66bdde9f427859cc6b7cc1ff67bdf9d93ff8b0d7bc226185cb2195c746e28a0a
VectorStealer
67ffb10d7ef8cc9b49ef3ad7affcd7f865391cac2cdbad7ae1d259ec6a4a0cb8
VectorStealer
bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268
VectorStealer
bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48
VectorStealer
bc8560177aa43a687207e68c27c1c9378eb6fff83e61d279641c9256d79ea055
VectorStealer
cb8cd78c09c1a9dd7b2cf6a4288c984b4b5619ab8301d1a963e089024bb314d0
VectorStealer
e2dbdd45e11e2b7e32caef9e2f4365d05e63eaf13724bea2ed842a503adb802f
VectorStealer
+ 1'229 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection persistence
Link:
https://tria.ge/reports/230328-jdjskabd7s/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Sets service image path in registry
Unpacked files
SH256 hash:
35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975
MD5 hash:
f91e53e0379eac34c222de4a46588cf1
SHA1 hash:
523d61b31dd1104a20bbd04e3f4c30729191af64
Link:
https://www.unpac.me/results/74258d57-e529-41f6-97b5-9eb1ede77a5c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35a7141973dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/378120/

Comments