MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d0ca4604a0effdd7d12700991d223fc96ea02b49531fcea2e4e4d3db521e9b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d0ca4604a0effdd7d12700991d223fc96ea02b49531fcea2e4e4d3db521e9b2
SHA3-384 hash: b74ee6d81c9fcf703028198b9bf36ecaafb3f84252bf4c537eb4400942e61f0d622a487e7866ff41fedccd099ccf242e
SHA1 hash: c270872ab49c78b3f71b832a89f14de81977d8ab
MD5 hash: 325f8c0fcc87998e2bda7f8e8ab2e843
humanhash: moon-mike-leopard-three
File name:Pencil_of_Death.exe
Download: download sample
File size:6'961'468 bytes
First seen:2021-11-18 00:24:51 UTC
Last seen:2021-11-18 01:57:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 51a5e6ba413b3d4c2f9ffde72d1f2a95 (2 x ZuoRAT)
ssdeep 196608:Rkgx7QICteEroXxWVfEqlbkkwR7VTEJZFH3X7rJ1s:ZQInEroXgfEqirRRoJZR3X79O
Threatray 9 similar samples on MalwareBazaar
TLSH T1B766330867900CFCF5B30034A5908821D27ABC324744DD9B5AA8A6775FA7FD5BE7BE84
File icon (PE):PE icon
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Python.Stealer.194.7124.10109.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed python
Link:
https://www.filescan.io/uploads/61959d614912a8c920a1fb4c/reports/b2205701-aa10-477d-aa56-077ef6a7097f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19d1c1ac-2754-4d95-84d3-cc93d7ef5812
Result
Threat name:
Discord Token Grabber
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/891639
Signature
Connects to a pastebin service (likely for C&C)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Discord Token Grabber
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d0ca4604a0effdd7d12700991d223fc96ea02b49531fcea2e4e4d3db521e9b2/
Threat name:
Win64.Trojan.Tedy
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 02:27:06 UTC
AV detection:
16 of 44 (36.36%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04a31ae8a31bb4144d7392040442f4a38e8301cc550124cc47d012a0eba71bdd
089b3975338c69d1c8ae96cec13328459e8208c7cf9c88ce98896b90697c140b
4eda894346c802158cadd4483697103468467fffea120f578f8456981bc42fbc
5ca7f6603eb01705ec76307ca6c64f694a4f2132c84413a0751520b8a3961716
622fb838298b78969dfbe0d1ff0c2fcea071b77e9a30332805a532683a039570
81ac71909750b1ba2225c173ea99f56d6e237aeb70b45212ac757e265c25ea6f
d747ef417490620d91d0f64262469fb8996cce9e0031fcc319fc4a0a39962dce
e18efb7cff387e8b7ab7e7882841d21e5d6c3e9bddaa289a30315a54352bc39a
e8f57a83f154fb0c67f6064d3dc6914ad4278e5f79d054ec66c3b8383aeb5b5e
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/211118-aqmkjsbdem/
Behaviour
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
3d0ca4604a0effdd7d12700991d223fc96ea02b49531fcea2e4e4d3db521e9b2
MD5 hash:
325f8c0fcc87998e2bda7f8e8ab2e843
SHA1 hash:
c270872ab49c78b3f71b832a89f14de81977d8ab
Link:
https://www.unpac.me/results/88561815-de9f-4057-9f2c-5e47a6db3dfc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d0ca4604a0effdd7d12700991d223fc96ea02b49531fcea2e4e4d3db521e9b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3d0ca4604a0effdd7d12700991d223fc96ea02b49531fcea2e4e4d3db521e9b2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207051/

Comments