MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d3cdbc05416c888b5779c01e83e7e9dfce24a81e3c736f55aac3a34f8cd488d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d3cdbc05416c888b5779c01e83e7e9dfce24a81e3c736f55aac3a34f8cd488d
SHA3-384 hash: 5e345e28e786fedc93f004fba403b57d55b9344bc87eb473e5d42cd8fa38049c1dab043572433a005192065345514511
SHA1 hash: 759b2b09f53aa11e0bbd041f878c51886b5eec5b
MD5 hash: 34e062df0d21868a42c4d73ccd050901
humanhash: blue-jig-delta-arizona
File name:PEUIPY.exe
Download: download sample
File size:2'366'257 bytes
First seen:2021-07-31 07:55:09 UTC
Last seen:2021-07-31 08:52:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep 12288:8hkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4ahr60zpIzFfLG:0RmJkcoQricOIQxiZY1iad60zEFfLG
Threatray 2'929 similar samples on MalwareBazaar
TLSH T192B5EBD4D83BD921E2D633B2848416E6D147BEE43E2D92B50398F4FB24659AD67C830F
dhash icon 31915626135a5a24
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
551
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PEUIPY.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-31 07:56:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8f523650-0597-4c70-ab33-0acf0cbfca29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175425/
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.281.11649.2839.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3d025ca3-86cd-48f7-8ff7-cbd0c41e08c4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/824843
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457255 Sample: PEUIPY.exe Startdate: 31/07/2021 Architecture: WINDOWS Score: 92 23 Malicious sample detected (through community Yara rule) 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 6 PEUIPY.exe 2->6         started        9 vkl.exe 2->9         started        11 vkl.exe 2->11         started        process3 signatures4 27 Detected unpacking (changes PE section rights) 6->27 29 Detected unpacking (overwrites its own PE header) 6->29 31 Injects a PE file into a foreign processes 6->31 13 PEUIPY.exe 3 2 6->13         started        33 Antivirus detection for dropped file 9->33 17 vkl.exe 9->17         started        19 vkl.exe 11->19         started        process5 file6 21 C:\Users\user\AppData\Local\Temp\vkl.exe, PE32 13->21 dropped 35 Tries to harvest and steal browser information (history, passwords, etc) 13->35 37 Installs a global keyboard hook 13->37 signatures7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d3cdbc05416c888b5779c01e83e7e9dfce24a81e3c736f55aac3a34f8cd488d/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2021-07-31 07:56:06 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hu6nxqcuc3eirnlxtqa6qpt6tx6oesub4pdtn5k2vq5dj6gnjcgq._file
Verdict:
malicious
Similar samples:
0d58813f6e88337b27157411f7a929995e64dd389c16da0fc12e0bdf0f4c48d5
38e5fde6988bbf02467d7b59ba15a3dfbdaedfab4804c60cf3ae44db6b48a844
647260f08017b3f63e2c5178e751b9d37503850cc18aeaa367506e7808b1e249
6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
83b924a12b9d879758a2cd4c73a095de0ba4016163f76c94404820e741534030
9129967bfcf44c87ec6eb83a30f5500a5e453c76281b7ec3b0c1caa778377e08
af842257a5720b2a587284626867caed0bbc03fbaf8163258eb52d36b053a428
aff4652e2ee285a5ad71717a36e215c1eb59787d74e73a763701b0a5f68751a7
ed105272dc3c77f54e7d170474afa6590a98477e6b076d7e5d1cf6c5e152319d
+ 2'919 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210731-z83za3gc2j/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
7cc553e88bdcef0ea7113776bf9c33c30ad53a948eaa520305608775c52fbe89
MD5 hash:
c6e4de475161ef94d5b0f07a30d3951a
SHA1 hash:
007418a07153a72ee95cfd11d1695026fb37208a
Link:
https://www.unpac.me/results/24ee929a-ba87-4e2b-880b-8ae2bfd17455/
SH256 hash:
3d3cdbc05416c888b5779c01e83e7e9dfce24a81e3c736f55aac3a34f8cd488d
MD5 hash:
34e062df0d21868a42c4d73ccd050901
SHA1 hash:
759b2b09f53aa11e0bbd041f878c51886b5eec5b
Link:
https://www.unpac.me/results/24ee929a-ba87-4e2b-880b-8ae2bfd17455/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d3cdbc05416c888b5779c01e83e7e9dfce24a81e3c736f55aac3a34f8cd488d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175425/

Comments