MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e45e89d63f4a3f2091d7b1f5b2c331779c735cc45581b3f0d6f293e45fc45f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	3e45e89d63f4a3f2091d7b1f5b2c331779c735cc45581b3f0d6f293e45fc45f1
SHA3-384 hash:	a413315fd3cb580f14ada46f3ab69407f801005f7a6a48636cc5e09a9f65ec1f50f0e4f4c94619437e759a6902c2443a
SHA1 hash:	5f64f9e6200115cdd6060d04b9a6fccd20ebcff4
MD5 hash:	d879588b3878a138d84c21f9e6146f48
humanhash:	six-cat-low-leopard
File name:	file
Download:	download sample
File size:	198'656 bytes
First seen:	2022-11-09 22:32:13 UTC
Last seen:	2022-11-10 01:01:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	64c1eadffab91dbab47828ec42ef51fa (1 x Khalesi, 1 x Rhadamanthys)
ssdeep	3072:Uv5ChRQUknU7TfNMXgSrayXVE9y4qQDHg2EPkoTrEsjHZvQ3hl43vpMvxGWqB2cH:dh6zU7T1DylEtDAvPJTrF5vQ37IM
Threatray	15'378 similar samples on MalwareBazaar
TLSH	T1A214F16430B084B5E5DB163994B4A6B52EFD3C82077447CB2BBC20BA7EF12E95538397
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13097/50/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	jstrosch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-09 22:35:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ed7d6e1c-a5ef-450b-837c-54a6d70f27d5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/331497/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.24002.11987.25613.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %AppData% directory

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware shell32.dll

Link:

https://www.filescan.io/uploads/636c2aa082dd9f2e26533a00/reports/cef61480-e958-45d8-94cd-2cb6200e6dfb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Khalesi

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/95ce1b78-ded2-48ca-aada-5c5f41d19c79

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1108940

Signature

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e45e89d63f4a3f2091d7b1f5b2c331779c735cc45581b3f0d6f293e45fc45f1/

Threat name:

Win32.Trojan.Khalesi

Status:

Malicious

First seen:

2022-11-09 22:33:09 UTC

File Type:

PE (Exe)

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hzc6rhld6sr7eci5pmpvwlbtc544onomivmbwpynn4ut4rp4ixyq._file

Verdict:

malicious

173bc17148edeb750b8be58b2729f2149083acf4c0e1dd14e99b2de439fe3bed

1bf07f850e46c6caa0cf82d9a97733b4f10d4606112c6410dcaa7789b1f44401

2c3310a45db53d2bc092521b417c9434c919dce00876b386e39a5b7cffa3c58f

39e60dbcfa3401c2568f8ef27cf97a83d16fdbd43ecf61c3be565ee4e7b9092e

3c645242b178e6248f189ace55b2c3c0af905b5f35a0cc7d03600dd148ae915a

44cb5f67a1313320c87d07074faf1c5d98fb8e7731293558b03a834d4aac6511

bafe13e7940b35cf894aede68acc6159bd1264fb7c7cacaf30c29e2acf95f34d

c95291e964d00cce6654614e73ca2db6db981587be71b4b872d8df40b22addba

e916ceb1730c9a41ab832a0009cbcf419dbeb52642ee37b2828d347c753ff5fd

+ 15'368 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

collection discovery spyware stealer

Link:

https://tria.ge/reports/221109-2ghnsacfh4/

Behaviour

outlook_win_path

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

Program crash

Accesses Microsoft Outlook profiles

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fccb37c5-1e97-4099-88f0-f3e4079645bd

Unpacked files

SH256 hash:

3e45e89d63f4a3f2091d7b1f5b2c331779c735cc45581b3f0d6f293e45fc45f1

MD5 hash:

d879588b3878a138d84c21f9e6146f48

SHA1 hash:

5f64f9e6200115cdd6060d04b9a6fccd20ebcff4

Link:

https://www.unpac.me/results/14f8efbe-2aa8-421e-ae41-1a316d743d59/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e45e89d63f4a3f2091d7b1f5b2c331779c735cc45581b3f0d6f293e45fc45f1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 3e45e89d63f4a3f2091d7b1f5b2c331779c735cc45581b3f0d6f293e45fc45f1

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/331497/

URLhaus

https://urlhaus.abuse.ch/url/2406507/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample