MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e6471fe0cd370a3fa47ffa76664525b9e190aeadd9a0446f3f2647471be84e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e6471fe0cd370a3fa47ffa76664525b9e190aeadd9a0446f3f2647471be84e5
SHA3-384 hash: 046c4704e8374b170016fbbb31011b44361b88eec78264bfeb9427986c4fe6d86b16ffd4ea46366b2d2e9e7568ec7c1a
SHA1 hash: 6b58f77ef7ee340388452250d47adfc4eec3a3fa
MD5 hash: c446e68d647897db88a161289f4d4635
humanhash: tango-video-illinois-salami
File name:file
Download: download sample
File size:2'949'848 bytes
First seen:2022-10-28 20:58:05 UTC
Last seen:2022-10-29 04:54:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 49152:COPTF0v86Xcbox0yXFzs1IBXQAOxf1W+D0dqrL4PhruxVeIz9+Q0VTlxysk4OaJV:BPTF0vr9RXhTBbOB1Cy4PhceY9qTlxym
Threatray 2'983 similar samples on MalwareBazaar
TLSH T11FD533860B05D098E2B95139373234D8C4D175D7E08D602C366EDB0BAF3F7FA9A64E96
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc758682806_652712368?hash=SatqxpjY5ZPqBEcRFaUv6mwaoiL8x9B5FqfJi7LWyaX&dl=G42TQNRYGI4DANQ:1666989765:Abo4ZCFF397zM7QOvMfOpPPjTAAQHZzTfamm0mnAxO8&api=1&no_preview=1#555_1401

Intelligence

File Origin
# of uploads :
9
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-10-28 20:58:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3d378c6b-6152-4667-b3af-361c537248ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325647/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.21767.10155.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/635c4297a5db8d309cbbb5cb/reports/ed88ff47-7a1f-4948-a0d5-ac46e360d7ae/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ngrok-server
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8ca4b20c-2729-42d1-873c-8c7cbabd10ca
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
spyw
Score:
23 / 100
Link:
https://www.joesandbox.com/analysis/1100635
Signature
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 733296 Sample: file.exe Startdate: 28/10/2022 Architecture: WINDOWS Score: 23 6 file.exe 1 2->6         started        dnsIp3 14 youtube-ui.l.google.com 172.217.18.14, 443, 49692 GOOGLEUS United States 6->14 16 www.youtube.com 6->16 18 Tries to harvest and steal browser information (history, passwords, etc) 6->18 10 cmd.exe 1 6->10         started        signatures4 process5 process6 12 conhost.exe 10->12         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e6471fe0cd370a3fa47ffa76664525b9e190aeadd9a0446f3f2647471be84e5/
Threat name:
Win64.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2022-10-28 21:19:39 UTC
File Type:
PE+ (Exe)
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzshd7qm2nykh6sh76twmzcslopbscxk3wnairxt6jshi4n6qtsq._file
Verdict:
unknown
Similar samples:
0d6e6e8102cd0111c0707ab388eca547471562f6e9d67009588161ff908a107a
1180fe04ddcfbdbf01119558b96acb61e2767bc09edb48cc4f2cff37edeb627c
212033484641d51e968cecf3f8f2b7cf275f7c69e5c159093cecb73d07ddf1f3
346593feca8346078fc0d354e5533614e71b7147315e6ebdd3868f12a886303c
3561c1061b28eb2a567d63c11e6dc5241f2f0cbcda3f5d0c03652a42423c8865
57dcb664bd6a2ed66dc3baeabf7493788796028913f0ea4c2c98e2c99cd8dc46
6a4b9c18783615adb849fdf2951023243f4a7e70d050a912c9dfad60a537fe28
7d51d09df887d02efb0ad589d90fd45a5ca24b4554f4d80a7d58995e9022c44a
+ 2'973 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer upx
Link:
https://tria.ge/reports/221028-zsqgnafefr/
Behaviour
Suspicious use of WriteProcessMemory
Deletes itself
Reads user/profile data of web browsers
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2426cc14-4943-4a33-a7b7-1faeddbd92f0
Unpacked files
SH256 hash:
8d0dbb24b1f1fa29599c1135c9846cb2a0e691c3ca48604d63e1dea637504c2f
MD5 hash:
1a141782056e9b3bdd671b33098c6139
SHA1 hash:
9130baff23a11a9e60a47f8e1e98aec45f24ee05
Link:
https://www.unpac.me/results/eda026b8-3eee-4a51-b254-7eb85892a403/
SH256 hash:
3e6471fe0cd370a3fa47ffa76664525b9e190aeadd9a0446f3f2647471be84e5
MD5 hash:
c446e68d647897db88a161289f4d4635
SHA1 hash:
6b58f77ef7ee340388452250d47adfc4eec3a3fa
Link:
https://www.unpac.me/results/eda026b8-3eee-4a51-b254-7eb85892a403/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3e6471fe0cd370a3fa47ffa76664525b9e190aeadd9a0446f3f2647471be84e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/325647/

Comments