MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f299a38f6196d2df259cd0b626e204fb81f5d33de5ec78d4bd7bae131ccb9d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 3f299a38f6196d2df259cd0b626e204fb81f5d33de5ec78d4bd7bae131ccb9d4
SHA3-384 hash: 38a7205790998057eddb653862a85e0352d2ddf4bea32f4399444a5b28d94e2febe977638f9373184e9ed281eda8c8c3
SHA1 hash: 3ffa6c671ce32d5818cd6f552145652eeb4ab410
MD5 hash: 19d22f176eec093d2ce313e3e0def5b7
humanhash: bulldog-autumn-alaska-grey
File name: 19d22f176eec093d2ce313e3e0def5b7
Download: download sample
File size: 2'146'789 bytes
First seen: 2021-07-06 07:16:59 UTC
Last seen: 2021-07-06 07:50:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 49152:9qe3f6R5G57Y7ZI8vFKqIZC1ncC/vGW07cDq:MSiR5G5kNvFfjnre
Threatray: 24 similar samples on MalwareBazaar
TLSH: 8FA5CF3BB368E53EC4AA0B3245B39350597BBA65B81ACC1E47F0090DCF265E11E3B657
Reporter: zbetcheckin
Tags: 32 exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 109
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 19d22f176eec093d2ce313e3e0def5b7
Verdict: Suspicious activity
Analysis date: 2021-07-06 07:19:10 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: suspicious
Classification: troj.spyw.evad
Score: 32 / 100
Signature:
Creates files with lurking names (e.g. Crack.exe)
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (ID 444526; sample j2uhH8k28Z; start date 06/07/2021; architecture WINDOWS; score 32):
Sample-level signatures: Multi AV Scanner detection for submitted file; NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
j2uhH8k28Z.exe started; dropped C:\Users\user\AppData\...\j2uhH8k28Z.tmp (PE32) and started j2uhH8k28Z.tmp
j2uhH8k28Z.tmp contacted 92.63.100.2 (ports 49716, 49724, 80; THEFIRST-ASRU, Russian Federation); dropped C:\Program Files (x86)\...\tap0901.sys (PE32+, listed twice), C:\Program Files (x86)\...\ssh-keygen.exe (PE32+) and 82 other files (none is malicious); signatures: Creates files with lurking names (e.g. Crack.exe), Tries to harvest and steal browser information (history, passwords, etc), Sample is not signed and drops a device driver; started VC_redist.x64.exe
VC_redist.x64.exe (started both from the sample directly and from j2uhH8k28Z.tmp) spawned further VC_redist.x64.exe instances and dropped C:\Windows\Temp\...\VC_redist.x64.exe (PE32), C:\Windows\Temp\...\wixstdba.dll (PE32) and C:\ProgramData\...\VC_redist.x64.exe (PE32)
Threat name: Win32.Infostealer.Generic
Status: Suspicious
First seen: 2021-07-05 01:03:00 UTC
AV detection: 8 of 46 (17.39%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour:
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: 3a1f7819402704397072699b5e46fe67b262d636d997d49564c1e8d9dfb70fd7
MD5 hash: d5bb32ba40606f3287fb36c9a3458465
SHA1 hash: 4cebada14015d8ff11fea8c3ed71928dfa3190d2

SHA256 hash: 3f299a38f6196d2df259cd0b626e204fb81f5d33de5ec78d4bd7bae131ccb9d4
MD5 hash: 19d22f176eec093d2ce313e3e0def5b7
SHA1 hash: 3ffa6c671ce32d5818cd6f552145652eeb4ab410
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download: Executable exe 3f299a38f6196d2df259cd0b626e204fb81f5d33de5ec78d4bd7bae131ccb9d4 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-07-06 07:16:59 UTC

url : hxxps://shadow-vpn.com/download/ShadowVPN.exe