MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fa4786f54c609e7e5e88c79eb7f99e373964cb316189883b74eb15f428ee5c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LunaLogger

Vendor detections: 11

Intelligence 11 IOCs YARA 19 File information Comments

SHA256 hash:	3fa4786f54c609e7e5e88c79eb7f99e373964cb316189883b74eb15f428ee5c0
SHA3-384 hash:	dd3a227b78c2c1ba74731592989775226cd7f283a02e70ba8e6c20264ce85399f183e3c3ee193dee3f5ac782b9f71f1e
SHA1 hash:	b11bdad106223e222f4483c7e8317a7b58a0dbb1
MD5 hash:	05522ed977c613937fe6b9067abd8ca5
humanhash:	virginia-black-avocado-zebra
File name:	SecuriteInfo.com.Win64.Evo-gen.3508.11571
Download:	download sample
Signature	LunaLogger Create hunting rule
File size:	17'691'933 bytes
First seen:	2024-04-27 20:23:17 UTC
Last seen:	2024-04-27 21:16:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f4f2e2b03fe5666a721620fcea3aea9b (15 x BlankGrabber, 10 x PythonStealer, 6 x CrealStealer)
ssdeep	393216:Vv90+5gDTTh2Jp5MwurEUWjsrfT7E5PKk9buK+x:B9PkThidb8fT7bkEK+
TLSH	T12E0733D937A018A0F986503B956BC8019777FCB25798C35F0AF832A61F537E08D3AE65
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	SecuriteInfoCom
Tags:	exe LunaLogger

Intelligence

File Origin

# of uploads :

# of downloads :

333

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3fa4786f54c609e7e5e88c79eb7f99e373964cb316189883b74eb15f428ee5c0.exe

Verdict:

Malicious activity

Analysis date:

2024-04-27 20:24:51 UTC

Tags:

discord generic stealer python

Link:

https://app.any.run/tasks/254fdd51-46bb-4faf-b3fd-047178325c2f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Delayed reading of the file

Sending a custom TCP request

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

expand lolbin overlay packed

Link:

https://www.filescan.io/uploads/662d5ee654bafb7d21e1e628/reports/b2e989ae-8c1b-4043-aef7-3c200233175e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3fa4786f54c609e7e5e88c79eb7f99e373964cb316189883b74eb15f428ee5c0

Result

Verdict:

MALICIOUS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b2cabb88-ce76-4f44-abfb-16ce2b4cfee5

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3fa4786f54c609e7e5e88c79eb7f99e373964cb316189883b74eb15f428ee5c0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3fa4786f54c609e7e5e88c79eb7f99e373964cb316189883b74eb15f428ee5c0/

Threat name:

Win64.Trojan.Casdet

Status:

Malicious

First seen:

2024-04-27 20:24:10 UTC

File Type:

PE+ (Exe)

Extracted files:

1574

AV detection:

15 of 22 (68.18%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h6shq32uyye6pzpirr46w74z4nzzmtftcymjra5xj2yv6quo4xaa._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller spyware stealer upx

Link:

https://tria.ge/reports/240427-y6qtxagb3s/

Behaviour

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Unpacked files

SH256 hash:

3fa4786f54c609e7e5e88c79eb7f99e373964cb316189883b74eb15f428ee5c0

MD5 hash:

05522ed977c613937fe6b9067abd8ca5

SHA1 hash:

b11bdad106223e222f4483c7e8317a7b58a0dbb1

Detections:

PyInstaller

Link:

https://www.unpac.me/results/92bce267-40c4-4133-a3cf-f0e4e9cafd69/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3fa4786f54c6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3fa4786f54c609e7e5e88c79eb7f99e373964cb316189883b74eb15f428ee5c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	PyInstaller_Packed_April_2024 Create hunting rule
Author:	NDA0N
Description:	Detects files packed with PyInstaller

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (FORCE_INTEGRITY)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::RemoveDirectoryW KERNEL32.dll::SetDllDirectoryW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample