MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41b17b6cb357f4df76f67cb22fada9ece9ea1e981807a5ae859b2ab59d975735. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41b17b6cb357f4df76f67cb22fada9ece9ea1e981807a5ae859b2ab59d975735
SHA3-384 hash: c7bf0fff8e061613c029b26ae8c864a27c10825357fb0d485591ba42cea7688b9425c6c6e79e7f1b9cae1f488bfc5d5f
SHA1 hash: 5dc9d9f8dba8b802ac74d68d9601303d31d51d88
MD5 hash: 6feb8a80f84403fc92af947c8f3204c7
humanhash: cola-michigan-monkey-utah
File name:file
Download: download sample
File size:2'762'072 bytes
First seen:2023-09-15 16:06:32 UTC
Last seen:2023-09-15 16:43:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e744e739eeab312fc7533618533b13e4
ssdeep 49152:d47Nlau359JvDrTvEbzTpzw0AKy5Qhc7DwPUtCAs0FpifSXWg:deNlau3nJzqzemsCN0e8
Threatray 327 similar samples on MalwareBazaar
TLSH T1D5D58A102E7E8425F462863C492C9577D9BBBBDCBB1F449722B4263B1B23780992D773
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70e0f8fc9c9af870 (1 x ArkeiStealer, 1 x Rhadamanthys, 1 x SystemBC)
Reporter jstrosch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2023-09-15 16:07:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/051a29b4-3a68-4dbc-8d00-224f4c043664

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448886/
Detection(s):
SecuriteInfo.com.FileRepMalware.15114.45.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm control crypto dotnet explorer greyware keylogger lolbin lolbin mshtml msiexec overlay packed packed remote replace rundll32 shell32
Link:
https://www.filescan.io/uploads/6504812c49c6a4ce497b7eb0/reports/c50d67f6-a3b4-4c30-a345-d607bb572d94/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/41b17b6cb357f4df76f67cb22fada9ece9ea1e981807a5ae859b2ab59d975735
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ade94b02-0601-400c-8065-46836f751a55
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1309089
Signature
Antivirus detection for dropped file
Contains functionality to modify clipboard data
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1309089 Sample: file.exe Startdate: 15/09/2023 Architecture: WINDOWS Score: 84 46 Antivirus detection for dropped file 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Machine Learning detection for dropped file 2->52 7 file.exe 4 2->7         started        11 nvidia_updater.exe 2 2->11         started        process3 dnsIp4 36 artic.edu 198.40.30.252, 443, 49716, 49725 THE-ART-INSTUS United States 7->36 38 ipv4.imgur.map.fastly.net 146.75.28.193, 443, 49718 SCCGOVUS Sweden 7->38 44 3 other IPs or domains 7->44 54 Contains functionality to modify clipboard data 7->54 56 Maps a DLL or memory area into another process 7->56 13 cmd.exe 5 7->13         started        40 13.225.214.128, 443, 49726 AMAZON-02US United States 11->40 42 www.artic.edu 11->42 17 cmd.exe 11->17         started        signatures5 process6 file7 28 C:\Users\user\AppData\Local\Temp\oyepaw, PE32 13->28 dropped 58 Writes to foreign memory regions 13->58 60 Found hidden mapped module (file has been removed from disk) 13->60 19 file.exe 6 13->19         started        22 conhost.exe 13->22         started        30 C:\Users\user\AppData\Local\Temp\kmewmxa, PE32 17->30 dropped 24 nvidia_updater.exe 6 17->24         started        26 conhost.exe 17->26         started        signatures8 process9 dnsIp10 32 t.me 149.154.167.99, 443, 49735, 49737 TELEGRAMRU United Kingdom 19->32 34 91.103.252.176, 45247, 49736, 49738 HOSTGLOBALPLUS-ASRU Russian Federation 19->34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41b17b6cb357f4df76f67cb22fada9ece9ea1e981807a5ae859b2ab59d975735/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-13 21:57:44 UTC
File Type:
PE (Exe)
Extracted files:
206
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=igyxw3ftk72n65xwpszc7lnj5tu6uhuydad2lluftmvllhmxk42q._file
Verdict:
malicious
Similar samples:
044fd4b9787d109ad1dad51d8858dd6834d261dcd0bdc88567078de1818fec3a
3c645242b178e6248f189ace55b2c3c0af905b5f35a0cc7d03600dd148ae915a
44cb5f67a1313320c87d07074faf1c5d98fb8e7731293558b03a834d4aac6511
591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1
68c1f88ca465c2a423a823c58fa157936edbbe9583ccfb6f4276a51f98921691
9aa5d19ccf5e211cfaf74b1bdbd2de4540db796062b2486786d22b8680bbfdb2
af04ee03d69a7962fa5350d0df00fafc4ae85a07dff32f99f0d8d63900a47466
c30dcc5778a3244a322b3683c05c0b93380bf3bf02d2db8cd102e282b6889f77
fb651d07bc1ee0b1676123399c358c9f3a276448b4938b46cfd2b9b701956913
fce1030962997ccaf65a9ac2fcb94e4f834ff6f9b007f757773202a0ebdc5ebb
+ 317 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230915-tkm4nsdd3t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
41b17b6cb357f4df76f67cb22fada9ece9ea1e981807a5ae859b2ab59d975735
MD5 hash:
6feb8a80f84403fc92af947c8f3204c7
SHA1 hash:
5dc9d9f8dba8b802ac74d68d9601303d31d51d88
Link:
https://www.unpac.me/results/aa7f5b3d-a3bf-4db5-a6e4-816ed309604a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41b17b6cb357f4df76f67cb22fada9ece9ea1e981807a5ae859b2ab59d975735

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 41b17b6cb357f4df76f67cb22fada9ece9ea1e981807a5ae859b2ab59d975735

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2710934/
Cape
Cape
https://www.capesandbox.com/analysis/448886/

Comments