MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47ee7c873ff6ad620d68f6bd92cbd41ae0194c446720228f805f3487192dd909. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 47ee7c873ff6ad620d68f6bd92cbd41ae0194c446720228f805f3487192dd909
SHA3-384 hash: 6624473374ebf1bfc9872f8ec7b74c6ed66c53050781233d0a97327c8b2b365e715f8fc4c545edf1ededa63bd1465bb6
SHA1 hash: afc838d54e58bd456e4e371e44f3b7b572f951d9
MD5 hash: 8af8b50b111cfe0c605ffbf197f53c9c
humanhash: glucose-river-bulldog-mexico
File name: 47ee7c873ff6ad620d68f6bd92cbd41ae0194c446720228f805f3487192dd909
File size: 39'424 bytes
First seen: 2022-02-28 07:47:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7045005ef4130348fa4cbfc30a6f9d04 (1 x LimeRAT, 1 x MimiKatz, 1 x DiskWriter)
ssdeep: 768:cCQqKpiV8puATpBoRQ0CtfcJ5j5wZUnzm3qzGEIuDvdvBycL:cCIpYoBoRAcJ5jKqpzG7uJpyc
Threatray: 1'272 similar samples on MalwareBazaar
TLSH: T1C003E1BB612CF8FDE73927359A230248FF97782295098B4F548C2037ADB7A955F30660
Reporter: struppigel
Tags: batch batch2exe cordimik DiscordTokenStealer exe Python

Intelligence


File Origin
# of uploads: 1
# of downloads: 234
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: ammyy packed remoteadmin shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 80 / 100
Signature
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Check external IP via Powershell
Sigma detected: Suspicious Script Execution From Temp Folder
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph (ID 579646, sample DuThJ88QX1, start date 28/02/2022, architecture WINDOWS, score 80)

Signatures on the sample: Multi AV Scanner detection for submitted file; Sigma detected: Check external IP via Powershell; Machine Learning detection for sample; 2 other signatures

Process tree recovered from the graph:
DuThJ88QX1.exe
    dropped: C:\Users\user\AppData\Local\...\Token.bat (ASCII)
    cmd.exe
        dropped: C:\Users\user\AppData\Local\Temp\bnt.ps1 (ASCII)
        signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        cmd.exe
            signature: Uses ping.exe to sleep
            PING.EXE
                network: 192.168.2.3, ports 137, 138, 443 (unknown, unknown)
            findstr.exe
        cmd.exe
            powershell.exe
                network: api.ipify.org.herokudns.com 52.20.78.240, ports 49740, 80 (AMAZON-AESUS, United States); api.ipify.org
                signature: May check the online IP address of the machine
        powershell.exe
        3 other processes
            network: discord.com 162.159.136.232, ports 443, 49739, 49745 (CLOUDFLARENETUS, United States)
    conhost.exe
Threat name: Win64.Infostealer.Disco
Status: Malicious
First seen: 2022-02-28 03:12:58 UTC
File Type: PE+ (Exe)
Extracted files: 5
AV detection: 10 of 42 (23.81%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: upx
Behaviour
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Blocklisted process makes network request
Malware Config
Dropper Extraction: https://discord.com/api/webhooks/947523898352763001/gIjqjRvqoxzCBCvDzpPxPasv0cyqXR86gT3F-m2J9Jygqi1mA3x5pl_OEYm5QkgHToePoo
Unpacked files
SHA256 hash: 47ee7c873ff6ad620d68f6bd92cbd41ae0194c446720228f805f3487192dd909
MD5 hash: 8af8b50b111cfe0c605ffbf197f53c9c
SHA1 hash: afc838d54e58bd456e4e371e44f3b7b572f951d9
Please note that we are no longer able to provide a coverage score for Virus Total.
