MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a2708b03dc190d7a2bb26c5ebcbd380ddc2d21f5bd8991be7f581d8b8e79737. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a2708b03dc190d7a2bb26c5ebcbd380ddc2d21f5bd8991be7f581d8b8e79737
SHA3-384 hash: 836f80aab3f60402bbda8c7443d6a8698a819c8b0091df0055fea11308c60bade24ea06e102d3a0ca4b1b5ec80bd3c37
SHA1 hash: 693768f6d5e89df228e315c8c909bd0456e1d503
MD5 hash: ab6c035049f56e6e93ed8a4192663c25
humanhash: jupiter-michigan-stairway-purple
File name:ab6c035049f56e6e93ed8a4192663c25.exe
Download: download sample
File size:2'838'422 bytes
First seen:2021-05-30 06:21:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 49152:65+hFWIXbvIlj5A6xXrK/TU0wlLKDWYeswKPu2/mNMxiz8lVHTIioOFZQ+D:65aFlbvIfLxXeS6jeswKGQmexiqZ7D
Threatray 194 similar samples on MalwareBazaar
TLSH B2D533317BD550FAC86B3E704C58EB614AAAEF642B1995CBEA713902BD444C0DFBE0D1
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab6c035049f56e6e93ed8a4192663c25.exe
Verdict:
No threats detected
Analysis date:
2021-05-30 06:23:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5f751506-ebab-4182-bf35-01589df571a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163239/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Enabling the 'hidden' option for files in the %temp% directory
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file
Deleting a recently created file
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Stealing user critical data
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/794340
Signature
Contains functionality to register a low level keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 426736 Sample: VPRUA2eO6t.exe Startdate: 30/05/2021 Architecture: WINDOWS Score: 72 48 Multi AV Scanner detection for domain / URL 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Machine Learning detection for dropped file 2->52 9 VPRUA2eO6t.exe 7 2->9         started        process3 file4 34 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 9->34 dropped 36 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 9->36 dropped 54 Contains functionality to register a low level keyboard hook 9->54 13 cmd.exe 2 9->13         started        signatures5 process6 process7 15 OHPnEaFpaP.exe 14 25 13->15         started        19 7z.exe 2 13->19         started        22 7z.exe 2 13->22         started        24 11 other processes 13->24 dnsIp8 38 apocalypsee.fun 185.10.68.108, 49727, 80 FLOKINETSC Seychelles 15->38 40 ip-api.com 208.95.112.1, 49726, 80 TUT-ASUS United States 15->40 42 3 other IPs or domains 15->42 44 May check the online IP address of the machine 15->44 46 Tries to harvest and steal browser information (history, passwords, etc) 15->46 32 C:\Users\user\AppData\...\OHPnEaFpaP.exe, PE32 19->32 dropped 26 cmd.exe 1 22->26         started        file9 signatures10 process11 process12 28 conhost.exe 26->28         started        30 choice.exe 1 26->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a2708b03dc190d7a2bb26c5ebcbd380ddc2d21f5bd8991be7f581d8b8e79737/
Threat name:
Win32.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-05-29 17:29:49 UTC
AV detection:
8 of 47 (17.02%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
06607b04da0cd27e4a7abff3df7ee0be86df8226e81a5706351526a3101d2aa2
3688975dcd3f7829cfe55f7dd46166e0d6bd46c842c169c9fb4adb317f1d571f
73188b6122dcf35a0d26fedf3679c9713e6f21ccf78499d8788ed39feb7fdb4a
79638b28279f6fc16f4d3a24a73ac67a405aa548aa09d6ca09f485b8e7e13901
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
df116f3585f1fe4b00c351a2941f6b85565e1fcc6da5569c6f7c80ddd1b4e2a8
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
f6e01e745aac03b46befca8daff61626ab55cbabbef93e31c2c3b01928f9c756
+ 184 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210530-x7sgpfw4p2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a2708b03dc190d7a2bb26c5ebcbd380ddc2d21f5bd8991be7f581d8b8e79737

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4a2708b03dc190d7a2bb26c5ebcbd380ddc2d21f5bd8991be7f581d8b8e79737

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1288365/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/163239/

Comments