MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4db9a09c601209baf38c40a4347c1d73fc3907d11133696cf2c6332bb42be6f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mispadu

Vendor detections: 13

Intelligence 13 IOCs YARA 15 File information Comments

SHA256 hash:	4db9a09c601209baf38c40a4347c1d73fc3907d11133696cf2c6332bb42be6f6
SHA3-384 hash:	f0453c483ad52ef9a453ea5066708837f767d046cd6a0902b20aee335b71da60c93504387755205bbc7894fa24a1bbfb
SHA1 hash:	aacb88c9e27ddf96b348d679a01644f3b01d1cb0
MD5 hash:	8eb63115083f508f70dc4161983e5d67
humanhash:	arkansas-rugby-don-oklahoma
File name:	zu01.dll
Download:	download sample
Signature	Mispadu Create hunting rule
File size:	6'268'416 bytes
First seen:	2023-11-10 15:12:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e3bd87be67cd52cc55889c46604dcafe (3 x Mispadu)
ssdeep	98304:koO7KtDcE19x6OILIdb5s5FUcybUqcnqKcqKkadYB5:0KtD5m7nBcBkadYr
TLSH	T1E456AF23B288553BD0671F3A58279694993F7B202A25DC8F7BFC098C4F376406E26797
TrID	47.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 26.4% (.EXE) Inno Setup installer (109740/4/30) 10.3% (.EXE) InstallShield setup (43053/19/16) 10.0% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 2.5% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):
dhash icon	225690a6242c0215 (3 x Mispadu)
Reporter	0xToxin
Tags:	exe Mispadu Ursa

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

Vendor Threat Intelligence

Detection(s):

Win.Tool.WebBrowserPassView-9831120-0

Win.Tool.WebBrowserPassView-9831121-0

Win.Tool.WebBrowserPassView-9831122-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Searching for the window

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm apt babyshark control dllhost evasive explorer fingerprint greyware keylogger lolbin masquerade packed rat remote replace stealer threat virus

Link:

https://www.filescan.io/uploads/654e487f993fbf888b6e6819/reports/b48390d9-7ec4-412f-b97c-35cb975a28d4/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/4db9a09c601209baf38c40a4347c1d73fc3907d11133696cf2c6332bb42be6f6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mispadu

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/43f475d2-05cb-4b80-a625-bb5662768218

Result

Threat name:

MailPassView

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1340730

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses Windows timers to delay execution

Yara detected MailPassView

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4db9a09c601209baf38c40a4347c1d73fc3907d11133696cf2c6332bb42be6f6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4db9a09c601209baf38c40a4347c1d73fc3907d11133696cf2c6332bb42be6f6/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-11-10 15:13:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jw42bhdacie3v44micsdi7a5op6dsb6rcezws3hsyyzsxnbl433a._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/231110-slq2aahd8x/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Unpacked files

SH256 hash:

f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

MD5 hash:

053778713819beab3df309df472787cd

SHA1 hash:

99c7b5827df89b4fafc2b565abed97c58a3c65b8

Link:

https://www.unpac.me/results/1e783b80-1d03-4ccc-8cfd-344aedaad45d/

SH256 hash:

400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342

MD5 hash:

54e8ded7b148a13d3363ac7b33f6eb06

SHA1 hash:

63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9

Link:

https://www.unpac.me/results/1e783b80-1d03-4ccc-8cfd-344aedaad45d/

Parent samples :

e6b3160e17f1c4c0ce9136d7e19089f9e7e759bbd2989c27f8eb6083a627bfb9
c0498d7a70e78c236241d0e91b3bb599c1961ea62a10bd76a16fe7b18824f646
c2d23332a28fd0f2f0b404e53d9820ba0f5f8070043cfa0b2fbb18a4a33466b6

SH256 hash:

4db9a09c601209baf38c40a4347c1d73fc3907d11133696cf2c6332bb42be6f6

MD5 hash:

8eb63115083f508f70dc4161983e5d67

SHA1 hash:

aacb88c9e27ddf96b348d679a01644f3b01d1cb0

Link:

https://www.unpac.me/results/1e783b80-1d03-4ccc-8cfd-344aedaad45d/

Malware family:

MailPassView

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4db9a09c6012/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4db9a09c601209baf38c40a4347c1d73fc3907d11133696cf2c6332bb42be6f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_DustSquad_PE_Nov19_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Bolonyokte Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	UnknownDotNet RAT - Bolonyokte

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CMD_Shutdown Create hunting rule
Author:	adm1n_usa32

Rule name:	davivienda Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample