MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e03b2deef682173ffa436566ddf905dbff708ed61a911ce5dd97a47e0a98362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	4e03b2deef682173ffa436566ddf905dbff708ed61a911ce5dd97a47e0a98362
SHA3-384 hash:	d4a5ec8640938704a34e1ff57cb2e49145c7ae214625ef248986639631103bc03255f58f0d531c513ed80b1dc49973d7
SHA1 hash:	f2b10b8623fab5d7abdbeb937ebecce115844364
MD5 hash:	e0c94096a841d09bbf41410d185df572
humanhash:	white-fillet-robert-bakerloo
File name:	file
Download:	download sample
File size:	2'525'400 bytes
First seen:	2022-11-26 20:09:04 UTC
Last seen:	2022-11-27 12:41:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2fc7821fade06f95eaa02aadc204dcd9
ssdeep	49152:KPC6I2sVv0WT95RXVkEhk+Ml2lfN57A6Wjaf6kRd8GvMY5c7cDXgJzAV/3:uC6IrVv0WT95rkv9l2BNI7kn8GvZc7c9
Threatray	25 similar samples on MalwareBazaar
TLSH	T107C58C58EA0380BED82315F1067BF7FF9530563548A08C5BEA8CDD74AE729A2532971F
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10523/12/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	andretavare5
Tags:	exe

andretavare5

Sample downloaded from https://vk.com/doc760750097_656916091?hash=oB00h88XCF6aq7mHUs4FicoJymVwXePdqkoTqO6ZYGw&dl=G43DANZVGAYDSNY:1669492796:WqrtUahaxwIHzBWBKZy8i0ZRcJOdkpGyFpowyhJY1Ic&api=1&no_preview=1#daf2

Intelligence

File Origin

# of uploads :

527

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Suspicious activity

Analysis date:

2022-11-26 20:10:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0b87eb36-6e53-44d5-98cc-e51b30bd9775

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/338855/

Detection(s):

SecuriteInfo.com.Win32.SpywareX-gen.6694.27501.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Changing a file

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug hacktool overlay packed

Link:

https://www.filescan.io/uploads/6382729b559d07a06f47a16b/reports/b73def71-fd20-4d73-bd79-04dafad34385/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/52c42a82-77c5-4f7b-b062-5a4b539a8ef0

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1121694

Signature

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e03b2deef682173ffa436566ddf905dbff708ed61a911ce5dd97a47e0a98362/

Threat name:

Win32.Trojan.BebraStealer

Status:

Malicious

First seen:

2022-11-26 20:10:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jyb3fxxpnaqxh75egzlg3x4qlw77ochnmgurdts53f5epyfjqnra._file

Verdict:

malicious

6485a029e9a15283f4834f89dfbbd87b19a77629a9a7eba0fd6639562e11208b

84565046d0a0bf9a0bc5576da0e9569012388a196c85156eaae28539bf4063b4

8e1e08c92f3a7abd76de079490335c47cbaedfc3f7895d9e03305ff45cef2eb0

93c37274d14ecdf415aaeed8516bcb3486b68173a97525d4936f94685011e870

a964be69ae3a3b5aa6b824909ea7d3a65e3b6230aba8d5199dfca82284029b72

d53858652b5a1d5c9b30f70f85db725b10494564bf08136cd8afdc7f7788f2bc

fc708c22acda37fb50cea6d603cb794852d8311349970461b178ff66dedccc0b

+ 15 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/221126-yxn9qaee7t/

Behaviour

Reads user/profile data of web browsers

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3f6f4fda-71af-4473-bf7a-658e78f92c7a

Unpacked files

SH256 hash:

4e03b2deef682173ffa436566ddf905dbff708ed61a911ce5dd97a47e0a98362

MD5 hash:

e0c94096a841d09bbf41410d185df572

SHA1 hash:

f2b10b8623fab5d7abdbeb937ebecce115844364

Link:

https://www.unpac.me/results/d33709cc-fc2f-4263-9811-71e030fb89b8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.49

Link:

https://yomi.yoroi.company/submissions/4e03b2deef682173ffa436566ddf905dbff708ed61a911ce5dd97a47e0a98362

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/338855/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample