MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e99779daa53bffef62592a796d7fdc620ba3edc4f397d92343d3b89cb3a5e1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	4e99779daa53bffef62592a796d7fdc620ba3edc4f397d92343d3b89cb3a5e1a
SHA3-384 hash:	043f59a9e71c0e6a3333f31f130013604781c99cda3ad6dcbac8061a1fa1e9bd4b4342831ced25c9c3ae1846d41720f4
SHA1 hash:	01fdadc371bb2ca7585770763d7d8fad466e51a1
MD5 hash:	017f5780b4b0e6d97fb6f581ec3df8cb
humanhash:	maryland-nineteen-triple-autumn
File name:	017f5780b4b0e6d97fb6f581ec3df8cb.exe
Download:	download sample
File size:	6'724'096 bytes
First seen:	2023-07-20 06:58:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ea2d297e3bd3b5b7def0556d0ff46651 (1 x AsyncRAT, 1 x LummaStealer, 1 x RedLineStealer)
ssdeep	196608:XPnQG14cH4xvtSsUEFXYjFxQzNhHR//9QK:XPfbYKsTxYjPQzjHc
Threatray	2 similar samples on MalwareBazaar
TLSH	T18766231239C08036DB7330334665E3BA46BEF8B41B2515DF17D81ABA1F746C26B3A65B
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

017f5780b4b0e6d97fb6f581ec3df8cb.exe

Verdict:

Malicious activity

Analysis date:

2023-07-20 07:01:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b852a0e9-eff5-4922-a847-e42e016f2bfb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/425779/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.1930.31026.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control greyware lolbin packed

Link:

https://www.filescan.io/uploads/64b8db38f52c3e1a014aa8a5/reports/89b29cb7-9237-4fc0-b004-c50beae31bd1/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4e99779daa53bffef62592a796d7fdc620ba3edc4f397d92343d3b89cb3a5e1a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/75b7a36c-0858-4764-806a-91899e7bbaae

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1276486

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e99779daa53bffef62592a796d7fdc620ba3edc4f397d92343d3b89cb3a5e1a/

Threat name:

Win32.Trojan.Smokeloader

Status:

Suspicious

First seen:

2023-07-20 01:57:10 UTC

File Type:

PE (Exe)

AV detection:

19 of 25 (76.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j2mxphnkko7755rfsktznv75yyqlupw4j44x3eruhu5ytsz2lyna._file

Verdict:

unknown

9abf9cd94bb4fbbbbb189d3e318d45dd6042532c7f73c6a4a920c1a256ecc09f

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230720-hr3l6adh2s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

d7808e1cb1c02680e24980130816cabace6e60a2a16523c93d9669bfb921f7e6

MD5 hash:

ed347ff465ef04b6c3bffa4ca881a13a

SHA1 hash:

d819f29d3724a554827132b9720065dfd2b2508a

Link:

https://www.unpac.me/results/e14e3070-c855-4c06-8ed2-2cbbde16b082/

SH256 hash:

4e99779daa53bffef62592a796d7fdc620ba3edc4f397d92343d3b89cb3a5e1a

MD5 hash:

017f5780b4b0e6d97fb6f581ec3df8cb

SHA1 hash:

01fdadc371bb2ca7585770763d7d8fad466e51a1

Link:

https://www.unpac.me/results/e14e3070-c855-4c06-8ed2-2cbbde16b082/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4e99779daa53/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4e99779daa53bffef62592a796d7fdc620ba3edc4f397d92343d3b89cb3a5e1a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/425779/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample