MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4eda894346c802158cadd4483697103468467fffea120f578f8456981bc42fbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4eda894346c802158cadd4483697103468467fffea120f578f8456981bc42fbc
SHA3-384 hash: c55dcfaf5bd49095e64d9852995619a790c798168180271e96fc544183b61cdb8ca596dc37a9aa89cb835a01656ae211
SHA1 hash: cb9ce38c31c69d312fc75f2cd1f1dfe971ee51d8
MD5 hash: 375bbc45ef0707c32b8fef120a02c9a9
humanhash: sink-east-autumn-michigan
File name:Nitro-gen.exe
Download: download sample
File size:6'941'416 bytes
First seen:2021-10-21 23:29:15 UTC
Last seen:2021-10-22 01:16:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2cdcfb3a828433ba76b5b41f45519bd9 (2 x ROKRAT, 1 x IcedID)
ssdeep 196608:AMox7QICteEroXxWVfEqlbkkwR7VTEJZFAhk7RrNQsL:+QInEroXgfEqirRRoJZyi7Xp
Threatray 38 similar samples on MalwareBazaar
TLSH T17366330863500DECF1B20031A6A08535D13ABC724744D94B666CA7679FA7FE5BEBBF84
File icon (PE):PE icon
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Nitro-gen.exe
Verdict:
No threats detected
Analysis date:
2021-10-21 23:29:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/55600f16-6be1-4f4e-acef-5f4a3d028f13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PyInstaller
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199217/
Detection(s):
SecuriteInfo.com.Python.Stealer.137.19059.20611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Deleting a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed python
Link:
https://www.filescan.io/uploads/6171f7fcdb358dd15ed0bf9f/reports/427bf7df-8909-4e0e-8552-87ec3d04a4b3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GetYourFilesBack Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f563605a-1b1a-4ac5-a7d9-4a11d82a1986
Result
Threat name:
Discord Token Grabber
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/874931
Signature
Connects to a pastebin service (likely for C&C)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Discord Token Grabber
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4eda894346c802158cadd4483697103468467fffea120f578f8456981bc42fbc/
Threat name:
Win64.Infostealer.Disco
Create hunting rule
Status:
Malicious
First seen:
2021-10-20 10:56:36 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
053e7603d2776f39c17d74cd5a095d2fa4727ce019cb91274c135be4b9732358
622fb838298b78969dfbe0d1ff0c2fcea071b77e9a30332805a532683a039570
6239fb903c570cff86d4a21391c9a012dd27016243cc5ba67b3c93828a8badd4
8d11da2582a4e82ff7ca02288211613a1f7326b7426eb245138a1160e3dddfb4
8f8efcd4031721a458abbf5a0e164eb9d318fe8f5a16c5d1a174e13125128539
a11e597e813bde2241d999f3c2aa8fdecc7f1131507e4aa5fba6ba82dbd75459
b371f1cb76629e00e4cd545187ea722a7e5e98ac10ef5ff35495499136ed28cd
e18efb7cff387e8b7ab7e7882841d21e5d6c3e9bddaa289a30315a54352bc39a
e8f57a83f154fb0c67f6064d3dc6914ad4278e5f79d054ec66c3b8383aeb5b5e
ed3588a0ea55834f7964684d9b97f05a70aea91fbc9eb4f1c5d0a1248acc7fbf
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/211021-3g6ahsahf6/
Behaviour
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
4eda894346c802158cadd4483697103468467fffea120f578f8456981bc42fbc
MD5 hash:
375bbc45ef0707c32b8fef120a02c9a9
SHA1 hash:
cb9ce38c31c69d312fc75f2cd1f1dfe971ee51d8
Link:
https://www.unpac.me/results/a32daa88-8557-43bc-aae7-d48fa0851441/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4eda894346c802158cadd4483697103468467fffea120f578f8456981bc42fbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4eda894346c802158cadd4483697103468467fffea120f578f8456981bc42fbc

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/199217/

Comments