MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50606b38ed6452d7a22a857f30b4f05e0d4b24351b838e346f2e1b603f03004a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: 50606b38ed6452d7a22a857f30b4f05e0d4b24351b838e346f2e1b603f03004a
SHA3-384 hash: e79339d4546e7a88f2c090a9a97863621525e2a5293373df3c1a16e40da10b988ac958c7b850e93762b6076ecbe5962c
SHA1 hash: 9c7206147911cbf9333605f5a9471255cf3a6be4
MD5 hash: 39f1366b2e64639a419d43c656bd7d4b
humanhash: kansas-hamper-lake-four
File name: Nexty 1.2.2.exe
File size: 69'184'786 bytes
First seen: 2024-01-29 13:51:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:JrziNx5qwFpB8KBeBDOiR3hpVTBxdfqXFLWxixdM1iei1s9DC7:kx5qwLADPR7VtxNqXFLWxAM1ir1a27
TLSH T1CCE733D3BEDA8067ED0479FA6B805CA06D0D341086357B63E156385F1833DC6EA6B27B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter e24111111111111
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
302
Origin country :
GR
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
78%
Tags:
installer lolbin masquerade overlay packed shell32
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.spyw
Score:
72 / 100
Signature
Antivirus detection for URL or domain
Drops large PE files
Drops PE files to the startup folder
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Behavior Graph ID: 1382716
Sample: Nexty_1.2.2.exe
Start date: 29/01/2024
Architecture: WINDOWS
Score: 72
Contacted hosts:
api.gofile.io (151.80.29.83:443, OVHFR, Italy)
vendanetbr.com (154.56.48.197:443, COGENT-174US, United States)
discord.com (162.159.138.232:443, CLOUDFLARENETUS, United States)
chrome.cloudflare-dns.com (162.159.61.3:443, CLOUDFLARENETUS, United States)
Process tree:
Nexty_1.2.2.exe
  drops: C:\Users\user\AppData\Local\...\Nexty.exe (PE32+), C:\Users\user\AppData\Local\...\nsis7z.dll (PE32), C:\Users\user\AppData\Local\...\System.dll (PE32), 12 other files (none is malicious)
  signatures: Drops large PE files
  Nexty.exe
    contacts: api.gofile.io, vendanetbr.com, discord.com
    drops: C:\Users\user\AppData\Roaming\...\Nexty.exe (PE32+), C:\Users\user\AppData\Local\...\webdata.db (SQLite), C:\Users\user\AppData\Local\...\passwords.db (SQLite), 2 other files (none is malicious)
    signatures: Drops PE files to the startup folder, Tries to harvest and steal browser information (history, passwords, etc), Drops large PE files
    Nexty.exe (contacts chrome.cloudflare-dns.com)
    cmd.exe -> powershell.exe, conhost.exe
    cmd.exe -> powershell.exe, conhost.exe
    4 other processes -> mshta.exe, tasklist.exe, tasklist.exe, 3 other processes
Nexty.exe (second instance started separately)
Graph-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
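The file hashes listed at the top of this entry and the hosts contacted in the sandbox run can be swept for locally with the following script. It is an added example, not code from MalwareBazaar or from the sample's vendors: the log lines it scans are constructed here, and the split into strong and weak network indicators is this editor's assumption (api.gofile.io and discord.com are public services that also get abused for exfiltration, so a match on them alone proves nothing; chrome.cloudflare-dns.com is Chrome's own DoH resolver and is excluded).

```python
import hashlib
import re

# File hashes as listed on this MalwareBazaar entry (SHA256 / SHA3-384 / SHA1 / MD5).
FILE_HASHES = {
    "sha256": "50606b38ed6452d7a22a857f30b4f05e0d4b24351b838e346f2e1b603f03004a",
    "sha3_384": "e79339d4546e7a88f2c090a9a97863621525e2a5293373df3c1a16e40da10b988ac958c7b850e93762b6076ecbe5962c",
    "sha1": "9c7206147911cbf9333605f5a9471255cf3a6be4",
    "md5": "39f1366b2e64639a419d43c656bd7d4b",
}

# Network indicators from the sandbox report. The strong/weak split is an assumption
# made in this example: vendanetbr.com is not a well-known service, whereas
# api.gofile.io and discord.com are public platforms, so a hit on those (or on their
# shared CDN/hosting IPs) needs correlation with the process before it means anything.
STRONG_DOMAINS = {"vendanetbr.com"}
STRONG_IPS = {"154.56.48.197"}
WEAK_DOMAINS = {"api.gofile.io", "discord.com"}
WEAK_IPS = {"151.80.29.83", "162.159.138.232"}


def hash_chunks(chunks):
    """Compute all four digests in a single pass over an iterable of byte chunks."""
    hashers = {name: hashlib.new(name) for name in FILE_HASHES}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, chunk_size=1 << 20):
    """Stream the file (the real sample is ~69 MB) instead of reading it whole."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(chunk_size), b""))


def match_hashes(digests):
    """Names of the algorithms whose digest equals the value on this entry."""
    return {name for name, d in digests.items() if d == FILE_HASHES.get(name)}


# Constructed key=value log lines (not real telemetry) for the network sweep.
SAMPLE_LOG = """\
2024-01-29T13:55:01Z host=WS01 query=www.example.com type=A
2024-01-29T13:55:03Z host=WS01 query=vendanetbr.com type=A
2024-01-29T13:55:04Z host=WS01 dst=154.56.48.197 dport=443 proto=tcp
2024-01-29T13:55:05Z host=WS02 query=discord.com type=A
2024-01-29T13:55:06Z host=WS01 dst=151.80.29.83 dport=443 proto=tcp
"""

# Fields that carry a hostname or address in the constructed log format.
FIELD_RE = re.compile(r"\b(?:query|dst|domain|ip)=([A-Za-z0-9.\-]+)")


def scan_log_lines(lines):
    """Return (severity, indicator, line) for every indicator found in the lines."""
    hits = []
    for line in lines:
        for value in FIELD_RE.findall(line):
            v = value.lower().rstrip(".")
            if v in STRONG_DOMAINS or v in STRONG_IPS:
                hits.append(("strong", v, line))
            elif v in WEAK_DOMAINS or v in WEAK_IPS:
                hits.append(("weak", v, line))
    return hits


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, match_hashes(hash_file(path)) or "no hash match")
    for severity, indicator, line in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"{severity:6} {indicator:18} {line}")
```

A hash match on any one algorithm identifies this exact file; the imphash, ssdeep and TLSH values on the entry are for finding related builds and need the pefile, ssdeep and tlsh packages, which this example deliberately avoids so it runs with the standard library alone.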
Threat name:
Win32.Trojan.Malgent
Status:
Malicious
First seen:
2024-01-23 13:57:02 UTC
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
An obfuscated cmd.exe command-line is typically used to evade detection.
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
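The behaviours reported above (executes a dropped EXE, drops a startup file, reads browser profile data, enumerates processes with tasklist) are individually common in legitimate installers; what makes them worth an alert is their combination within one process lineage. The script below is an added example and not any vendor's detection logic or the Sigma rule named on this entry: it runs four correlation rules over a constructed, Sysmon-like event list whose PIDs, temp-folder names and order are invented for illustration. The Chrome "Login Data" file and the per-user Start Menu Startup folder are real Windows paths; everything else is assumed.

```python
import ntpath

# Constructed Sysmon-style events (invented PIDs and paths) mirroring the reported
# behaviours: the installer drops an EXE, the dropped EXE persists in the Startup
# folder, reads a browser credential store, and runs tasklist through cmd.exe.
EVENTS = [
    {"type": "file_create", "pid": 100,
     "image": r"C:\Users\user\Downloads\Nexty 1.2.2.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\nsa1B2C.tmp\Nexty.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Users\user\AppData\Local\Temp\nsa1B2C.tmp\Nexty.exe",
     "cmdline": "Nexty.exe"},
    {"type": "file_create", "pid": 200,
     "image": r"C:\Users\user\AppData\Local\Temp\nsa1B2C.tmp\Nexty.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexty.exe"},
    {"type": "file_read", "pid": 200,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c tasklist /fo csv"},
    {"type": "process_create", "pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /fo csv"},
    # Benign admin use of tasklist outside the dropped-EXE lineage: must not alert.
    {"type": "process_create", "pid": 500, "ppid": 1,
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
]

STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
PE_EXTENSIONS = (".exe", ".dll", ".scr")   # extension is a proxy; check the MZ header in production
# Credential/profile stores of Chromium-based browsers and Firefox.
BROWSER_CRED_STORES = {"login data", "web data", "logins.json", "key4.db"}
RECON_TOOLS = {"tasklist.exe", "whoami.exe", "systeminfo.exe"}


def detect(events):
    """Apply four correlation rules in event order; returns (rule, pid, detail) tuples."""
    alerts = []
    dropped = {}      # lower-cased path of every file written -> writer pid
    lineage = set()   # pids of executed dropped files plus their descendants
    for ev in events:
        if ev["type"] == "file_create":
            target = ev["target"].lower()
            dropped[target] = ev["pid"]
            # Rule: PE written into the per-user Startup folder (persistence).
            if STARTUP_FRAGMENT in target and target.endswith(PE_EXTENSIONS):
                alerts.append(("startup_pe_drop", ev["pid"], ev["target"]))
        elif ev["type"] == "process_create":
            image = ev["image"].lower()
            # Rule: the new process image is a file an earlier process wrote.
            if image in dropped:
                alerts.append(("dropped_exe_executed", ev["pid"], ev["image"]))
                lineage.add(ev["pid"])
            if ev.get("ppid") in lineage:
                lineage.add(ev["pid"])
            # Rule: host reconnaissance tool launched from the dropped-EXE lineage.
            if ntpath.basename(image) in RECON_TOOLS and ev["pid"] in lineage:
                alerts.append(("recon_from_dropped_exe", ev["pid"], ev["cmdline"]))
        elif ev["type"] == "file_read":
            # Rule: read of a browser credential store.
            if ntpath.basename(ev["target"].lower()) in BROWSER_CRED_STORES:
                alerts.append(("browser_credential_read", ev["pid"], ev["target"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

On the constructed events the lineage tracking is what separates the tasklist run spawned via cmd.exe from the dropped Nexty.exe (alert) from the unrelated tasklist run under PID 500 (no alert); a rule on tasklist.exe alone would fire on every help-desk session.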
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 50606b38ed6452d7a22a857f30b4f05e0d4b24351b838e346f2e1b603f03004a (this sample)

Comments