MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53e3745ca6205148ae25709bd6c96773dd9b7b886eda41ca2d5b0e7eb9dcabcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	53e3745ca6205148ae25709bd6c96773dd9b7b886eda41ca2d5b0e7eb9dcabcb
SHA3-384 hash:	076dcd30f232967b7a07d73f843d044fff7b060bae4aa9da75b6afe824c67ea93617b6f77d055e11b40263ff2d0994ae
SHA1 hash:	88eb0c1e25543cd5ea92fc2fa1038a71e9c59dfa
MD5 hash:	d45d997ca4eb28adddd640a025d7856a
humanhash:	april-johnny-mike-alaska
File name:	file
Download:	download sample
File size:	5'320'704 bytes
First seen:	2022-09-21 18:19:35 UTC
Last seen:	2022-09-24 01:12:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep	98304:uOc3t3ljiaQB3iwsAjQdFxXrN4K5y8gtRRg+cKVJqRqgvt9Rmvo:uOelmp34dFBfJvVKVJqRqdvo
TLSH	T1C136338F3BE7759CDA3B2B71D9C4DBC12842AFFAA48086867CC2691168D370C6E51F15
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	exe

andretavare5

Sample downloaded from http://45.155.165.132/ec5be/b269a.exe

Intelligence

File Origin

# of uploads :

# of downloads :

364

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-09-21 18:20:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/36317fc6-dc45-484d-971c-64c9931f2cc8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/312114/

Detection(s):

SecuriteInfo.com.Heuristic.HEUR.AGEN.1216915.32214.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Creating a file in the system32 subdirectories

Creating a file

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/632b55dfe64c53f047fb4548/reports/3ec8e5a3-1b94-4dfc-9736-07e937d235fb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/171cfa03-87f2-48d6-8b64-1f9fc66e516c

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1074812

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/53e3745ca6205148ae25709bd6c96773dd9b7b886eda41ca2d5b0e7eb9dcabcb/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2022-09-21 18:20:29 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kprxixfgebiurlrfocn5nslhopozw64in3nedsrnlmhh5oo4vpfq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer upx

Link:

https://tria.ge/reports/220921-wyrecsghb4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

UPX packed file

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/cdfd5679-87e6-4883-97e8-bf99d3f50455

Unpacked files

SH256 hash:

ad707b42b19587ad31a72799e5479479856cbb7448a9cda0213b06c138c79dee

MD5 hash:

f979554425386518d03f1889923ea82b

SHA1 hash:

1c9212e09ed460b61fba2101c9a6fc35a241ae93

Link:

https://www.unpac.me/results/8c762ba1-c987-42e6-8006-a818db694687/

SH256 hash:

53e3745ca6205148ae25709bd6c96773dd9b7b886eda41ca2d5b0e7eb9dcabcb

MD5 hash:

d45d997ca4eb28adddd640a025d7856a

SHA1 hash:

88eb0c1e25543cd5ea92fc2fa1038a71e9c59dfa

Link:

https://www.unpac.me/results/8c762ba1-c987-42e6-8006-a818db694687/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/53e3745ca6205148ae25709bd6c96773dd9b7b886eda41ca2d5b0e7eb9dcabcb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/312114/

URLhaus

https://urlhaus.abuse.ch/url/2309304/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample