MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53e891f9b9098e2f7f29c3129ff55d16faa213ac9d07efbb5443d0d42809adf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53e891f9b9098e2f7f29c3129ff55d16faa213ac9d07efbb5443d0d42809adf2
SHA3-384 hash: 98003226b4126ec0d8c8a15a3b4549195dff416db6c7273cbca140fba286695fd2e6c6cd81e0a49de2e9138fd5c36a79
SHA1 hash: 366de59ddda44aef246e4e61a06682af15852214
MD5 hash: 1c2d00ad527ad7a0d3165c78e6a42cdf
humanhash: seven-oranges-cold-july
File name:CAMSCANNER-2023.07.11.exe
Download: download sample
File size:87'040 bytes
First seen:2023-07-11 13:36:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:sTdw6Mf5lpZBYkDkhEzF3sydyc4F9nY++cuq/x8ir0ct41qyfZbdTsUXU8wU2gud:QdFS5lKStmFpJJ/xvr0cSPTdYNj11z
Threatray 682 similar samples on MalwareBazaar
TLSH T1F2837B04BF8CC667CA6C497890E315110374EDF67212F3CBADC4B6ADE95BBD0A604A97
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon fce0d0c0c0ccf030 (5 x Formbook)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CAMSCANNER-2023.07.11.exe
Verdict:
Malicious activity
Analysis date:
2023-07-11 13:37:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c0421eab-005b-4503-8c93-65b68a547b1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/415754/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.29380.29285.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Reading critical registry keys
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/64ad5afe6e9f7019de9f3775/reports/31521e95-830a-4207-8dd5-b002b5e53b2c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/53e891f9b9098e2f7f29c3129ff55d16faa213ac9d07efbb5443d0d42809adf2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed71d3ad-15cd-4853-a7f3-e20e5c9600af
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1270928
Signature
.NET source code contains potential unpacker
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Deletes itself after installation
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1270928 Sample: CAMSCANNER-2023.07.11.exe Startdate: 11/07/2023 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for submitted file 2->68 70 Sigma detected: Set autostart key via New-ItemProperty Cmdlet 2->70 72 .NET source code contains potential unpacker 2->72 74 Uses dynamic DNS services 2->74 8 CAMSCANNER-2023.07.11.exe 15 5 2->8         started        13 Onlyxwfsz.exe 4 2->13         started        15 Onlyxwfsz.exe 14 5 2->15         started        process3 dnsIp4 64 files.catbox.moe 108.181.20.35, 443, 49691, 49695 ASN852CA Canada 8->64 66 192.168.2.1 unknown unknown 8->66 50 C:\Users\user\AppData\Roaming\Onlyxwfsz.exe, PE32+ 8->50 dropped 52 C:\Users\...\Onlyxwfsz.exe:Zone.Identifier, ASCII 8->52 dropped 54 C:\Users\...\CAMSCANNER-2023.07.11.exe.log, ASCII 8->54 dropped 90 Modifies the context of a thread in another process (thread injection) 8->90 92 Injects a PE file into a foreign processes 8->92 17 CAMSCANNER-2023.07.11.exe 8 8->17         started        21 Onlyxwfsz.exe 13->21         started        94 Multi AV Scanner detection for dropped file 15->94 23 Onlyxwfsz.exe 15->23         started        file5 signatures6 process7 dnsIp8 56 purenew.duckdns.org 194.59.31.150, 2028, 49697, 49698 COMBAHTONcombahtonGmbHDE Germany 17->56 58 229.116.3.0.in-addr.arpa 17->58 76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->76 78 Tries to steal Mail credentials (via file / registry access) 17->78 80 Tries to harvest and steal Bitcoin Wallet information 17->80 25 powershell.exe 17->25         started        28 powershell.exe 17->28         started        60 229.116.3.0.in-addr.arpa 21->60 82 Tries to harvest and steal browser information (history, passwords, etc) 21->82 30 powershell.exe 21->30         started        32 powershell.exe 21->32         started        62 229.116.3.0.in-addr.arpa 23->62 34 powershell.exe 23->34         started        36 powershell.exe 23->36         started        signatures9 process10 signatures11 84 Creates autostart registry keys with suspicious names 25->84 86 Creates multiple autostart registry keys 25->86 38 conhost.exe 25->38         started        88 Deletes itself after installation 28->88 40 conhost.exe 28->40         started        42 conhost.exe 30->42         started        44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 conhost.exe 36->48         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53e891f9b9098e2f7f29c3129ff55d16faa213ac9d07efbb5443d0d42809adf2/
Threat name:
Win64.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-11 13:37:04 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
20
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kpujd6nzbghc67zjymjj75k5c35kee5mtud67o2uipinikajvxza._file
Verdict:
malicious
Similar samples:
05c4f71a5caa0ed6809fdfa57b44836f5ee6408d73f6b97cd9a751b696091101
379d1597e3930745f2652d746d6671a801390d86e16c8694e0ff46132d915aba
389a7b386cf1cb266462813f116b66c1e01fea86116a9c9c9630c890418fb2f1
4a269414d116334ba8837a573d824a3ff46c3b7d274b7b8e3c3ffd688a2e3729
4e1e9baa83e4e1f612490a1348ba9d6aa431563ad96320705d3ea886a8ede4e9
5732c82b705016d7bf79058f82f45b01d18d2986fbc8454deeb2894da020a519
66ec3c9fb1339c6925fb508c17190aa7869e24b149abcedd771aa53ea9de27fa
bcf619de91d54b32858baabce229d3073a02f0f090c9190c5e80cd8f74d82561
cffee94b2fed3ea5bf85eb7bab308ac9488d1ed882c02787ee318760b1a90350
+ 672 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/230711-qwsxhshc96/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
53e891f9b9098e2f7f29c3129ff55d16faa213ac9d07efbb5443d0d42809adf2
MD5 hash:
1c2d00ad527ad7a0d3165c78e6a42cdf
SHA1 hash:
366de59ddda44aef246e4e61a06682af15852214
Link:
https://www.unpac.me/results/12d2d8f7-8e5c-4a8d-ad52-42485cf49361/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 53e891f9b9098e2f7f29c3129ff55d16faa213ac9d07efbb5443d0d42809adf2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/415754/

Comments