MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 545065c7cba4015f39989b316d3c7ec8997d5e5c31039fe696da3eaaf832c7c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	545065c7cba4015f39989b316d3c7ec8997d5e5c31039fe696da3eaaf832c7c9
SHA3-384 hash:	87c4c34a0e224d2013d8bc7f0ce3736200768473edb68fe7a952d167469a3f9596cd3a5a85434dd48c37d8996b2ccdfb
SHA1 hash:	8a36b0c2bba3ba15c97dd3a725d4fbba68b3bd15
MD5 hash:	2ae495e8c63c15c0305cdf8cfaeed244
humanhash:	nebraska-vermont-pasta-burger
File name:	2ae495e8c63c15c0305cdf8cfaeed244.exe
Download:	download sample
File size:	15'715'918 bytes
First seen:	2022-10-31 15:59:35 UTC
Last seen:	2022-10-31 18:19:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c37e09c5b0695a85a9bc5acc3c3be323
ssdeep	393216:wBFClEpWJKlh2pQtaL/dPG2yLTtPzVuoRR:wPClk+IQp1Je2yLTtPhuo
Threatray	229 similar samples on MalwareBazaar
TLSH	T124F6330066A146FFF97D503AD4B2890365FA35AF0B71C49BDA6012622F93BE67F34B50
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2ae495e8c63c15c0305cdf8cfaeed244.exe

Verdict:

No threats detected

Analysis date:

2022-10-31 16:00:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/91cfade0-ba6e-4c08-83c5-ec84c1b0ff53

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.13789.30694.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a file

DNS request

Sending a custom TCP request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/47040/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed python

Link:

https://www.filescan.io/uploads/635ff1099eb103bc04e51e5c/reports/0e0f014d-6373-4200-9ba7-9ba3f9f26f37/overview

Result

Verdict:

MALICIOUS

Malware family:

ElevenClock

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a55112f9-67a0-4706-8659-526b048ad9b0

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1101847

Signature

Contains functionality to infect the boot sector

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/545065c7cba4015f39989b316d3c7ec8997d5e5c31039fe696da3eaaf832c7c9/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-10-27 23:18:00 UTC

File Type:

PE+ (Exe)

Extracted files:

1375

AV detection:

3 of 26 (11.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kriglr6luqav6omytmyw2pd6zcmx2xs4gebz7zuw3i7kv6bsy7eq._file

Verdict:

malicious

63499ea2f5bb554931547eb8cda06ce7e862a0c81ab68ba42b71a722fa2fc853

996c4e5418405912b929e7916def0a6c0aaedf77065ec5725f4782b00fb1464e

af828a7abf4cb31d7e12b5a2e45e99e5009f3c9f5cefe0760fa0ab880f642794

b000ebdd1ec391024c2d6a953a56485a5460ca449b419bb2380f210620d72dae

b8e807fd68dc28227145b1fed9a72e925c24ab76495dce4733e9656740732b1b

bf6915895b1bc041c3f1b89467b9b293385a3837d4cc59ac8a8d32adb0742ebe

d18e18eeee28b729ec305ddbafd393f3b36a8e5d6a3ba66d8c6d0eb6a1a210d0

+ 219 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/221031-tfnjmsbdc2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Loads dropped DLL

Unpacked files

SH256 hash:

545065c7cba4015f39989b316d3c7ec8997d5e5c31039fe696da3eaaf832c7c9

MD5 hash:

2ae495e8c63c15c0305cdf8cfaeed244

SHA1 hash:

8a36b0c2bba3ba15c97dd3a725d4fbba68b3bd15

Link:

https://www.unpac.me/results/89dafb26-6f1f-4050-b659-80f7a6d2a305/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/545065c7cba4015f39989b316d3c7ec8997d5e5c31039fe696da3eaaf832c7c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample