MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Expiro


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83
SHA3-384 hash: 87cc69c08dfa61036774bbd2b729d75357c81c5e18f467b21c228531d7b4db4118fb019a85c53b647f737d1744ce3b2d
SHA1 hash: 71c988096ffbe3e4b6d9976fee29427c9bdbf23f
MD5 hash: c12317b003ebc503c85bab87c2104120
humanhash: ceiling-nevada-pip-angel
File name:PO_2024_056209_MQ04865_ENQ_1045.exe
Download: download sample
Signature Expiro
Create hunting rule
File size:1'442'304 bytes
First seen:2024-12-31 08:03:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:K5h0WNJ6H+ZIxFu1Zv4bteRJ9or8SM9UuoPzKn6St0KPLbQebMxQqjts19g:WrK+Zkbt6J9ooSxuow6aJMepQODg
TLSH T1556533CDECA7A111CA8C6F7AC863085441F09767F062F20908A69D799F99BE447EFD13
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 70b269e8cccccc28 (2 x RemcosRAT, 1 x Expiro, 1 x Formbook)
Reporter Anonymous
Tags:exe Expiro

Intelligence

File Origin
# of uploads :
1
# of downloads :
422
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_2024_056209_MQ04865_ENQ_1045.exe
Verdict:
Malicious activity
Analysis date:
2024-12-31 08:14:11 UTC
Tags:
evasion snake keylogger m0yv stealer
Link:
https://app.any.run/tasks/a6dcb856-1898-4946-bcc6-bb516732b814

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.2156.2197.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6773a57474a2bd296e24b5f8
Tags:
autorun micro shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Creating a file
Modifying an executable file
Launching a service
Searching for synchronization primitives
Modifying a system executable file
Creating a file in the Windows subdirectories
Connection attempt to an infection source
Loading a system driver
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Modifying a system file
Unauthorized injection to a recently created process
Enabling autorun for a service
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Infecting executable files
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Labled as:
Trojan.Mailer.GenericS
Link:
https://www.hybrid-analysis.com/sample/5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5faa5f5f-dd02-4792-9ad0-3314ef3f5603
Result
Threat name:
MassLogger RAT, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1582674
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates files in the system32 config directory
Drops executable to a common third party application directory
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes data at the end of the disk (often used by bootkits to hide malicious code)
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1582674 Sample: PO_2024_056209_MQ04865_ENQ_... Startdate: 31/12/2024 Architecture: WINDOWS Score: 100 102 reallyfreegeoip.org 2->102 104 ww7.przvgke.biz 2->104 106 35 other IPs or domains 2->106 120 Suricata IDS alerts for network traffic 2->120 122 Found malware configuration 2->122 124 Malicious sample detected (through community Yara rule) 2->124 128 20 other signatures 2->128 10 alg.exe 2->10         started        15 PO_2024_056209_MQ04865_ENQ_1045.exe 7 2->15         started        17 zeXKjViL.exe 2->17         started        19 8 other processes 2->19 signatures3 126 Tries to detect the country of the analysis system (by using the IP) 102->126 process4 dnsIp5 110 yunalwv.biz 208.117.43.225, 49853, 49916, 80 STEADFASTUS United States 10->110 112 przvgke.biz 72.52.178.23, 49746, 49757, 49827 LIQUIDWEBUS United States 10->112 114 13 other IPs or domains 10->114 84 C:\Program Files\...\updater.exe, PE32+ 10->84 dropped 86 C:\Program Files\...\private_browsing.exe, PE32+ 10->86 dropped 88 C:\Program Files\...\plugin-container.exe, PE32+ 10->88 dropped 98 120 other malicious files 10->98 dropped 148 Creates files in the system32 config directory 10->148 150 Writes data at the end of the disk (often used by bootkits to hide malicious code) 10->150 152 Drops executable to a common third party application directory 10->152 154 Infects executable files (exe, dll, sys, html) 10->154 90 C:\Users\user\AppData\Roaming\zeXKjViL.exe, PE32 15->90 dropped 92 C:\Users\...\zeXKjViL.exe:Zone.Identifier, ASCII 15->92 dropped 100 2 other malicious files 15->100 dropped 156 Uses schtasks.exe or at.exe to add and modify task schedules 15->156 158 Adds a directory exclusion to Windows Defender 15->158 21 PO_2024_056209_MQ04865_ENQ_1045.exe 6 15->21         started        26 powershell.exe 23 15->26         started        28 powershell.exe 23 15->28         started        30 schtasks.exe 1 15->30         started        94 C:\Users\user\AppData\Local\...\tmp6E4E.tmp, XML 17->94 dropped 96 C:\Users\user\AppData\...\zeXKjViL.exe.log, ASCII 17->96 dropped 32 schtasks.exe 17->32         started        34 zeXKjViL.exe 17->34         started        36 zeXKjViL.exe 17->36         started        160 Contains functionality to behave differently if execute on a Russian/Kazak computer 19->160 162 Found direct / indirect Syscall (likely to bypass EDR) 19->162 file6 signatures7 process8 dnsIp9 108 cvgrf.biz 54.244.188.177, 49738, 49739, 49744 AMAZON-02US United States 21->108 64 C:\Windows\System32\alg.exe, PE32+ 21->64 dropped 66 C:\Windows\System32\FXSSVC.exe, PE32+ 21->66 dropped 68 DiagnosticsHub.Sta...llector.Service.exe, PE32+ 21->68 dropped 76 5 other malicious files 21->76 dropped 132 Writes data at the end of the disk (often used by bootkits to hide malicious code) 21->132 134 Drops executable to a common third party application directory 21->134 136 Infects executable files (exe, dll, sys, html) 21->136 38 Trading_AIBot.exe 21->38         started        42 Microsofts.exe 21->42         started        70 C:\...\__PSScriptPolicyTest_zccguk4f.xmq.ps1, ASCII 26->70 dropped 78 4 other malicious files 26->78 dropped 138 Loading BitLocker PowerShell Module 26->138 45 conhost.exe 26->45         started        72 C:\...\__PSScriptPolicyTest_xvfd5szs.lt0.psm1, ASCII 28->72 dropped 74 C:\...\__PSScriptPolicyTest_xbjhbjfb.ggs.ps1, ASCII 28->74 dropped 80 2 other malicious files 28->80 dropped 47 conhost.exe 28->47         started        49 conhost.exe 30->49         started        51 conhost.exe 32->51         started        file10 signatures11 process12 dnsIp13 82 C:\Users\user\AppData\Roaming\...\apihost.exe, PE32 38->82 dropped 140 Drops large PE files 38->140 142 Adds a directory exclusion to Windows Defender 38->142 53 powershell.exe 38->53         started        56 schtasks.exe 38->56         started        58 apihost.exe 38->58         started        116 checkip.dyndns.com 132.226.8.169, 49741, 80 UTMEMUS United States 42->116 118 reallyfreegeoip.org 188.114.96.3, 443, 49752 CLOUDFLARENETUS European Union 42->118 144 Tries to steal Mail credentials (via file / registry access) 42->144 146 Tries to harvest and steal browser information (history, passwords, etc) 42->146 file14 signatures15 process16 signatures17 130 Loading BitLocker PowerShell Module 53->130 60 conhost.exe 53->60         started        62 conhost.exe 56->62         started        process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83/
Threat name:
Win32.Trojan.Mailer
Create hunting rule
Status:
Malicious
First seen:
2024-12-31 08:04:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=krkimlxea2o7huqfq5r2xdmoagv3iekomkhtemcyc7zr6cwr72bq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
snakekeylogger
Create hunting rule
asyncrat
Create hunting rule
expiro
Create hunting rule
Similar samples:
error
Expiro
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution spyware stealer
Link:
https://tria.ge/reports/241231-jx9hbssjfl/
Behaviour
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/99d38e4e-3168-453c-b990-2736fcbbf86c
Unpacked files
SH256 hash:
f19763b48b2d2cc92e61127dd0b29760a1c630f03ad7f5055fd1ed9c7d439428
MD5 hash:
e91a1db64f5262a633465a0aaff7a0b0
SHA1 hash:
396e954077d21e94b7c20f7afa22a76c0ed522d0
Link:
https://www.unpac.me/results/0c7cebc8-1064-4d78-945d-886b90b97192/
SH256 hash:
23a4e2d452bf1307a330cf0ae85084b977fb23cb45de559d0a198d0854419a88
MD5 hash:
10bab11261baa5225d02b21a74bf5aef
SHA1 hash:
f825ff549c7037ee9ed84f7d847ca3e6cff29424
Detections:
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/0c7cebc8-1064-4d78-945d-886b90b97192/
Parent samples :
5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83
cb45d6a207ad4218619ad1b7e1001b55201894ef21f717588e5f3df5122c0583
SH256 hash:
dc74c7f0d7231921462b9e3aae4ba45259ae9aca83c58f0518710153517babdf
MD5 hash:
fa62a6039e6efc9e3a1d9d3c2daf191d
SHA1 hash:
c82d6db86baf81d84b58620c79f24281413bec90
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0c7cebc8-1064-4d78-945d-886b90b97192/
SH256 hash:
c6bafe73d265549c6a1e3acc40832b353afa3da6ed9fcfcb29a1b9a0ab295873
MD5 hash:
82c10f642acffece8950e5b00b7c95a8
SHA1 hash:
734cfec8a3d3ae46e05e1bb658e06a640efbc777
Link:
https://www.unpac.me/results/0c7cebc8-1064-4d78-945d-886b90b97192/
SH256 hash:
5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83
MD5 hash:
c12317b003ebc503c85bab87c2104120
SHA1 hash:
71c988096ffbe3e4b6d9976fee29427c9bdbf23f
Link:
https://www.unpac.me/results/0c7cebc8-1064-4d78-945d-886b90b97192/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5454862ee406/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments