MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5585750ed182014fa4e52414ff733348ddd324f22f8ca2b476460273cba3d133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5585750ed182014fa4e52414ff733348ddd324f22f8ca2b476460273cba3d133
SHA3-384 hash: 4f1edb7d284c5263c43f179254ac10e82abd903f01cb7173eba8370713a9755b59202cecff446450227f10dfd154463d
SHA1 hash: 83130d95220bc2ede8645ea1ca4ce9afc4593196
MD5 hash: e00cb21590e1d0cb89eeb16897be82e7
humanhash: queen-massachusetts-july-snake
File name:e00cb21590e1d0cb89eeb16897be82e7
Download: download sample
File size:13'945'911 bytes
First seen:2023-01-24 18:24:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a6cec5b1a631d592d80900ab7e1de8df (3 x IRCbot, 3 x CobaltStrike, 3 x RedLineStealer)
ssdeep 393216:YxEt9c5hlERzlh2pMMRFJzFcguLEA1AuGO2b:YAEhkhQpMqGNC
Threatray 276 similar samples on MalwareBazaar
TLSH T152E63329A2100CDAF875A43AC47BE1214571F50E5F40D20FABA826F75F97BD4AFB9360
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://www.moongallery.com.tw/upload/py.exe
Verdict:
No threats detected
Analysis date:
2023-01-24 12:07:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a5cfd374-396f-48e4-b412-50a0f309eff7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W64.S-f7bcf467.Eldorado.13723.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62818/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed python
Link:
https://www.filescan.io/uploads/63d0227f447edb203a00a833/reports/4f6e38cf-deae-4143-942f-eb159b6a058f/overview
Result
Verdict:
MALICIOUS
Malware family:
ElevenClock
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/85029055-a947-4ef4-ba34-d77ff94570c9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1158202
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5585750ed182014fa4e52414ff733348ddd324f22f8ca2b476460273cba3d133/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-24 15:11:19 UTC
File Type:
PE+ (Exe)
Extracted files:
1433
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwcxkdwrqiau7jhfeqkp64ztjdo5gjhsf6gkfndwiybhhs5d2ezq._file
Verdict:
malicious
Similar samples:
02bcec1a52dfab672277e65d9b7713543a62d4c27bddb20c9152b3b35c79e62a
08da286f669199a5c2b131f66614bbb3718b159e48885f4a2b1c9af718256dd0
2e3cdb3559db5119f449f279fe3e839fb7783d25b860a4c679d782f58eb106ef
30b39abec09a0975936b022b05e4a8b6e2fe34cb52c533a1fdfb2f9832152b74
4c3e6e0a44cec929b36ea43075ddb2d952c8fe7c19ee1b61de1e4f5b896a2147
80b90b4b0df36a34d6acc85eda876fa45e400b8450b1000a629d02bb21e03f45
b71c27f07c3367ed0733d3bfc17eec9d101a955cf1f8af003ed8977584778d87
d1833d29e63b708289b27d78dbe7604f2a072f2fa853121e29ca13428d81e35e
de6705a5123be501fd35e7025b439b07fb0f43227b0bf071ff2167927a418da9
ec5ab723a255e763e9c87a23d44794b70108b988c7053432177d5dadafd7e645
+ 266 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/230124-w2lnaaef5w/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Unpacked files
SH256 hash:
5585750ed182014fa4e52414ff733348ddd324f22f8ca2b476460273cba3d133
MD5 hash:
e00cb21590e1d0cb89eeb16897be82e7
SHA1 hash:
83130d95220bc2ede8645ea1ca4ce9afc4593196
Link:
https://www.unpac.me/results/6a4f5478-a016-4c85-9c8e-f82d7cc73d76/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5585750ed182014fa4e52414ff733348ddd324f22f8ca2b476460273cba3d133

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5585750ed182014fa4e52414ff733348ddd324f22f8ca2b476460273cba3d133

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2517399/

Comments


Avatar
zbet commented on 2023-01-24 18:24:22 UTC

url : hxxp://www.holybaby.com.tw/api/ms.exe