MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d
SHA3-384 hash:	97c9466a2f752e79b8034c1aaaece2c43b48d16e2d719e8fff9b2eab8cd020263cf9555ebc162d7863e8ba91d040c24f
SHA1 hash:	0fdf2377bb4b6bf058f3d648cd97d7dbb34456ba
MD5 hash:	3ae9787299f45788e9e215934a4f97a6
humanhash:	magnesium-arizona-freddie-monkey
File name:	3ae9787299f45788e9e215934a4f97a6.bin
Download:	download sample
File size:	7'669'760 bytes
First seen:	2024-07-23 16:22:39 UTC
Last seen:	2024-07-23 17:21:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e3a85b65b6302d84664aac8f0facbb52 (3 x PythonStealer)
ssdeep	49152:WYHLfeAj9MkLX2dC95cN3r3L5F1pShji3S5pY/iZGtvjsnp0So3xp3Z7DMNgAsS4:WYuTbLidCZ3jACaNmi13HvHI9wS
Threatray	29 similar samples on MalwareBazaar
TLSH	T175769D7BB7A9926AC25E813FC0F38F40E53372352B33C5D7429505258B86AD49E3F6A1
TrID	77.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 14.1% (.EXE) Win64 Executable (generic) (10523/12/4) 2.7% (.EXE) OS/2 Executable (generic) (2029/13) 2.6% (.EXE) Generic Win/DOS Executable (2002/3) 2.6% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	a2551525951329c2
Reporter	abuse_ch
Tags:	bin exe

Intelligence

File Origin

# of uploads :

# of downloads :

366

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Python.Agent.17594.10128.UNOFFICIAL

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=669fd8e9a97e13ad9de79025

Tags:

Stealth Heur

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

embarcadero_delphi fingerprint keylogger masquerade

Link:

https://www.filescan.io/uploads/669fd8f3a537d9330be25567/reports/ac996a60-751b-4af6-b60e-dace21bb2efc/overview

Verdict:

Malicious

Labled as:

Trojan/PWSX

Link:

https://www.hybrid-analysis.com/sample/569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ba087733-ba47-40bb-8134-584caf0f8b40

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1479540

Signature

AI detected suspicious sample

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Score:

61%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k2nmgl3jejj3rk37iep6za7td3i7ppsavroeaj7udjmaop7prv6q._file

Verdict:

unknown

66282239297c60bad7eeae274e8a2916ce95afeb932d3be64bb615ea2be1e07a

78e9f4dd5d71ae80d1e1e6d7cccb425a6a9dbdfdaad58c0d46c4a94045f002f5

a6f6175998e96fcecad5f9b3746db5ced144ae97c017ad98b2caa9d0be8a3cb5

e24c311a64f57fd16ffc98f339d5d537c16851dc54d7bb3db8778c26ccb5f2d1

fef3e39ab2f0bf91171d7adb203f38ab38b3d8e50a5b6b36f2a6e2de2ce43f7b

+ 19 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240723-tvsrxa1gqb/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/349c3b90-bcec-4b93-969d-a34d403d2839

Unpacked files

SH256 hash:

569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d

MD5 hash:

3ae9787299f45788e9e215934a4f97a6

SHA1 hash:

0fdf2377bb4b6bf058f3d648cd97d7dbb34456ba

Link:

https://www.unpac.me/results/d11dc57b-58ac-44de-b749-50a679f56f10/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
MULTIMEDIA_API	Can Play Multimedia	gdi32.dll::StretchDIBits
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryW kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoW kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileW kernel32.dll::GetFileAttributesW kernel32.dll::FindFirstFileW version.dll::GetFileVersionInfoSizeW version.dll::GetFileVersionInfoW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegConnectRegistryW advapi32.dll::RegCreateKeyExW advapi32.dll::RegDeleteKeyW advapi32.dll::RegLoadKeyW advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryInfoKeyW
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::EmptyClipboard user32.dll::FindWindowExW user32.dll::FindWindowW user32.dll::OpenClipboard

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample