MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57af616ef689e2003eb380a6b802453804cbdc0fd2f7ee29069ed983a7052a8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57af616ef689e2003eb380a6b802453804cbdc0fd2f7ee29069ed983a7052a8b
SHA3-384 hash: 86f76dc5b2b8ea52e539dcb8d99f67cc3736867d11c6355ffc697e5d1d06eba210639f20b1b6e3e1a9c6a778a88a340d
SHA1 hash: 896e656a0f9c58a4dd02dbfd569716656d0c9156
MD5 hash: 0b731ecd61cbe95cee04719b0d7189b1
humanhash: jig-juliet-zebra-september
File name:thwit4.exe
Download: download sample
File size:20'420'781 bytes
First seen:2023-08-20 21:28:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba5546933531fafa869b1f86a4e2a959 (10 x DCRat, 3 x RedLineStealer, 2 x RemcosRAT)
ssdeep 393216:RdPigVb3qnIuZLUeIL8ij1eMZdyp7T7MVmD8BPzMqlkL2V76m3c/ewoRJk/:nigNYIuZLUeIvjkU87bMbzkyV7VuMQ/
Threatray 87 similar samples on MalwareBazaar
TLSH T1F227330422040482FEA94536D4E1E17D9FFA2C62034EF65B83B0D6DA1F636E79D77B62
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter ULTRAFRAUD
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
AT AT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
thwit4.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-20 21:33:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1f640a46-e38b-4144-9b35-1906b2274299

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.29467.15994.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a file
Launching a process
Creating a window
Сreating synchronization primitives
Running batch commands
Gathering data
Verdict:
Suspicious
Labled as:
Trojan.Shelm
Link:
https://www.hybrid-analysis.com/sample/57af616ef689e2003eb380a6b802453804cbdc0fd2f7ee29069ed983a7052a8b
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1294189
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Hides user accounts
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1294189 Sample: thwit4.exe Startdate: 20/08/2023 Architecture: WINDOWS Score: 80 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 Contains functionality to hide user accounts 2->53 8 thwit4.exe 54 2->8         started        12 msiexec.exe 2->12         started        process3 file4 41 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 8->41 dropped 43 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 8->43 dropped 45 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 8->45 dropped 47 48 other files (none is malicious) 8->47 dropped 59 Uses cmd line tools excessively to alter registry or file data 8->59 61 Bypasses PowerShell execution policy 8->61 63 Modifies the windows firewall 8->63 14 thwit4.exe 3 8->14         started        17 conhost.exe 8->17         started        signatures5 process6 signatures7 67 Uses cmd line tools excessively to alter registry or file data 14->67 19 cmd.exe 1 14->19         started        22 cmd.exe 1 2 14->22         started        24 cmd.exe 1 14->24         started        26 11 other processes 14->26 process8 signatures9 55 Uses cmd line tools excessively to alter registry or file data 19->55 28 reg.exe 1 1 19->28         started        57 Uses netsh to modify the Windows network and firewall settings 22->57 31 netsh.exe 76 6 24->31         started        33 netsh.exe 3 26->33         started        35 netsh.exe 3 26->35         started        37 netsh.exe 3 26->37         started        39 3 other processes 26->39 process10 signatures11 65 Hides user accounts 28->65
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k6xwc3xwrhraapvtqctlqasfhacmxxap2l364kigt3myhjyffkfq._file
Verdict:
unknown
Similar samples:
3f8e30e4408a436a10be48d37a1290afa9d91c2cdb7979197db295fc95f8104d
6da5530eff5617af7c73aa5c1211971702a8ba5dffb67d76aad7c889185b2f46
882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb
ac3ee6a458ee9538514cb1c5af9c7f2f94ec0325ba88459b36870c1c50945992
bb95df37be69e6b1b662a1a5936a77da4e87ec1a16bfc108919ed7eb836f0f80
cbafa6b5a5a5141801e04ad135271a9e0169e120582ed96c4136c0b2b2ae4d98
d074db16525688d38bd4d33669e2406e7ab6cc6f5e2d039dafe019f419622416
d6e06566022198c237f99355cc70743a67d6a59f67dd153ba13a56d021997769
edbfeb8823137279327b61ab1c7d73c8f6e72f2234fc0558ed43a99315171023
fecc5f0ecda63fab65cc46fd2b92a3817505f28562cadd787d7915baa4869099
+ 77 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion pyinstaller
Link:
https://tria.ge/reports/230820-1bwssahe33/
Behaviour
Modifies registry key
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57af616ef689e2003eb380a6b802453804cbdc0fd2f7ee29069ed983a7052a8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 57af616ef689e2003eb380a6b802453804cbdc0fd2f7ee29069ed983a7052a8b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2705859/
  
Delivery method
Distributed via web download

Comments