MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57cff3a25d0e209ae16b6c411c95be97880fdf3075d2b33b32a20dda8d611d5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VectorStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57cff3a25d0e209ae16b6c411c95be97880fdf3075d2b33b32a20dda8d611d5f
SHA3-384 hash: 9746694e7a735e3a74fc2ca83f8ecc23c1d4951c1a2f0dd12871252dbf5833a5d8679c5e9b8f7482783c79fe90471705
SHA1 hash: b269ef2b72ca0953d69a463e8c9cb44669b8acac
MD5 hash: 7900efd5f98edd9dbf42b2c9a17594c8
humanhash: cardinal-april-five-utah
File name:PURCHASE ORDERS.pdf.exe
Download: download sample
Signature VectorStealer
Create hunting rule
File size:1'717'248 bytes
First seen:2023-03-08 07:53:39 UTC
Last seen:2023-03-08 09:27:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:am9bhKXZshdT4sa00eCGhx1VhhtbRIKzNH:aVpszTq0jCix1VhTWK
Threatray 44 similar samples on MalwareBazaar
TLSH T17C85E0A56E19A257EBC1A0B32804E7B7EBAC7D5D1427C0883ED13D8FB1B9D2C0115E6D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe VectorStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDERS.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 07:55:40 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/5992af58-7ef7-45d6-a0d5-018e5ff59f0c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372494/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64083f1c2cb59660146f8b01/reports/a0aed042-0764-46fb-bf4b-4192cf133eab/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/57cff3a25d0e209ae16b6c411c95be97880fdf3075d2b33b32a20dda8d611d5f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/788e3746-014f-4f1b-93b5-b6666a4cf55e
Result
Threat name:
Vector Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189220
Signature
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Yara detected Vector Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57cff3a25d0e209ae16b6c411c95be97880fdf3075d2b33b32a20dda8d611d5f/
Threat name:
ByteCode-MSIL.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 23:33:27 UTC
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7h7his5byqjvyllnrarzfn6s6ea7xzqoxjlgozsuig5vdlbdvpq._file
Verdict:
malicious
Similar samples:
04806bf0d8bf3a0aeebceff61c565d2da8c2883a23098a2de284154d671f69eb
VectorStealer
1e45e4cb7d2e0ecd7ca9cf8c4470526d31dd78367c7e05d2b0f49c85e5aeafbe
VectorStealer
22cc0f0f7f87f0afd0fd17465e04682c8bc6d868103a09ae9922b39276113d63
VectorStealer
67ad48248241d2c2eab1c3577523b39ffac1d22cfcc2809dbff73b5766da3e31
VectorStealer
7e0dd3b9557b18226181b4c0356499edd472030f975bcfc44a7fbfd56f7661a4
VectorStealer
b8812397545808ecf86c5dc5202ca5d05fedd2ee21090808f51fb5d315910851
VectorStealer
bd3704c36cc99d990c773ae12328f7938e7a5bf230e18501f2f8b869532b28d5
VectorStealer
c7118fec7d8d5039bdddef1ca99be4a490a036a792cd65085c61814848667fe8
VectorStealer
ca0b1b8a0b420154b135f21acdc3612ad594ab31a56f0216979017514443c428
VectorStealer
f3927a993fa7a545f2ccbce547e0b7cd6e1c3e728b05ea5ad5d0afd1600d34f4
VectorStealer
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230308-jrj1gseg34/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
3e16e55be2251c6fe5ecec6b0122834de9d8f509f25adebf984ab4c53d3a3c02
MD5 hash:
968fedf9f9fdd587cdafef029ff3f1b2
SHA1 hash:
daedfd5488d72e367c3d2bcfbc04d3b622cc8b01
Link:
https://www.unpac.me/results/fe77324b-7882-4653-86fd-c4551d9dc87e/
SH256 hash:
fff6a6c9ee13b021fa856b5b10ae5666583d55a58943d88e1ad51d0c2d427a41
MD5 hash:
9d0176518f7144eac3ae66555a26e2c1
SHA1 hash:
d1b95cce7a081bb9d78c5adb65e6c83d2a2a3c83
Link:
https://www.unpac.me/results/fe77324b-7882-4653-86fd-c4551d9dc87e/
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/fe77324b-7882-4653-86fd-c4551d9dc87e/
SH256 hash:
2820cbb187c890359d0cc712e20c1afc52de2a0193793a0c7e956a163418ec2e
MD5 hash:
6206885b0bc4c53fbd55eb0efae25c58
SHA1 hash:
a464c9a7ea4d020ef1c7eed8c85d3d5b66c4f7d6
Link:
https://www.unpac.me/results/fe77324b-7882-4653-86fd-c4551d9dc87e/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/fe77324b-7882-4653-86fd-c4551d9dc87e/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
57cff3a25d0e209ae16b6c411c95be97880fdf3075d2b33b32a20dda8d611d5f
MD5 hash:
7900efd5f98edd9dbf42b2c9a17594c8
SHA1 hash:
b269ef2b72ca0953d69a463e8c9cb44669b8acac
Link:
https://www.unpac.me/results/fe77324b-7882-4653-86fd-c4551d9dc87e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/57cff3a25d0e209ae16b6c411c95be97880fdf3075d2b33b32a20dda8d611d5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VectorStealer

Executable exe 57cff3a25d0e209ae16b6c411c95be97880fdf3075d2b33b32a20dda8d611d5f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/372494/

Comments