MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 589150c2bc7dcf12cccaccc54ee8ee02eee1c96c6e928c91e3ed62cf8470739f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BluStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 589150c2bc7dcf12cccaccc54ee8ee02eee1c96c6e928c91e3ed62cf8470739f
SHA3-384 hash: 3e43830908187a459a89990041b42d1b0e0cb80b5aea6128f1dde29f76de409cba916925ae7d71c5b494fc8013bcfbdb
SHA1 hash: 8af83dc976063288ab0cf3f60fffce8fc44c4092
MD5 hash: fd544f9bd0ce115f50d33cd567190ed3
humanhash: five-finch-football-robin
File name:XINGTAI NET PISTON CO.,LTD ORDER CONFIRMATION SO094552-1, PO PO 3707.exe
Download: download sample
Signature BluStealer
Create hunting rule
File size:671'601 bytes
First seen:2022-10-13 10:46:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:iNe3mbVTxZvWxUFBl8ceEWR3JUu00pjgUQuiNh2zedwC1UiU05:iNe3wjpWmFBdezxJUupqUti32ad3
Threatray 3'656 similar samples on MalwareBazaar
TLSH T17BE46BDE06F1105FD11946B4AD59AFE029A1ECB87B52C625BD40FCCEBE323E154622F2
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4bada9ae8cca4c8 (13 x Formbook, 6 x AgentTesla, 5 x AveMariaRAT)
Reporter madjack_red
Tags:BluStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319853/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Porcupine.Win32.Injector.ESDC.28724.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42898/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6347eca7f2794c622d28b1b0/reports/895dce6f-3caa-4eec-89ce-a41daf12e069/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a327d69d-7ba8-44a3-9294-28862f826dc3
Result
Threat name:
BluStealer, DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089733
Signature
Antivirus detection for dropped file
Drops PE files to the user root directory
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected BluStealer
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 722342 Sample: XINGTAI NET PISTON CO.,LTD ... Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 75 Antivirus detection for dropped file 2->75 77 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 5 other signatures 2->81 7 XINGTAI NET PISTON CO.,LTD ORDER CONFIRMATION SO094552-1, PO PO 3707.exe 18 2->7         started        10 fribourg.exe 2 2->10         started        13 fribourg.exe 1 2->13         started        process3 file4 37 C:\Users\user\AppData\Local\Temp\wolnl.exe, PE32 7->37 dropped 15 wolnl.exe 1 7->15         started        39 C:\Users\user\AppData\Local\Temp7F9.tmp, PE32 10->39 dropped 41 C:\Users\user\AppData\Local\Temp316.tmp, PE32 10->41 dropped 83 Machine Learning detection for dropped file 10->83 85 Found hidden mapped module (file has been removed from disk) 10->85 87 Maps a DLL or memory area into another process 10->87 89 Writes or reads registry keys via WMI 10->89 19 fribourg.exe 4 10->19         started        22 WerFault.exe 10 10->22         started        24 fribourg.exe 10->24         started        43 C:\Users\user\AppData\Local\Temp\12C1.tmp, PE32 13->43 dropped 26 fribourg.exe 13->26         started        28 WerFault.exe 13->28         started        signatures5 process6 dnsIp7 45 C:\Users\user\AppData\Local\Temp\7642.tmp, PE32 15->45 dropped 61 Machine Learning detection for dropped file 15->61 63 Drops PE files to the user root directory 15->63 65 Found hidden mapped module (file has been removed from disk) 15->65 71 2 other signatures 15->71 30 wolnl.exe 1 10 15->30         started        35 WerFault.exe 23 9 15->35         started        51 mail.dioceseofcubao.ph 19->51 53 dioceseofcubao.ph 19->53 67 Tries to harvest and steal browser information (history, passwords, etc) 19->67 69 Tries to steal Crypto Currency Wallets 19->69 55 192.168.2.1 unknown unknown 22->55 file8 signatures9 process10 dnsIp11 57 dioceseofcubao.ph 67.215.227.245, 465, 49700, 49701 ASN-QUADRANET-GLOBALUS United States 30->57 59 mail.dioceseofcubao.ph 30->59 47 C:\Users\user\AppData\...\fribourg.exe, PE32 30->47 dropped 49 C:\Users\Public\vbsqlite3.dll, PE32 30->49 dropped 73 Tries to steal Crypto Currency Wallets 30->73 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/589150c2bc7dcf12cccaccc54ee8ee02eee1c96c6e928c91e3ed62cf8470739f/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 07:11:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
31 of 42 (73.81%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lcivbqv4pxhrftgkztcu52hoalxodslmn2jizepd5vrm7bdqoopq._file
Verdict:
malicious
Similar samples:
167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e
BluStealer
3586599d4978f9857550a52a8397edd027afe7f2eafb4f66e4af98dcd0337d22
BluStealer
4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc
BluStealer
71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719
BluStealer
9bd4004d7b777b2b3e5228419c24ded2b93b128b1a9becd9d8914c008a04d2a0
BluStealer
+ 3'646 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221013-mvjqnscab5/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/5c8c7bc4-c11e-43ba-b96e-466efa9ab8d0/
SH256 hash:
ee008dce440c4bd6d24077f200e5a3a10037e9455e19239295e03cd884075d20
MD5 hash:
80ea238f5995345050735510cffea8ca
SHA1 hash:
44805fa90f798d8f1f48757d6ce2231ac2810f52
Link:
https://www.unpac.me/results/5c8c7bc4-c11e-43ba-b96e-466efa9ab8d0/
SH256 hash:
f183aaf44804dbd25378678d18e265492f177e89c60ebb723b88ecfc18e338f8
MD5 hash:
cbfa38d4bc7447c918397d5592980f99
SHA1 hash:
76965507566888da6fdad986e0337aebe432e5d3
Link:
https://www.unpac.me/results/5c8c7bc4-c11e-43ba-b96e-466efa9ab8d0/
SH256 hash:
589150c2bc7dcf12cccaccc54ee8ee02eee1c96c6e928c91e3ed62cf8470739f
MD5 hash:
fd544f9bd0ce115f50d33cd567190ed3
SHA1 hash:
8af83dc976063288ab0cf3f60fffce8fc44c4092
Link:
https://www.unpac.me/results/5c8c7bc4-c11e-43ba-b96e-466efa9ab8d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/589150c2bc7dcf12cccaccc54ee8ee02eee1c96c6e928c91e3ed62cf8470739f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319853/

Comments