MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f82de6e269c0ae7f1f3b445bc9911ec8cd3d26d61eca2ba0202fa799ff5023e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f82de6e269c0ae7f1f3b445bc9911ec8cd3d26d61eca2ba0202fa799ff5023e
SHA3-384 hash: 6a599a7023c67b7449503bd160311c4b358bb2d7785c2e8e79a76a63e9832b328004940d5473f81d1c341cbc24805d28
SHA1 hash: cfb4e918eb066d47cde442f17b4a9f1ade064f38
MD5 hash: 1b7fe53dac5a1138f87f302fbe7bc6e8
humanhash: edward-comet-lake-stream
File name:1b7fe53dac5a1138f87f302fbe7bc6e8
Download: download sample
File size:2'551'808 bytes
First seen:2023-11-30 19:14:43 UTC
Last seen:2023-11-30 21:23:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e5ae6cc10dc285649629531255a1db5a
ssdeep 49152:AhkA6tNoaadSLLvjminkR08cdogA1KMAoL3l1c+gufXpe:Aht07L6rmH3A4K3RgufXpe
Threatray 55 similar samples on MalwareBazaar
TLSH T123C51222F6F05833D16B17798C2B5765AD2EBF102D38A4863BE42D4C6F39781792D293
TrID 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
25.9% (.SCR) Windows screen saver (13097/50/3)
20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon d4c4c4d4d4d4dce4
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461499/
Detection(s):
SecuriteInfo.com.Trojan.TR.Drop.Agent.owpfe.22920.18050.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Searching for the window
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Running batch commands
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5f82de6e269c0ae7f1f3b445bc9911ec8cd3d26d61eca2ba0202fa799ff5023e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dca9a803-bb8e-406c-8a8d-4f0eb61ecba6
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1350777
Signature
Contains functionality to inject code into remote processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1350777 Sample: P1TktPX5MG.exe Startdate: 30/11/2023 Architecture: WINDOWS Score: 96 55 api4.ipify.org 2->55 57 api.ipify.org 2->57 59 EceaGulYLjQzsyZDxpEVA.EceaGulYLjQzsyZDxpEVA 2->59 75 Multi AV Scanner detection for submitted file 2->75 77 Sigma detected: Drops script at startup location 2->77 79 Contains functionality to inject code into remote processes 2->79 11 P1TktPX5MG.exe 13 2->11         started        14 wscript.exe 1 1 2->14         started        signatures3 process4 file5 49 C:\Users\user\AppData\Local\Temp\...\Prime, PE32+ 11->49 dropped 17 cmd.exe 1 11->17         started        89 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->89 20 EventPlanner.pif 14->20         started        signatures6 process7 signatures8 65 Uses ping.exe to sleep 17->65 67 Drops PE files with a suspicious file extension 17->67 69 Uses ping.exe to check the status of other devices and networks 17->69 22 cmd.exe 1 17->22         started        25 conhost.exe 17->25         started        71 Modifies the context of a thread in another process (thread injection) 20->71 73 Injects a PE file into a foreign processes 20->73 27 EventPlanner.pif 6 20->27         started        process9 dnsIp10 81 Uses ping.exe to sleep 22->81 30 Analysis.pif 4 22->30         started        34 cmd.exe 2 22->34         started        36 cmd.exe 2 22->36         started        38 6 other processes 22->38 61 api4.ipify.org 64.185.227.156, 443, 49725 WEBNXUS United States 27->61 63 194.87.31.20, 15666, 49724 ASBAXETNRU Russian Federation 27->63 83 Tries to steal Mail credentials (via file / registry access) 27->83 85 Tries to harvest and steal browser information (history, passwords, etc) 27->85 87 Tries to harvest and steal Bitcoin Wallet information 27->87 signatures11 process12 file13 51 C:\Users\user\AppData\...ventPlanner.pif, PE32+ 30->51 dropped 91 Drops PE files with a suspicious file extension 30->91 93 Modifies the context of a thread in another process (thread injection) 30->93 95 Injects a PE file into a foreign processes 30->95 40 cmd.exe 2 30->40         started        43 Analysis.pif 30->43         started        53 C:\Users\user\AppData\Local\...\Analysis.pif, PE32+ 34->53 dropped signatures14 process15 file16 47 C:\Users\user\AppData\...ventPlanner.url, MS 40->47 dropped 45 conhost.exe 40->45         started        process17
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5f82de6e269c0ae7f1f3b445bc9911ec8cd3d26d61eca2ba0202fa799ff5023e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f82de6e269c0ae7f1f3b445bc9911ec8cd3d26d61eca2ba0202fa799ff5023e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-29 09:36:18 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l6bn43rgtqfop4ptwrc3zgir5sgnhutnmhwkfoqcal5hth7vai7a._file
Verdict:
malicious
Similar samples:
0796818dc3510e88a966f0aaacd201ba162c46e0bc0f7c670ffbd43df485f5a7
57bd1d7a3ce9a10797575f75af56a675b3739ab5901e383a7870b17fa328ecb4
9f7b7f84298ff1ca0a0bdd87fc2d6ea25b89cea705ea37c61c95df03b7791348
a8a172e5e99b940b86720dfffa4a822a486b4a7334c420cdefae80fca5ce2638
ac5df971e605c439d1851391f51ae799b24823c47aea5c0ac177f00e5d4cc1f2
ade3cb4d8d6dc56650eb1b32afb7cf7797c52d262a686db30aca473754b7029d
c6ecdbe4c6170d3ec9b20e20717ba27169b9e409c9b49690f0e09986651c744f
f18e085889d9d7324c57ecb800563ba2e808c0ef8ad52b7b1f1f3afa169bf836
+ 45 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/231130-xx9d8agh21/
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
5f82de6e269c0ae7f1f3b445bc9911ec8cd3d26d61eca2ba0202fa799ff5023e
MD5 hash:
1b7fe53dac5a1138f87f302fbe7bc6e8
SHA1 hash:
cfb4e918eb066d47cde442f17b4a9f1ade064f38
Link:
https://www.unpac.me/results/8df87228-bf1b-4ce9-a59a-b011e909c11d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f82de6e269c0ae7f1f3b445bc9911ec8cd3d26d61eca2ba0202fa799ff5023e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5f82de6e269c0ae7f1f3b445bc9911ec8cd3d26d61eca2ba0202fa799ff5023e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2736436/
Cape
Cape
https://www.capesandbox.com/analysis/461499/

Comments


Avatar
zbet commented on 2023-11-30 19:14:44 UTC

url : hxxps://marrakechfolkloredays.ma/wp-content/uploads/2022/05/tecn.jpg