MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60f57be591e54e5d90ce837593518e23e826aa623d48816ea2bf397cedae6441. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60f57be591e54e5d90ce837593518e23e826aa623d48816ea2bf397cedae6441
SHA3-384 hash: b5859582fa0e2ab505fbac19ed5ba3f6742fae03f9d2435046bb9229201c35a1040a55351e99e9c7e171a13301559769
SHA1 hash: f23867dba7bb4ea7ffaa2d29b0729a68e1b78b2a
MD5 hash: abb344d9640f18c36c8537bbf41ec874
humanhash: juliet-sink-nineteen-emma
File name:60f57be591e54e5d90ce837593518e23e826aa623d48816ea2bf397cedae6441
Download: download sample
File size:18'377'728 bytes
First seen:2023-09-05 12:25:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 393216:o/gfGhijo3hVoYYo/giRTxkS8uBb3V75rbQndRu23rR2kIiBRqGQ/VkCpuZj3NG7:vGhiGgwV75r4u239uvZoMiw6A1
Threatray 10 similar samples on MalwareBazaar
TLSH T1E207E111F9612174D84630B2782CBB3E5E380A2BC77589DBE9946CD47FB85D2323A35B
TrID 72.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.3% (.EXE) Win64 Executable (generic) (10523/12/4)
4.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 868c720d00018082
Reporter adrian__luca
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
60f57be591e54e5d90ce837593518e23e826aa623d48816ea2bf397cedae6441
Verdict:
Malicious activity
Analysis date:
2023-09-05 12:28:32 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/2be63100-fbe1-4304-89c7-89dd721b683d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.28816.30854.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Creating a window
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug control expand greyware lolbin packed remote
Link:
https://www.filescan.io/uploads/64f71e5de29c52e38dc78410/reports/4357185f-b8b5-4773-bf53-3f169bea662d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/60f57be591e54e5d90ce837593518e23e826aa623d48816ea2bf397cedae6441
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/90e2833f-4bd2-4193-be73-d82ca3e7d3bb
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303512
Signature
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1303512 Sample: 6NCrknlt7S.exe Startdate: 05/09/2023 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 4 other signatures 2->55 8 6NCrknlt7S.exe 16 43 2->8         started        13 cmd.exe 1 2->13         started        15 cmd.exe 1 2->15         started        process3 dnsIp4 43 api.telegram.org 149.154.167.220, 443, 49736, 49737 TELEGRAMRU United Kingdom 8->43 45 geolocation-db.com 159.89.102.253, 443, 49734, 49735 DIGITALOCEAN-ASNUS United States 8->45 47 2 other IPs or domains 8->47 35 C:\Users\user\Documents\...\CrashHandler.data, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\...\handler.data, PE32 8->37 dropped 39 C:\Users\user\AppData\...\chromedriver.exe, PE32 8->39 dropped 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->59 61 Drops PE files to the document folder of the user 8->61 63 Tries to steal Mail credentials (via file / registry access) 8->63 65 2 other signatures 8->65 17 chromedriver.exe 7 8->17         started        20 CrashHandler.data 3 13->20         started        23 conhost.exe 13->23         started        25 CrashHandler.data 2 15->25         started        27 conhost.exe 15->27         started        file5 signatures6 process7 dnsIp8 41 127.0.0.1 unknown unknown 17->41 29 chrome.exe 39 17->29         started        31 conhost.exe 17->31         started        57 Multi AV Scanner detection for dropped file 20->57 signatures9 process10 process11 33 chrome.exe 1 29->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60f57be591e54e5d90ce837593518e23e826aa623d48816ea2bf397cedae6441/
Threat name:
Win32.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2023-08-28 21:47:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
52
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=md2xxzmr4vhf3egoqn2zgumoepucnktchveic3vcx44xz3nomraq._file
Verdict:
unknown
Similar samples:
6086e4f73c541441dbf8b365b54b6cafaecc00ca6a0df1b768abeefb25736cdf
64714a3c434c8dbe3c5a062bccf91042e5ff35ca27438dd663ac127da41a5b14
7aede26814390ce8fbdfecd526a98e407f473f15d918356aede0344a4cd9bf6b
808c5a48460a554e1e548b6c3051cc6c305010abe9226b028a65d6129914e1f7
9616a9ed1fb31b9f760267564a37ec8175e5f8adee180823042f50ab191189b9
971725f4443df9cf72b74a296e54352bd0f91bf74517fb28980a1916f89d56e2
aab0369f03c447a10dbb8221c4fa34797cdbc893d0a1fece13cdec77882439f6
ce13fbbb2b1659be87c5852abc0c15009051e164b696a8943ceaec78747dbc29
f52db36593133648786002411f0fe9cde78c3fab4bbb30a628a97e17238b6b87
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230905-pl6vysfc9s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Drops file in Program Files directory
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
11985ea7d2c5c7ad3565228bb72484d4074ca88d827bf210339b5a6cd730bebb
MD5 hash:
dba5d1165b7aae7b70009654ede26d71
SHA1 hash:
a6aef54b94f1a2a54ce1cd2a4bd8cce441985dcc
Link:
https://www.unpac.me/results/62190df9-4fbf-46ff-bd26-fced326b45a0/
SH256 hash:
64789093d9d95e05aa8279d650a137971d4290f8a971aaa9303be3286f8e4980
MD5 hash:
b86328149d226bfde1a150f4845b5200
SHA1 hash:
5fb1cd7f0e082bd4f165c6028d669ad6e5808185
Link:
https://www.unpac.me/results/62190df9-4fbf-46ff-bd26-fced326b45a0/
SH256 hash:
60f57be591e54e5d90ce837593518e23e826aa623d48816ea2bf397cedae6441
MD5 hash:
abb344d9640f18c36c8537bbf41ec874
SHA1 hash:
f23867dba7bb4ea7ffaa2d29b0729a68e1b78b2a
Link:
https://www.unpac.me/results/62190df9-4fbf-46ff-bd26-fced326b45a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60f57be591e54e5d90ce837593518e23e826aa623d48816ea2bf397cedae6441

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments