MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61944d63af0a88ab927fa3bfb88eadd93435c4a851c2010756819cfaa90acde1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61944d63af0a88ab927fa3bfb88eadd93435c4a851c2010756819cfaa90acde1
SHA3-384 hash: a63005523babcc63699d5e4d9c763755cb0b9dbfbec2dec5dc32e3632fb90991c0b9af60b83f2391183e6fd5393ae21d
SHA1 hash: 0e58a7d955138453a4bbe66ffd2499bcd114a8f5
MD5 hash: b4f3287fb0e259429a367e81bfef326e
humanhash: high-princess-wisconsin-emma
File name:b4f3287fb0e259429a367e81bfef326e.exe
Download: download sample
File size:4'471'808 bytes
First seen:2022-11-11 13:21:50 UTC
Last seen:2022-11-11 16:43:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:0gCBT3UCfNpM68/jezA7+VjkxRwXgoX85XUslp8eg/ullXTF5WHkN:GpffDqezA7pLwXgoMNUt/eYE
Threatray 172 similar samples on MalwareBazaar
TLSH T1182633CA175A1B27DA714A38EB37FCD1336BCE7BB1064D86887115C12BFB842496163E
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b4f3287fb0e259429a367e81bfef326e.exe
Verdict:
No threats detected
Analysis date:
2022-11-11 13:23:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/287e07c2-243f-4e4f-9f3c-f8c01d5fa80f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332482/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.20629.6984.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/636e4c7b20a0b4943a8ee7cf/reports/c4f900b8-7923-4076-9470-ef6131e27c82/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08c12db0-92a7-40f6-bdf3-01d5f42f0216
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
spyw
Score:
22 / 100
Link:
https://www.joesandbox.com/analysis/1111295
Signature
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 743991 Sample: 1qlPpzCVPv.exe Startdate: 11/11/2022 Architecture: WINDOWS Score: 22 6 1qlPpzCVPv.exe 2->6         started        dnsIp3 16 youtube-ui.l.google.com 142.250.203.110, 443, 49698 GOOGLEUS United States 6->16 18 www.youtube.com 6->18 20 Tries to harvest and steal browser information (history, passwords, etc) 6->20 10 cmd.exe 1 6->10         started        signatures4 process5 process6 12 conhost.exe 10->12         started        14 choice.exe 1 10->14         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61944d63af0a88ab927fa3bfb88eadd93435c4a851c2010756819cfaa90acde1/
Threat name:
Win64.Infostealer.Goback
Create hunting rule
Status:
Malicious
First seen:
2022-11-11 13:22:24 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mgke2y5pbkekxet7uo73rdvn3e2dlrfikhbacb2wqgopvkikzxqq._file
Verdict:
unknown
Similar samples:
01c783217c63735fbd5ceca453426e30bcf34b548b8d0bd4e0390b0c1b3c3ffa
02c1c4241e1211580f078778611ae7c11d6f7a5bdef75cf01cbb6a5185f1c3a8
2e557bd01d811580bda017fd1d1070d56d722e7d261474f2b404410f55ec1abc
4a75a23c13301872f46f4530b071bc4534a211435d5a8d8534b1455735c571b1
52fbe26c4b9fd1f8fae6d4840ef6741eb6c8bcd4f137f9139ae49b15d1590b20
6f6e8e9441fa7b35c0b1676a69957404081ca8a357b38a6640adb38375a7424d
75520762f93c99c79ebac6081437b0b1ebf7122b1bcc1942484ea5de8e06a1ea
77ed638394053fe4fef1486f85bac2423f392a1f5e523f9ddf3f5dec289868d8
f8a941938484a00306232e77b8af41e7f81df56e4aa9864a2b59ea8ebfbc892b
fe98e1419e9ffe47ad09dfb3495b9c357bf3b4ae4b1bc179d2fd67c13a253068
+ 162 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer upx
Link:
https://tria.ge/reports/221111-ql8j8aff79/
Behaviour
Suspicious use of WriteProcessMemory
Deletes itself
Reads user/profile data of web browsers
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/63eea082-adde-4bf9-b0a4-b3728292c345
Unpacked files
SH256 hash:
cc1ffaa8d4a2703b2d36fc81bccd913dc321401bc8d6349e261b43289d427d6f
MD5 hash:
fb6a137d7f651165bc61000bad8126c9
SHA1 hash:
becaa90a705862386dcf98e31943616ee1a4ce8c
Link:
https://www.unpac.me/results/7bc2c3f0-a585-41c7-b912-18da25f8db2a/
SH256 hash:
61944d63af0a88ab927fa3bfb88eadd93435c4a851c2010756819cfaa90acde1
MD5 hash:
b4f3287fb0e259429a367e81bfef326e
SHA1 hash:
0e58a7d955138453a4bbe66ffd2499bcd114a8f5
Link:
https://www.unpac.me/results/7bc2c3f0-a585-41c7-b912-18da25f8db2a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61944d63af0a88ab927fa3bfb88eadd93435c4a851c2010756819cfaa90acde1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 61944d63af0a88ab927fa3bfb88eadd93435c4a851c2010756819cfaa90acde1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2407898/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/332482/

Comments