MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 648926c5d9a339ee75cddfe0731bc4c6dad66afbe0171b3d858993ed0f2640a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StealthWorker


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 648926c5d9a339ee75cddfe0731bc4c6dad66afbe0171b3d858993ed0f2640a4
SHA3-384 hash: 13826f375fd512316b6638914a1f036b8c16a8885c9dab382898995b05468d9ec37ea58d32d3234daf9c7643a0e45772
SHA1 hash: 4a0c769127844b5d7f46ace6f063b15c97f0bc86
MD5 hash: bd922bb3afb7ccd59784774de19d7e7d
humanhash: oklahoma-victor-four-salami
File name:mixazed.exe
Download: download sample
Signature StealthWorker
Create hunting rule
File size:2'324'480 bytes
First seen:2021-07-14 21:27:48 UTC
Last seen:2021-07-14 22:41:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 249389cf3ddc95dbd917b52599185344 (1 x StealthWorker, 1 x RaccoonStealer)
ssdeep 49152:UyH1W7GGAaUGTjoyQBZmrkah/qANeBIiK5hAcoJ7nbochWyP:UyVWJTnQBsh/qANcK55oZP
Threatray 233 similar samples on MalwareBazaar
TLSH T127B5332090B0C8B3E9F311705529ABE17B3B72622B7486DF773105A54F36A71A6B630F
Reporter benkow_
Tags:exe gcleaner StealthWorker


Avatar
benkow_
Dropped by GCleaner 14th July 2021
139.60.161. 63:8888

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mixazed.exe
Verdict:
Malicious activity
Analysis date:
2021-07-14 21:28:26 UTC
Tags:
trojan phishing
Link:
https://app.any.run/tasks/46db2ce3-f896-4fbd-858f-b303c0b73b5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171833/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.39632.10950.22420.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2587d0db-54e9-431c-b41a-a4f4ac4ff4b5
Result
Threat name:
GoBrut
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816589
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Yara detected GoBrut
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/648926c5d9a339ee75cddfe0731bc4c6dad66afbe0171b3d858993ed0f2640a4/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 19:08:00 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=msesnrozum4645on37qhgg6ey3nnm2x34alrwpmfrgj62dzgicsa._file
Verdict:
unknown
Similar samples:
0dc8b267631d1894fbc6644468e5a9d9b9543257e0a85c271af230c757831496
StealthWorker
6c19d7e749c5fb3b7dee5906be8a944b52352ccaf7fc4970caf58769988874f6
StealthWorker
7ee0c62e76613b5cdf12f2fa8d408ba952d9ac828e97d65411f8e9f8619cfc6b
StealthWorker
890407f2497d9d1d7fbe7f5f823438821b458cf8f5e62eb7f0e3220c342cd68b
StealthWorker
8e32c98dd5c642b06be652eb257ebdc1222be4eb00677dbdd31e9dcb2eff033a
StealthWorker
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
StealthWorker
a3bfec359a9f54a10f2660a5587cedd9d9bc7724d4c29aacb4e791b0992ad912
StealthWorker
a567c1bce69110434087f78f3778878036cd56b79819d35b3a0cff29cf836824
StealthWorker
a58cf7753cdff434e81e0163ec97f8e1a8b32c80ddfa7cbf021778a759f78842
StealthWorker
abf24499470a3d16f45c1b747820a07784a1f98a5e29b2eb8414adcefe83012b
StealthWorker
+ 223 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
phishing
Link:
https://tria.ge/reports/210714-3rd2tlrw9s/
Behaviour
Suspicious use of WriteProcessMemory
Drops startup file
Detected phishing page
Unpacked files
SH256 hash:
08397b3a659073f0a8537b626d3b54242f63af7395f7c6bb16b0b1722867428a
MD5 hash:
b93a5524133233b4655834c3321bf3c8
SHA1 hash:
ab25e28c40a17a2d95204f39ae81dcab407fa736
Link:
https://www.unpac.me/results/1c66bf94-6876-43a3-a622-e503fba5417d/
SH256 hash:
648926c5d9a339ee75cddfe0731bc4c6dad66afbe0171b3d858993ed0f2640a4
MD5 hash:
bd922bb3afb7ccd59784774de19d7e7d
SHA1 hash:
4a0c769127844b5d7f46ace6f063b15c97f0bc86
Link:
https://www.unpac.me/results/1c66bf94-6876-43a3-a622-e503fba5417d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/648926c5d9a339ee75cddfe0731bc4c6dad66afbe0171b3d858993ed0f2640a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

StealthWorker

Executable exe 648926c5d9a339ee75cddfe0731bc4c6dad66afbe0171b3d858993ed0f2640a4

(this sample)

  
Link
https://blogs.akamai.com/sitr/2020/06/stealthworker-golang-based-brute-force-malware-still-an-active-threat.html
  
Dropped by
GCleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171833/

Comments