MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 668434940877f747a5d3adc745548bcfdcc881418f02e705204df2ad54a311cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 668434940877f747a5d3adc745548bcfdcc881418f02e705204df2ad54a311cb
SHA3-384 hash: 5ab8fa439447116213765d835c31894799ef790ecb26788bd4fad362f995595f722eebc4e5ea721c7120a1eb5fd843c6
SHA1 hash: ad8fb5301c5a526f7a1c7d4d0e2c67671f7fbf9b
MD5 hash: 174633c99b52d42cfcbbfaf5f81f0f13
humanhash: mississippi-floor-robin-carbon
File name:174633c99b52d42cfcbbfaf5f81f0f13.exe
Download: download sample
File size:5'227'366 bytes
First seen:2021-09-29 11:35:08 UTC
Last seen:2021-11-25 12:36:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 98304:8Sir2GLhfKDyTuwdbvLMv4JROOLYG0WU7TKhhd1gonPcMH:LGRKDyTjDMvwOavbQWL1/ce
Threatray 57 similar samples on MalwareBazaar
TLSH T1FB36123FF268A53EC46A173245B39350997BBE64A81A8C1B07FC380DCF765601E3B656
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
174633c99b52d42cfcbbfaf5f81f0f13.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-29 11:46:07 UTC
Tags:
installer
Link:
https://app.any.run/tasks/904cf69c-cb7e-4009-8ed4-2c081bff3b89

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zeus
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193122/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d544c5d8-529c-4cef-a93d-84e29961b642
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/861439
Signature
.NET source code contains in memory code execution
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Potentially malicious time measurement code found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 493867 Sample: q9DlqQfWRg.exe Startdate: 30/09/2021 Architecture: WINDOWS Score: 88 54 Multi AV Scanner detection for domain / URL 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected Vidar stealer 2->58 60 4 other signatures 2->60 11 q9DlqQfWRg.exe 2 2->11         started        process3 file4 48 C:\Users\user\AppData\...\q9DlqQfWRg.tmp, PE32 11->48 dropped 14 q9DlqQfWRg.tmp 3 13 11->14         started        process5 file6 50 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 14->50 dropped 17 q9DlqQfWRg.exe 2 14->17         started        process7 file8 34 C:\Users\user\AppData\...\q9DlqQfWRg.tmp, PE32 17->34 dropped 20 q9DlqQfWRg.tmp 5 237 17->20         started        process9 file10 36 C:\Users\user\...\evreporter.exe (copy), PE32 20->36 dropped 38 C:\Users\user\...\swresample-1.dll (copy), PE32 20->38 dropped 40 C:\Users\user\...\pthreadGC2.dll (copy), PE32 20->40 dropped 42 36 other files (none is malicious) 20->42 dropped 23 evreporter.exe 127 20->23         started        process11 dnsIp12 52 185.215.113.39, 49753, 80 WHOLESALECONNECTIONSNL Portugal 23->52 44 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 23->44 dropped 46 C:\ProgramData\sqlite3.dll, PE32 23->46 dropped 62 Tries to harvest and steal browser information (history, passwords, etc) 23->62 64 Tries to steal Crypto Currency Wallets 23->64 28 cmd.exe 1 23->28         started        file13 signatures14 process15 process16 30 conhost.exe 28->30         started        32 timeout.exe 1 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/668434940877f747a5d3adc745548bcfdcc881418f02e705204df2ad54a311cb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-29 11:36:06 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
268525c7023d25f141e7b756092d7566a1d1ce9407d3d31325dd4bf231208d6c
2ab38fdbe562dd5a6be9651562e1523dbf7f3fd7d720d57bc9a25b0e2b665640
2ae6703e19002c43074774727b96a0de197208bef65f33b52272ea5327cb586d
384292cad1c05552ccbd691de48865ce75375f7e601db66b3f5cad0f8f294d6c
4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d
7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026
a17c6408274001d2fcebc143b080044734f6b1f3600a2d97cb8cd990e05d0f7c
ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852
ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9
f5a558eba4843612e1b2e7bbfb431932a94bdc86f9411c0529f4216bcfe0ef02
+ 47 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210929-nqkylseher/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
4d1fb84d2034c51f62e6e895e246d423f7b4fb2f1c2817a1aafc0a9c2cd68dc6
MD5 hash:
19d3e925bd3944acf03a70e2da39e46f
SHA1 hash:
b7710e87fecbd6abf2d1e60cfdf4f524f184850a
Link:
https://www.unpac.me/results/56777ca0-ade9-4009-aaf8-2e5e8e3bb1e0/
SH256 hash:
a8014d9047beb7201555aac8491102af562e5589d8ff4301444004b94c612c34
MD5 hash:
bc9107f6dc5b0d3e3d4f144cf04cd305
SHA1 hash:
d8dbd9b5fc55b7a8ece905ca5c053c7966517cd2
Link:
https://www.unpac.me/results/56777ca0-ade9-4009-aaf8-2e5e8e3bb1e0/
SH256 hash:
6bd01d242a26a19415d92fc9d73ba719f1ac72d153943b94d9c82234e708f920
MD5 hash:
57af4d20558e5c4f26e43986fc871e53
SHA1 hash:
7c30c2a975dd14e2fca9bca1994ea1bdc275cd26
Link:
https://www.unpac.me/results/56777ca0-ade9-4009-aaf8-2e5e8e3bb1e0/
SH256 hash:
668434940877f747a5d3adc745548bcfdcc881418f02e705204df2ad54a311cb
MD5 hash:
174633c99b52d42cfcbbfaf5f81f0f13
SHA1 hash:
ad8fb5301c5a526f7a1c7d4d0e2c67671f7fbf9b
Link:
https://www.unpac.me/results/56777ca0-ade9-4009-aaf8-2e5e8e3bb1e0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/668434940877/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/668434940877f747a5d3adc745548bcfdcc881418f02e705204df2ad54a311cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 668434940877f747a5d3adc745548bcfdcc881418f02e705204df2ad54a311cb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1642815/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193122/

Comments