MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67ce38dec54fd963ff28f4a257d58133eb241c909f9e06c859de0a7f00976202. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10

SHA256 hash: 67ce38dec54fd963ff28f4a257d58133eb241c909f9e06c859de0a7f00976202
SHA3-384 hash: 301cb7b236edf2867d93e79eb3351c64f912ec3e9fd33633a34384796b4f99576a19b44037871a0534f4247ce467eba0
SHA1 hash: 54b311d2c9909ac9f03d26b30db6c94dadde4cdb
MD5 hash: 410e91a252ffe557a41e66a174cd6dcb
humanhash: magazine-pluto-mirror-angel
File name: file
File size: 2'755'072 bytes
First seen: 2024-07-26 17:56:51 UTC
Last seen: 2024-12-18 10:28:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e49b63183dc452ee4abc90a6e47f6582
ssdeep: 49152:wXduhClX5Td3dKHJH2u4DTUN8A0AAlFnK9O5JDW0ZX+Gh8e9waVp/EoQ4PKw/n0+:LkUixA0Zea
TLSH: T1D1D56C2B4979558AE3D6C07CF52B1792AC3136884E39B37715FAC3913B30A1C6B6D362
TrID:
  41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
  12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  5.1% (.ICL) Windows Icons Library (generic) (2059/9)
  5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: Bitsight
Tags: DeerStealer exe


Bitsight
url: http://185.215.113.16/inc/build2.exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 386
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 67ce38dec54fd963ff28f4a257d58133eb241c909f9e06c859de0a7f00976202.exe
Verdict: Malicious activity
Analysis date: 2024-07-27 12:50:30 UTC
Tags: stealer deerstealer xfiles
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.1%
Tags: Stealth Kryptik

Result
Verdict: Clean

Maliciousness:
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: suspicious
Classification: n/a
Score: 26 / 100
Signature: AI detected suspicious sample

Threat name: Win64.Trojan.Smokeloader
Status: Suspicious
First seen: 2024-07-26 17:08:25 UTC
File Type: PE+ (Exe)
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: n/a
Score: 9/10
Tags: credential_access discovery spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Browser Information Discovery
  Reads WinSCP keys stored on the system
  Reads user/profile data of web browsers
  Credentials from Password Stores: Credentials from Web Browsers

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 67ce38dec54fd963ff28f4a257d58133eb241c909f9e06c859de0a7f00976202
MD5 hash: 410e91a252ffe557a41e66a174cd6dcb
SHA1 hash: 54b311d2c9909ac9f03d26b30db6c94dadde4cdb

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 67ce38dec54fd963ff28f4a257d58133eb241c909f9e06c859de0a7f00976202 (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Reviews
ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoA
