MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69feda37be2541c14f33cecb954e8ec996119d6e92c3b20f6b6c41a5664c2f9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69feda37be2541c14f33cecb954e8ec996119d6e92c3b20f6b6c41a5664c2f9f
SHA3-384 hash: 02949b8afabcaf89a809cdbc152506722d0b136da4c292b15884a41ad5999bc06fe4a2cb7d3163650c11c05b0a04e340
SHA1 hash: 6a1f2dd7c6a5db00b287a1654d1cebe71b5be141
MD5 hash: eab000ffba2ba00b9b6d5b18296f2482
humanhash: idaho-uncle-neptune-lima
File name:setup.exe
Download: download sample
File size:205'312 bytes
First seen:2022-12-27 15:25:38 UTC
Last seen:2022-12-27 16:40:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:9eM9ybJ1XjJ91QDtOkSbPTygQF3f1xjcLc6XnLwj4NsmsnWtPzWTPghvou0y4Cu:9O7jNQhTSDkZfDjgXLwMN6Agy4r
Threatray 136 similar samples on MalwareBazaar
TLSH T11814E03EF7C89F6BD26A1CBB54D22E79073DC8261A4BD31768CA06295C663D1DE024D3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon de8e9e989e9e98b0 (2 x RedLineStealer, 1 x Stealc, 1 x LummaStealer)
Reporter r3dbU7z
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2022-12-27 15:28:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7e28fc9-9ad8-4718-aa24-d6d5e509e876

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.57455.22463.23256.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63ab0e8b40e878e304206757/reports/0d599ca6-7026-4543-915b-ad2aa0cdff0d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4fe3fb9c-2885-4421-a29b-f71224419478
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1141620
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 774350 Sample: setup.exe Startdate: 27/12/2022 Architecture: WINDOWS Score: 72 32 Multi AV Scanner detection for submitted file 2->32 34 .NET source code contains potential unpacker 2->34 36 Machine Learning detection for sample 2->36 8 setup.exe 3 2->8         started        12 svcupdater.exe 1 2->12         started        14 svcupdater.exe 2->14         started        process3 file4 28 C:\Users\user\AppData\Local\...\setup.exe.log, CSV 8->28 dropped 38 Writes to foreign memory regions 8->38 40 Allocates memory in foreign processes 8->40 42 Injects a PE file into a foreign processes 8->42 16 vbc.exe 3 8->16         started        20 conhost.exe 12->20         started        signatures5 process6 file7 26 C:\Users\user\AppData\...\svcupdater.exe, PE32 16->26 dropped 30 Uses schtasks.exe or at.exe to add and modify task schedules 16->30 22 schtasks.exe 1 16->22         started        signatures8 process9 process10 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69feda37be2541c14f33cecb954e8ec996119d6e92c3b20f6b6c41a5664c2f9f/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-12-27 15:26:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nh7nun56eva4ctztz3fzktuozglbdhloslb3ed3lnra2kzsmf6pq._file
Verdict:
malicious
Similar samples:
2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b
2ad9af4d99a267b9999bf64ae074415083055d48381a60556d38265c2a167c49
38d5e22812d54ff37736eed314bbf4dbb8ab42a4c0129e164c002571da77d6a3
438536b11aafa429cb30bcbcea58cdd24ec138c0e9986991d2869f259618d863
6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114
99697e7265b579f6e6b19470f0b7daf6b150b57e78f28041a63cc0bbae76caf8
aa5311c24ad72ce3b4c6d6529d8b15ceb8e12399ee04389d6b3aea4ac3b241b1
c10fe68e67f0f68cd89d7133403b1025269ae70475d3500db5e45912d965d991
e1e772249eb7a2d67c72aa6725ae5739d7e2f4ff26eb4a2ad00a8a3f900cff5b
+ 126 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221227-st63gaac5w/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Executes dropped EXE
Unpacked files
SH256 hash:
f81fc949bf0cb44669e9c6df4128945d4c47243a90af79ef18a8cbd07103a4a2
MD5 hash:
4a2d7f1e10107ca47e6ab053dc614c2e
SHA1 hash:
d225c3c441422b8ce328fe5b3694319bb99dafc6
Link:
https://www.unpac.me/results/e6d58163-f72a-499b-b172-6e4c3c003459/
SH256 hash:
ab5534a81fcffc50ee8892db18709df239acbc9442d1152bc12c3ff8bec11ffb
MD5 hash:
171ad8a8908b6a4760114f66005494b3
SHA1 hash:
30b09410ca2793e468c60392b4ce96eebe9a401c
Link:
https://www.unpac.me/results/e6d58163-f72a-499b-b172-6e4c3c003459/
SH256 hash:
69feda37be2541c14f33cecb954e8ec996119d6e92c3b20f6b6c41a5664c2f9f
MD5 hash:
eab000ffba2ba00b9b6d5b18296f2482
SHA1 hash:
6a1f2dd7c6a5db00b287a1654d1cebe71b5be141
Link:
https://www.unpac.me/results/e6d58163-f72a-499b-b172-6e4c3c003459/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/69feda37be25/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69feda37be2541c14f33cecb954e8ec996119d6e92c3b20f6b6c41a5664c2f9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 69feda37be2541c14f33cecb954e8ec996119d6e92c3b20f6b6c41a5664c2f9f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2489074/

Comments