MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a40681afe1af44980983beff83ee9cf8e6de80c49f3d8c7e8abf51e8d7dc83d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CredentialFlusher


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a40681afe1af44980983beff83ee9cf8e6de80c49f3d8c7e8abf51e8d7dc83d
SHA3-384 hash: 35dbe0875001c9cfc420c2eedbeffce3d20e10ea489d48da219222ef01b884e7b683419b658050cb321ea23e52665bec
SHA1 hash: f7bd377e184dfc0c3b174298ce18a8651e830639
MD5 hash: 4982632eec3d2bad041ed5583fb4bf41
humanhash: alabama-connecticut-ohio-pasta
File name:file
Download: download sample
Signature CredentialFlusher
Create hunting rule
File size:922'624 bytes
First seen:2024-11-28 04:30:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep 12288:wqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaNT0:wqDEvCTbMWu7rQYlBQcBiT6rprG8aJ0
TLSH T112159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81D79BE701B1563E7A3
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter Bitsight
Tags:CredentialFlusher exe


Avatar
Bitsight
url: http://185.215.113.16/well/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
419
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-28 04:32:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8c143c42-8260-4053-9c51-b5f6a2f5d529

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6747f360b31374f098355034
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Searching for the window
Using the Windows Management Instrumentation requests
Launching a process
Searching for the browser window
Connection attempt
Launching a tool to kill processes
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
autoit compiled-script fingerprint keylogger kiosk microsoft_visual_cc
Link:
https://www.filescan.io/uploads/6747f2088f37cc1861ff42ae/reports/010fce16-8cfb-4c72-a612-1603e7fdc1f9/overview
Verdict:
Malicious
Labled as:
Trojan.Win64.Injects
Link:
https://www.hybrid-analysis.com/sample/6a40681afe1af44980983beff83ee9cf8e6de80c49f3d8c7e8abf51e8d7dc83d
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4ea78344-aadb-401b-8866-e6beb6dbe4aa
Result
Threat name:
Credential Flusher
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1564286
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Credential Flusher
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1564286 Sample: file.exe Startdate: 28/11/2024 Architecture: WINDOWS Score: 72 51 youtube.com 2->51 53 youtube-ui.l.google.com 2->53 55 34 other IPs or domains 2->55 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected Credential Flusher 2->67 69 Binary is likely a compiled AutoIt script file 2->69 71 2 other signatures 2->71 8 file.exe 2->8         started        11 firefox.exe 1 2->11         started        13 firefox.exe 1 2->13         started        signatures3 process4 signatures5 73 Binary is likely a compiled AutoIt script file 8->73 75 Found API chain indicative of sandbox detection 8->75 15 taskkill.exe 1 8->15         started        17 taskkill.exe 1 8->17         started        19 taskkill.exe 1 8->19         started        27 9 other processes 8->27 21 firefox.exe 3 211 11->21         started        25 firefox.exe 38 13->25         started        process6 dnsIp7 29 conhost.exe 15->29         started        31 conhost.exe 17->31         started        33 conhost.exe 19->33         started        57 youtube.com 142.250.181.78, 443, 49730, 49731 GOOGLEUS United States 21->57 59 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49732, 49745, 49749 GOOGLEUS United States 21->59 63 9 other IPs or domains 21->63 47 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 21->47 dropped 49 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 21->49 dropped 43 2 other processes 21->43 61 127.0.0.1 unknown unknown 25->61 35 firefox.exe 1 25->35         started        37 conhost.exe 27->37         started        39 conhost.exe 27->39         started        41 conhost.exe 27->41         started        45 4 other processes 27->45 file8 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6a40681afe1af44980983beff83ee9cf8e6de80c49f3d8c7e8abf51e8d7dc83d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a40681afe1af44980983beff83ee9cf8e6de80c49f3d8c7e8abf51e8d7dc83d/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2024-11-28 04:31:06 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=njagqgx6dl2etaeyhpx7qpxjz6hg32amjhz5rr7ivp2r5dl5za6q._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/241128-e5dcmsvrdv/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/86eaed2c-5a25-4e09-ad94-37b54c955868
Unpacked files
SH256 hash:
6a40681afe1af44980983beff83ee9cf8e6de80c49f3d8c7e8abf51e8d7dc83d
MD5 hash:
4982632eec3d2bad041ed5583fb4bf41
SHA1 hash:
f7bd377e184dfc0c3b174298ce18a8651e830639
Link:
https://www.unpac.me/results/50d012ce-5cba-4e9d-b015-2b85d40df8bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a40681afe1af44980983beff83ee9cf8e6de80c49f3d8c7e8abf51e8d7dc83d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CredentialFlusher

Executable exe 6a40681afe1af44980983beff83ee9cf8e6de80c49f3d8c7e8abf51e8d7dc83d

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3067426/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments