MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b2e51f4c3cadfd3441d843a96ebb56c50cb132ced3083bbf2f0ac760aca121c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6



SHA256 hash: 6b2e51f4c3cadfd3441d843a96ebb56c50cb132ced3083bbf2f0ac760aca121c
SHA3-384 hash: b097de18026cd5fb270e2920d6556a9814003c01d579ea54e133e43a113964da96e55e85d80479a3465a6801ef91c708
SHA1 hash: f35be99d9b50bbddd3e8af3fa955e1be4401f894
MD5 hash: 9a929e07041c7f73f38addf39099738f
humanhash: uncle-fifteen-failed-black
File name: Planets Therapy Installer.exe
File size: 82'587'443 bytes
First seen: 2024-02-05 12:39:47 UTC
Last seen: 2024-02-05 14:28:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep: 1572864:3D6LBYYcLL+oX5YQxwhoZHBFdNYZvpXm6IKEp:36upnX5RxGozFC3IKE
TLSH: T1BB0833AA0A45311AF0E933FA3F3E6DEEF634C0012B5555F3AC955686CC83CE66C6846D
TrID:
  37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
  7.3% (.ICL) Windows Icons Library (generic) (2059/9)
  7.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter: JaffaCakes118
Tags: exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 330
Origin country: RO
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: installer lolbin overlay packed shell32

Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: suspicious
Classification: n/a
Score: 32 / 100
Signature: Drops large PE files
Behaviour (Behavior Graph):
Behavior Graph ID: 1386762
Sample: Planets_Therapy_Installer.exe
Start date: 05/02/2024
Architecture: WINDOWS
Score: 32

Process tree and observed activity:
Planets_Therapy_Installer.exe (started)
  Dropped: C:\Users\user\AppData\Local\...\nsis7z.dll (PE32)
  Dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
  Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
  Dropped: 15 other files (none is malicious)
  Signature: Drops large PE files
  Started: cmd.exe
    Started: conhost.exe
    Started: tasklist.exe
    Started: find.exe
PlanetsTherapy.exe (started)
  Network: ipinfo.io 34.117.186.192, 443, 49718, GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States
  Dropped: c533d5a6-983e-4145...6572078feb.tmp.node (PE32+)
  Dropped: 2d5fabe8-03e2-4b45...09e2db7e15.tmp.node (PE32+)
  Started: PlanetsTherapy.exe
    Network: chrome.cloudflare-dns.com 172.64.41.3, 443, 49717, CLOUDFLARENETUS, United States
  Started: cmd.exe
    Started: 2 other processes
  Started: cmd.exe
    Started: 2 other processes
  Started: 5 other processes
    Started: conhost.exe (4 instances)
Verdict: unknown

Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour:
  Checks processor information in registry
  Enumerates processes with tasklist
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Checks installed software on the system
  Looks up external IP address via web service
  Executes dropped EXE
  Loads dropped DLL
  Reads user/profile data of web browsers
  Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 6b2e51f4c3cadfd3441d843a96ebb56c50cb132ced3083bbf2f0ac760aca121c (this sample)
Delivery method: Distributed via web download