MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ba3b57d0094661dbd89a3415a56a302bbb1018915037879ae99a5e5eaa26a00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ba3b57d0094661dbd89a3415a56a302bbb1018915037879ae99a5e5eaa26a00
SHA3-384 hash: 82ceee2321e8af3c1f607db8b5a96677105497a3fc114525c15bbcff17485e3e41b55bd935cd49e935a2fc54813fbd90
SHA1 hash: ec331c010b8cb25e1f807352bc2a4f77a10c7140
MD5 hash: 49a72b91a8311b1aa4a78277e7f4e91e
humanhash: violet-lithium-muppet-golf
File name:Imagelogger.exe
Download: download sample
File size:11'462'447 bytes
First seen:2022-09-11 16:03:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a6cec5b1a631d592d80900ab7e1de8df (3 x IRCbot, 3 x CobaltStrike, 3 x RedLineStealer)
ssdeep 196608:/1+UGFDgsyw62XhQWmCsXDjDyfTZk/RiEFmMGxEbJr/cmME8:t+UwcsywdhQbCED4Zk/RiEF1J7cm
Threatray 15 similar samples on MalwareBazaar
TLSH T160B6338962A44DB9FD77103EE89AC425C6B0786A1760DA4F0726715B2FE37743A3EF40
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter tech_skeech
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
374
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Imagelogger.exe
Verdict:
No threats detected
Analysis date:
2022-09-11 16:06:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/facfa44c-220d-4a35-834c-da54c94de6ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309351/
Detection(s):
SecuriteInfo.com.Multi.Agent-EK.8234.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37413/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/631e06f7a90642bcbb01b06f/reports/08b1a2ce-335b-4673-a911-479f4f6d1b6b/overview
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/602e422f-9d3c-46b6-948c-e6e1a7bf095b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1068516
Signature
Connects to a pastebin service (likely for C&C)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ba3b57d0094661dbd89a3415a56a302bbb1018915037879ae99a5e5eaa26a00/
Threat name:
Win64.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2022-09-10 22:32:12 UTC
File Type:
PE+ (Exe)
Extracted files:
750
AV detection:
15 of 26 (57.69%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nor3k7iasrtb3pmjunavuvvdak53camjcubxq6notgs6l2vcniaa._file
Verdict:
unknown
Similar samples:
141d54581eb69e9edfa0361f7acbe33df1563d0d85d4242934381d651e97fbd3
476a05d5c8ef4444f96cbd02c3a315c56227b7510f75e82249a449bb79e977fc
4b56d8713523dea09695ec6beef98608c234e5f8a9be77be931a687c080fb0f1
5a84910606ad80acd72e15856c704e0a044f93d46df482d5629d4cc2c55d546b
5c718efeb3b955290112362f4d95e2e5f9c32080d14de40106cae9f42a796d52
906d1ee4c61e1fa0b1417bbf60d5087ceb1e817a75d314b8471099d0a89e8575
a07afb3f48c05bc311adc6a9473310e6b35e14f14920e543ee8ca032a0af637f
acb6ddc1461c0d9e81f482f4e5738f330d01f0365b6f95e44aa5792fbe8d7376
b000ebdd1ec391024c2d6a953a56485a5460ca449b419bb2380f210620d72dae
b8e807fd68dc28227145b1fed9a72e925c24ab76495dce4733e9656740732b1b
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/220911-thxkbsbhe9/
Behaviour
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
6ba3b57d0094661dbd89a3415a56a302bbb1018915037879ae99a5e5eaa26a00
MD5 hash:
49a72b91a8311b1aa4a78277e7f4e91e
SHA1 hash:
ec331c010b8cb25e1f807352bc2a4f77a10c7140
Link:
https://www.unpac.me/results/fb42f28b-f869-4855-b7e0-740d95d7f7e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ba3b57d0094661dbd89a3415a56a302bbb1018915037879ae99a5e5eaa26a00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6ba3b57d0094661dbd89a3415a56a302bbb1018915037879ae99a5e5eaa26a00

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/309351/

Comments