MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eed9e803c9a3279c5f1d97df326e7c6fc169d6495a27c84bce368dbca15f0b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	6eed9e803c9a3279c5f1d97df326e7c6fc169d6495a27c84bce368dbca15f0b8
SHA3-384 hash:	e90d50624e079e76d5e28e58d680ab28492e3b2888d2757ed9d97e9c9dbaeea453be40d554f348254ac9e879e1a1413b
SHA1 hash:	b92920d7a63c7a7ce52e038bae57469de8bd0d3d
MD5 hash:	ff08997fd579e8e1a3401587600117b3
humanhash:	kentucky-indigo-tennis-lithium
File name:	file
Download:	download sample
File size:	1'513'872 bytes
First seen:	2022-12-21 00:48:57 UTC
Last seen:	2022-12-31 01:59:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	32ce588131d544a6a161db018285a422
ssdeep	24576:MCU0ZPWQ8zNgS9JLgqazoDaL+gBBO2xLlAN/UEswJmD41:MCU0ZPp8zNgS9JLgPkDaagBBO2V2N/Ue
Threatray	17 similar samples on MalwareBazaar
TLSH	T18E65F2D962978623C8ED40327908FBAB2E587438ED7B8DED6E503BCECEB41556118707
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0dc8e9e96b6f4cc
Reporter	andretavare5
Tags:	exe signed

Code Signing Certificate

Organisation:	legit.ng
Issuer:	R3
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-10-17T11:51:24Z
Valid to:	2023-01-15T11:51:23Z
Serial number:	04b6c84e085a52163d1d95508dc12795e86e
Thumbprint Algorithm:	SHA256
Thumbprint:	f6cc2ee4b8278be9e8af7352faec346cb88632ba233abe1620c340e12af28e66
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://91.213.50.96/files/hobnob.exe

Intelligence

File Origin

# of uploads :

# of downloads :

169

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-12-21 00:51:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/24977d9c-e51b-4036-b65e-39446cfd16a3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/348553/

Detection(s):

SecuriteInfo.com.Malware-Cryptor.Limpopo.21185.15910.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

DNS request

Verdict:

No Threat

Threat level:

2/10

Confidence:

60%

Tags:

greyware overlay packed rat

Link:

https://www.filescan.io/uploads/63a2580059212d118a3b2661/reports/d1eb5db8-0641-4575-b6b4-1386b5fa9fb9/overview

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/80336a41-ab2a-4d2a-8a94-292f4d06b6b4

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1138321

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6eed9e803c9a3279c5f1d97df326e7c6fc169d6495a27c84bce368dbca15f0b8/

Threat name:

Win32.Trojan.GenSteal

Status:

Malicious

First seen:

2022-12-21 00:49:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 26 (42.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n3wz5ab4tizhtrpr3f67gjxhy36bnhleswrhzbf44nunxsqv6c4a._file

Verdict:

malicious

23bfe23863ee4df2f5279e93f85b19c8bc2a826ca97841d7ccf790cebe07f48f

346ae48c6de340510a3db1fcf1a60d8c1b1b6892ef5242ed2e25c70097ed1e68

366e015f3ab40776810c6c6b3e2c26c294311ff0b7f3232ce7ad2a3445649301

611ad3e4ed3e0961e1904108c0481468017d9035d3c3f9d7757b01da901067ea

ccd8f858057e8f7b43f3ae2490de946c65dab843514f0239bd9f50ba207fb8da

ce6cc42aa09da7448f7ba9a992584cdd69e76b3759edfabb1cfcadea4edf2abe

cf7e87560e6226eca45aa85b0b0b7b0791c08a94c105e7263cd762a56b02154b

dc1d7f4ca1fc8217390f2f58971a2e695fb293b49d0ceda0bc962c72a12139bd

e9dfa7091ae536608ed7d95240cb6abba1033e14af969d271c804edf477ea387

+ 7 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/221221-a6cehsbd42/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Program crash

Unpacked files

SH256 hash:

2190edb51e9f3abb3a145b2704ecc886504b24f8746dc02a83cecae5560e94cb

MD5 hash:

b53b71678d8878b3f9dc2ef8c57540cb

SHA1 hash:

e65c56c4bab6cdcdd27ab58ec88cc207b6eae153

Link:

https://www.unpac.me/results/8738f461-5b25-4196-86f4-6822379c71ed/

SH256 hash:

6eed9e803c9a3279c5f1d97df326e7c6fc169d6495a27c84bce368dbca15f0b8

MD5 hash:

ff08997fd579e8e1a3401587600117b3

SHA1 hash:

b92920d7a63c7a7ce52e038bae57469de8bd0d3d

Link:

https://www.unpac.me/results/8738f461-5b25-4196-86f4-6822379c71ed/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.27

Link:

https://yomi.yoroi.company/submissions/6eed9e803c9a3279c5f1d97df326e7c6fc169d6495a27c84bce368dbca15f0b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2468701/

Cape

https://www.capesandbox.com/analysis/348553/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample