MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72387970568c1851c69084ec5a8b20816cd74e9bedcc269b065bff6cffc497ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72387970568c1851c69084ec5a8b20816cd74e9bedcc269b065bff6cffc497ea
SHA3-384 hash: d84cfd21c4a0bff0e067b17f533b5936ccaa0874439b5b9796aa5a29b8132754b3a712757e952d3c7dec465470059026
SHA1 hash: e29f155972549a32dd54178f112bd6d00de5b658
MD5 hash: 222f051f53a97ee9615dbc1f0cdf4e84
humanhash: spaghetti-foxtrot-west-mexico
File name:222f051f53a97ee9615dbc1f0cdf4e84.exe
Download: download sample
File size:378'368 bytes
First seen:2025-05-17 06:28:52 UTC
Last seen:2025-05-17 08:19:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:KunyLH8oo15hmBzdR4CwYzbATeJEq03/sIbWcY6j+JYfSzSE5y4XSbBxQLnf8n37:kL/oLhmBpRFwC0vL6mSfSVxQL03u6NJ
TLSH T13C842346866DAB30EBD98B7D2DF35A861C70D1A3F5126F68B09563428A33B47EF407C4
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
430
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3332.27871.28840.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68282cc9e5aa44ec2e1a194a
Tags:
dropper virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 net_reactor obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68282cbe0de036ed65aa7d79/reports/5dbbc14b-f828-4322-b630-b9d2a2b05f81/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/72387970568c1851c69084ec5a8b20816cd74e9bedcc269b065bff6cffc497ea
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b3fa14c-8e9a-4719-b04d-a1a04ccb542f
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1692647
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/72387970568c1851c69084ec5a8b20816cd74e9bedcc269b065bff6cffc497ea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72387970568c1851c69084ec5a8b20816cd74e9bedcc269b065bff6cffc497ea/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-05-17 02:37:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oi4hs4cwrqmfdruqqtwfvczaqfwnotu35xgcngyglp7wz76es7va._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/250517-g81nfsylv6/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/53b06fd6-1f0b-40f2-8902-e84a1f625f5a
Unpacked files
SH256 hash:
72387970568c1851c69084ec5a8b20816cd74e9bedcc269b065bff6cffc497ea
MD5 hash:
222f051f53a97ee9615dbc1f0cdf4e84
SHA1 hash:
e29f155972549a32dd54178f112bd6d00de5b658
Link:
https://www.unpac.me/results/fb5e179d-517d-46c2-adaa-2fee85d80a50/
SH256 hash:
a424ba6b8d4f3050ac554752b414fad8fbb908743eb2f8454a36e214601a5cb2
MD5 hash:
3fa89280eb2470779af4c7e1a5e394f8
SHA1 hash:
0a6379aeeb2f6abe837f168dfd2e85772354c8c0
Link:
https://www.unpac.me/results/fb5e179d-517d-46c2-adaa-2fee85d80a50/
SH256 hash:
86f40b5fed8b51a8c512fa0cd931d7b57ad93855b494af5e9088072c88ce75d7
MD5 hash:
df9a11dde6610ee89fce233858461b6e
SHA1 hash:
53d45358f3d636f4f105ec1b58c2708d96797d51
Link:
https://www.unpac.me/results/fb5e179d-517d-46c2-adaa-2fee85d80a50/
SH256 hash:
13d9bdb0ef69db79c2ff3f718ae50f762a459adbc95596cc08c881abb896b7a6
MD5 hash:
3943603ac249b0261d1ad1e4aaea8660
SHA1 hash:
cbd4ea0c9d15fd8dc2005a4fc0705dfee802c2cd
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fb5e179d-517d-46c2-adaa-2fee85d80a50/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/72387970568c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72387970568c1851c69084ec5a8b20816cd74e9bedcc269b065bff6cffc497ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 72387970568c1851c69084ec5a8b20816cd74e9bedcc269b065bff6cffc497ea

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3545536/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments