MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74e1d8874281b83e12848379cc866367fc74c5958cf69b57ead6039b5f9a3184. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 6

SHA256 hash: 74e1d8874281b83e12848379cc866367fc74c5958cf69b57ead6039b5f9a3184
SHA3-384 hash: dfabfaddb0d088bcad59af7c8099f5a8a0f1b7f993ee6449c1fe477e21b920b83e6786e20d865833ee2b6e4f0b2153b9
SHA1 hash: e1c1bab56b3e653666dde549a13b3af84c463091
MD5 hash: 36bd30a6fb524e19002080fbd6273646
humanhash: mobile-carpet-jupiter-steak
File name: 36bd30a6fb524e19002080fbd6273646.exe
File size: 9'863'275 bytes
First seen: 2023-08-16 12:38:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep: 196608:HPMXM8K/OY3acuuDfyGKb21X5Sp6GemDMPwuWLEYT2kUw1YPGAfhzA:v+ML/OY3aADfDKCpfaMPfYT2R4Et
Threatray: 8 similar samples on MalwareBazaar
TLSH: T19CA6339161711DE9E8B3523AC6858A509A72BC2707A0EECF53A0375B0F376E12D7EF11
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 6464c6f4deec84e1 (1 x DCRat)
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 264
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 36bd30a6fb524e19002080fbd6273646.exe
Verdict: No threats detected
Analysis date: 2023-08-16 12:40:32 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a file in the %temp% subdirectories
  Restart of the analyzed sample
  Running batch commands
  Launching a process
  Searching for the window
  DNS request
  Sending a custom TCP request
  Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
  Enabling autorun by creating a file
  Gathering data
Result
Verdict:
MALICIOUS
Result
Threat name: n/a
Detection: malicious
Classification: troj
Score: 60 / 100
Signature:
  Connects to a pastebin service (likely for C&C)
  Contains functionality to infect the boot sector
  Multi AV Scanner detection for submitted file
  Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph: [graph image not extracted; the details recoverable from the graph's text are summarized below]
  Behavior Graph ID: 1292104; sample: YYe14HqiVl.exe; start date: 16/08/2023; architecture: WINDOWS; score: 60
  Process chain: YYe14HqiVl.exe starts further YYe14HqiVl.exe instances, which in turn launch cmd.exe; each cmd.exe starts conhost.exe and schtasks.exe
  Network: pastebin.com, resolved to 104.20.68.143 and 104.20.67.143 (port 443, CLOUDFLARENETUS, United States)
  Dropped files per instance: C:\Users\user\AppData\...\unicodedata.pyd, C:\Users\user\AppData\Local\...\select.pyd, C:\Users\user\AppData\Local\...\python311.dll (all PE32+), plus 59 to 62 other files (none is malicious)
  Signatures raised in the graph: Multi AV Scanner detection for submitted file; Connects to a pastebin service (likely for C&C); Contains functionality to infect the boot sector; Uses schtasks.exe or at.exe to add and modify task schedules
Result
Malware family: n/a
Score: 7/10
Tags: persistence pyinstaller
Behaviour:
  Creates scheduled task(s)
  Suspicious use of WriteProcessMemory
  Adds Run key to start application
  Legitimate hosting services abused for malware hosting/C2
  Loads dropped DLL
Unpacked files
SHA256 hash: 74e1d8874281b83e12848379cc866367fc74c5958cf69b57ead6039b5f9a3184
MD5 hash: 36bd30a6fb524e19002080fbd6273646
SHA1 hash: e1c1bab56b3e653666dde549a13b3af84c463091

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments