MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74f3138036e7fac6464e48b866197afc56d80b3bfa9c1944d3226258ec49492a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PythonStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	74f3138036e7fac6464e48b866197afc56d80b3bfa9c1944d3226258ec49492a
SHA3-384 hash:	940e4b3a9e76540eabd4f18cc44b21fc64c8eaf287e361f9b1dfc1284975f5ca1c1cfe18bc5898bc512d88add0ae4a88
SHA1 hash:	5c5d6af10bd1ab99b926770c23613b8ff88a7f6c
MD5 hash:	15364923bbeeffbc51b7592f97030bcc
humanhash:	wolfram-alabama-maryland-august
File name:	15364923bbeeffbc51b7592f97030bcc.exe
Download:	download sample
Signature	PythonStealer Create hunting rule
File size:	18'050'048 bytes
First seen:	2024-01-13 05:50:01 UTC
Last seen:	2024-01-13 07:21:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a7b0793ae6dd3f16ef244d19e4de0c24 (17 x PythonStealer, 1 x CoinMiner, 1 x StinkStealer)
ssdeep	393216:mgIylbDWeXz9Jg8WBJWvVPtMkwek5VJFvXZ6:MyVSrBJKPtOn5zFx6
TLSH	T1DD07330D81D7EDACD523F176A816F3B3BC36F8D01B2196BB9A99B1702773524121A378
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe PythonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

334

Origin country :

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Nuitka-9992781-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a file

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug expand lolbin packed redcap shell32

Link:

https://www.filescan.io/uploads/65a2248c8369fab94debf24d/reports/51ecbd00-6d6f-42e1-92bb-dd11d3f5a7a6/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/74f3138036e7fac6464e48b866197afc56d80b3bfa9c1944d3226258ec49492a

Result

Verdict:

MALICIOUS

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e656fa4d-6292-4aad-94ea-64273a6b5926

Result

Threat name:

Python Stealer

Detection:

malicious

Classification:

troj

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1374179

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Generic Python Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/74f3138036e7fac6464e48b866197afc56d80b3bfa9c1944d3226258ec49492a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/74f3138036e7fac6464e48b866197afc56d80b3bfa9c1944d3226258ec49492a/

Threat name:

Win64.Adware.RedCap

Status:

Malicious

First seen:

2024-01-13 02:31:35 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=otzrhabw475mmrsojc4gmgl27rlnqcz37kobsrgtejrfr3cjjeva._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/240113-gjk7gadbal/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

74f3138036e7fac6464e48b866197afc56d80b3bfa9c1944d3226258ec49492a

MD5 hash:

15364923bbeeffbc51b7592f97030bcc

SHA1 hash:

5c5d6af10bd1ab99b926770c23613b8ff88a7f6c

Link:

https://www.unpac.me/results/e665ed19-0db7-43df-8172-13b88244ff00/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/74f3138036e7fac6464e48b866197afc56d80b3bfa9c1944d3226258ec49492a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PythonStealer

exe 74f3138036e7fac6464e48b866197afc56d80b3bfa9c1944d3226258ec49492a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2748296/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample