MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79b30159c6eaabe98bef0992b5c26e83249ed532c47da8ff24d3688eda8e8f79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79b30159c6eaabe98bef0992b5c26e83249ed532c47da8ff24d3688eda8e8f79
SHA3-384 hash: 34c9b4a70fbd9ab5edf594115622fb21f4a9a07705ea910f9229b610c31e7dbc4484c0bb10c57a832afe6943ac628793
SHA1 hash: 8f77981394b79ed398e71daecdea9df877a4fea8
MD5 hash: 25de13d9891f5c6a7ad8cd27dcd94f1b
humanhash: yankee-ink-princess-princess
File name:setup_x86_x64_install.exe
Download: download sample
File size:1'751'793 bytes
First seen:2021-07-14 12:48:59 UTC
Last seen:2021-07-14 13:55:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e04eb610508ddb951732064297e50b65 (6 x CryptBot)
ssdeep 49152:l1GBif9TlYPt0ksUv43BWzR7uj0nOSkcQWkDKhlVvEemAo9:l1xf9GOEvn1knWkDl9
Threatray 308 similar samples on MalwareBazaar
TLSH T109851241F8E38976E1A7F276702CE1945925FC6F17248AC77784FF0A95E1A802E38673
Reporter Anonymous
Tags:exe installer

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-07-14 12:49:52 UTC
Tags:
stealer trojan loader
Link:
https://app.any.run/tasks/9b092ce2-66a5-4846-8b18-d4a81f51cfd6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171651/
Detection(s):
SecuriteInfo.com.Artemis25DE13D9891F.18201.29470.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6edeb0f1-b3c2-48f9-ba65-8d999db3ea87
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/816205
Signature
Contains functionality to register a low level keyboard hook
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448616 Sample: setup_x86_x64_install.exe Startdate: 14/07/2021 Architecture: WINDOWS Score: 88 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Found many strings related to Crypto-Wallets (likely being stolen) 2->44 9 setup_x86_x64_install.exe 7 2->9         started        process3 signatures4 46 Contains functionality to register a low level keyboard hook 9->46 12 cmd.exe 1 9->12         started        process5 signatures6 48 Submitted sample is a known malware sample 12->48 50 Obfuscated command line found 12->50 52 Uses ping.exe to sleep 12->52 54 Uses ping.exe to check the status of other devices and networks 12->54 15 cmd.exe 3 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 62 Obfuscated command line found 15->62 64 Uses ping.exe to sleep 15->64 20 Antichi.exe.com 15->20         started        22 PING.EXE 1 15->22         started        25 findstr.exe 1 15->25         started        process9 dnsIp10 28 Antichi.exe.com 20 20->28         started        34 127.0.0.1 unknown unknown 22->34 32 C:\Users\user\AppData\...\Antichi.exe.com, Targa 25->32 dropped file11 process12 dnsIp13 36 hofxuo04.top 47.243.129.23, 49724, 49725, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 28->36 38 yovGqIVlhkjSmkVJHYQEHOkKUGTT.yovGqIVlhkjSmkVJHYQEHOkKUGTT 28->38 56 Tries to harvest and steal ftp login credentials 28->56 58 Tries to harvest and steal browser information (history, passwords, etc) 28->58 60 Tries to steal Crypto Currency Wallets 28->60 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79b30159c6eaabe98bef0992b5c26e83249ed532c47da8ff24d3688eda8e8f79/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 12:49:05 UTC
AV detection:
6 of 29 (20.69%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2afd735ca5d2ad8a8478c4832e4827b150e30d5f0b7c1dc174ce934017ee1d76
2ea8a6e52838153831b064c6c9a797705e3acc60cfe34bdb237cbd8a360cc73b
6e3bf07d961efc686017f48cf2f847072cb35699dc24e44287d9e01274814ad4
7525f2c1ccec025adb8f773ab10ecd9cee7bacec9949a7415ad239cec969bfb8
78917f8c2ce40501bb4bf955f14e9f96dea7aa003bc6d21611d6c771a7df6a16
fe0921df62f37332cab9e56fbbfe050e204e196e55eb323657c1f0469a6ff27b
+ 298 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210714-xbr8n3dntx/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Blocklisted process makes network request
Unpacked files
SH256 hash:
109c16f50f9ae04cf6793d0f92f47509bf2fc878eaef96956c17368a95c8f300
MD5 hash:
26b41f7db7b7d19ef44a41e4f157cacd
SHA1 hash:
13cf5e5e448eece3101fd64c9f9dd1d742b00a6e
Link:
https://www.unpac.me/results/c3e5f58f-3610-48e5-bf71-34a8d2b7c3f2/
SH256 hash:
79b30159c6eaabe98bef0992b5c26e83249ed532c47da8ff24d3688eda8e8f79
MD5 hash:
25de13d9891f5c6a7ad8cd27dcd94f1b
SHA1 hash:
8f77981394b79ed398e71daecdea9df877a4fea8
Link:
https://www.unpac.me/results/c3e5f58f-3610-48e5-bf71-34a8d2b7c3f2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79b30159c6eaabe98bef0992b5c26e83249ed532c47da8ff24d3688eda8e8f79

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171651/

Comments