MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79cf69dfb121cfdd2652fc085ebbc4883d3c317e0af826655dfec2badc0d93e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet

Vendor detections: 7

SHA256 hash: 79cf69dfb121cfdd2652fc085ebbc4883d3c317e0af826655dfec2badc0d93e0
SHA3-384 hash: 6d87546f57ac3b4ebd291d8717168d0121d95c40879a4cb23e0ee9df16a96c344ebaca48d694d9eb264c2dcef04d12ef
SHA1 hash: 494125193a36326356b21bddff94ddeec8cf1748
MD5 hash: 12b7354905a6ed76882b313bfd5fd777
humanhash: mango-cold-zulu-lima
File name: 12b7354905a6ed76882b313bfd5fd777
Signature: Emotet
File size: 6'003'621 bytes
First seen: 2021-02-23 13:46:41 UTC
Last seen: 2021-02-23 16:01:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c1063b9ff707a38ff65c062d195945a1 (1 x CoderWare, 1 x Emotet)
ssdeep: 98304:Wgwqie0aQl44/kxMX0MzLWW/TU4POqIFK81slGHbCKR0xi+Pjm67RupR3gURNNg+:k4LQl4Ik+i8I4GA81G+L9+Paiup9BN
Threatray: 21 similar samples on MalwareBazaar
TLSH: ED563320B144807BF5725A3654B1D274696ABF2CB7F4025FB3A03F2A6D31FD16C1EA64
Reporter: c3rb3ru5d3d53c2
Tags: Emotet NitroStealer


Intelligence


File Origin
# of uploads: 2
# of downloads: 246
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: NitroGenerator_v.1.2.4.exe
Verdict: Malicious activity
Analysis date: 2021-01-07 01:19:12 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Behaviour:
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw
Score: 68 / 100
Signature:
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)

Threat name: Win32.Infostealer.Disco
Status: Malicious
First seen: 2021-01-07 03:03:00 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: pyinstaller spyware
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_File_pyinstaller
Author: Didier Stevens (https://DidierStevens.com)
Description: Detect PE file produced by pyinstaller
Reference: https://isc.sans.edu/diary/21057

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.

File information

