MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e00639b962e167ab8463fa871f8fe12f6e38166a497d7ed8cf3a2370053d1f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	7e00639b962e167ab8463fa871f8fe12f6e38166a497d7ed8cf3a2370053d1f0
SHA3-384 hash:	2a75bd89bcb58f8ff88b36f8bbe2c7bfb7aa278373547e03d462cfc547f3f33571e5b17839f7e6932871f0f3e98e6397
SHA1 hash:	f30cc8c8056e6943a4114e557615552f16cb8e2f
MD5 hash:	2cd8134f58cdbda71373f5ea79d5a422
humanhash:	gee-aspen-xray-neptune
File name:	123.scr
Download:	download sample
Signature	44CaliberStealer Alert Create hunting rule
File size:	562'176 bytes
First seen:	2023-12-14 00:39:52 UTC
Last seen:	2023-12-14 02:15:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:nYhJzH0hGN8nVY5cdFWOh+0H0uc1k7EIKxih+sgPrv6KfNcyFEOYw76:YfwM+nVMcPVY0U7qHKxugjdeyFm
Threatray	1 similar samples on MalwareBazaar
TLSH	T1B7C423DE7654328ECC0BD039CD480EB83790697FAB8F4667552354E7860DAE28F252B7
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	1331170717176933 (2 x 44CaliberStealer)
Reporter	smica83
Tags:	44CaliberStealer exe UKR

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

489

Origin country :

HU

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/467344/

ClamAV Detected

Detection(s):

PUA.Win.Packed.ConfuserEx-6582917-0

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Creating a file

DNS request

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Stealing user critical data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

confuser confuserex masquerade net packed packed

Link:

https://www.filescan.io/uploads/657a4ee38b5ba47db2e1acbf/reports/7da42d6a-e32f-442c-9049-7da08a235bbd/overview

Hybrid Analysis MSILHeracles.Generic

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/7e00639b962e167ab8463fa871f8fe12f6e38166a497d7ed8cf3a2370053d1f0

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/05232158-969c-405c-aefd-2b379558c3cd

Joe Sandbox Rags Stealer

Result

Threat name:

Rags Stealer

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1361824

Signature

Antivirus / Scanner detection for submitted sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Rags Stealer

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/7e00639b962e167ab8463fa871f8fe12f6e38166a497d7ed8cf3a2370053d1f0

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7e00639b962e167ab8463fa871f8fe12f6e38166a497d7ed8cf3a2370053d1f0/

ReversingLabs TitaniumCloud Win32.Trojan.Znyonm

Threat name:

Win32.Trojan.Znyonm

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-13 18:14:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

1

AV detection:

24 of 36 (66.67%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pyaghg4wfylhvocgh6uhd6h6cl3ohalgusl5p3mm6ordoact2hya._file

Threatray malicious

Verdict:

malicious

Similar samples:

7e00639b962e167ab8463fa871f8fe12f6e38166a497d7ed8cf3a2370053d1f0

44CaliberStealer

Hatching Triage 44caliber

Result

Malware family:

44caliber

Alert

Create hunting rule

Score:

  10/10

Tags:

family:44caliber spyware stealer

Link:

https://tria.ge/reports/231214-az7xvaaddk/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Reads user/profile data of web browsers

44Caliber

UnpacMe SUSP_NET_NAME_ConfuserEx INDICATOR_EXE_Packed_ConfuserEx

Unpacked files

SH256 hash:

d41de115d580791b9551949f8e773d2ad71e6bc0416e5baf4e10882a6bccef4e

MD5 hash:

83ec72a6e4d2fd77a5b15cc01ed2063a

SHA1 hash:

9869325eaf1376b80f52d67aa5cbbfa41b5eb429

Link:

https://www.unpac.me/results/c3797a8a-ad52-45e0-82dd-c483a9b86302/

SH256 hash:

d6b5667249634c615a289b09f0fabaacc777ae17dc93008a2a99280161d984fb

MD5 hash:

7646c125618a8b894bb14125bad32328

SHA1 hash:

0052972c60844d50788093e6804409d1f0c4ba26

Detections:

SUSP_NET_NAME_ConfuserEx

Alert

Create hunting rule

INDICATOR_EXE_Packed_ConfuserEx

Alert

Create hunting rule

Link:

https://www.unpac.me/results/c3797a8a-ad52-45e0-82dd-c483a9b86302/

SH256 hash:

7e00639b962e167ab8463fa871f8fe12f6e38166a497d7ed8cf3a2370053d1f0

MD5 hash:

2cd8134f58cdbda71373f5ea79d5a422

SHA1 hash:

f30cc8c8056e6943a4114e557615552f16cb8e2f

Detections:

SUSP_NET_NAME_ConfuserEx

Alert

Create hunting rule

INDICATOR_EXE_Packed_ConfuserEx

Alert

Create hunting rule

Link:

https://www.unpac.me/results/c3797a8a-ad52-45e0-82dd-c483a9b86302/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7e00639b962e/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7e00639b962e167ab8463fa871f8fe12f6e38166a497d7ed8cf3a2370053d1f0

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/467344/