MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82b53444cb1607da0d82f371e6976f765a236a1468e88f6385ee24f2e6f5d1bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	82b53444cb1607da0d82f371e6976f765a236a1468e88f6385ee24f2e6f5d1bb
SHA3-384 hash:	5adf9bb3dd1c2383e2e0deeedc4809b6972018c300c1e8dd362cc18ea562f69ca6c4ce9bcbe0d6287bfcea039fe0550a
SHA1 hash:	04a8cb67707728a82df5d8193647ab01761d061c
MD5 hash:	29404c47f7fdab045b3ec0404563a03d
humanhash:	five-ink-johnny-shade
File name:	stub2.exe
Download:	download sample
File size:	21'396'737 bytes
First seen:	2022-12-31 06:02:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a6cec5b1a631d592d80900ab7e1de8df (3 x IRCbot, 3 x CobaltStrike, 3 x RedLineStealer)
ssdeep	393216:MflgwHGyvAhWIzA9QsrloKn3e/m3pZeWG2QXBv8SxRoJNW8DVMF3PV:Mflbmyv6WLqbdKZMv/4NW8D2F3P
Threatray	3'843 similar samples on MalwareBazaar
TLSH	T1BF273397B3440A98F495733BAC8B912655E67C064BA8C28B45C81A501EFF1D2FD7BF32
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter	r3dbU7z
Tags:	exe pyinstaller spyware

Intelligence

File Origin

# of uploads :

# of downloads :

379

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

stub2.exe

Verdict:

Malicious activity

Analysis date:

2022-12-31 06:06:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cf27a35e-ce71-4024-8cbf-b0d740066058

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepMalware.12574.23298.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Running batch commands

Creating a process with a hidden window

Creating a file

Using the Windows Management Instrumentation requests

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed python

Link:

https://www.filescan.io/uploads/63afd099a70bef46551c5385/reports/50e2260b-5d07-416e-bd48-6c7d417eea66/overview

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1143444

Signature

Connects to a pastebin service (likely for C&C)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-12-31 06:03:47 UTC

File Type:

PE+ (Exe)

Extracted files:

3250

AV detection:

5 of 26 (19.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qk2tirglcyd5udmc6ny6nf3pozncg2qundui6y4f5yspfzxv2g5q._file

Verdict:

unknown

30b39abec09a0975936b022b05e4a8b6e2fe34cb52c533a1fdfb2f9832152b74

4c3e6e0a44cec929b36ea43075ddb2d952c8fe7c19ee1b61de1e4f5b896a2147

5a07bc69ad4a2437e2a2ee9913a60fc6f147a895ea5d82bc2c1e3103a0b54454

937e73c80582b2c880a5af198e6520e76e22c3e1ef2fe4a8278d0b49ec61ef86

a3d391dac8cecf22acc946063a6c0afe18d3778cbdfc168b96b67fe5c15d9494

acb6ddc1461c0d9e81f482f4e5738f330d01f0365b6f95e44aa5792fbe8d7376

b71c27f07c3367ed0733d3bfc17eec9d101a955cf1f8af003ed8977584778d87

d1833d29e63b708289b27d78dbe7604f2a072f2fa853121e29ca13428d81e35e

ec5ab723a255e763e9c87a23d44794b70108b988c7053432177d5dadafd7e645

+ 3'833 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

pyinstaller upx

Link:

https://tria.ge/reports/221231-gr2jeshc62/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

UPX packed file

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/876dab63-5ece-4da3-984a-5a24448ed600

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/82b53444cb1607da0d82f371e6976f765a236a1468e88f6385ee24f2e6f5d1bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	shad0w_beacon_16June Create hunting rule
Author:	SBousseaden
Description:	Shad0w beacon compressed
Reference:	https://github.com/bats3c/shad0w

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 82b53444cb1607da0d82f371e6976f765a236a1468e88f6385ee24f2e6f5d1bb

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample