MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 844bc19d639b4c95b4829e9b1d3c16cef6d94aad8ef4f5b2d2879ac2ef1df37b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 10 File information Comments

SHA256 hash:	844bc19d639b4c95b4829e9b1d3c16cef6d94aad8ef4f5b2d2879ac2ef1df37b
SHA3-384 hash:	329c540c4cb4aebd2b4c2ce3cd3feeec2bd55e6459ec8e96deb5de8263b075b39453fac8b3363b0eb56653d4b006c0a2
SHA1 hash:	e3c8cf4cc13705eb4e52230549c1209ada1de74f
MD5 hash:	0cfc3d4431fea6fe268b4856a3d1ba03
humanhash:	potato-skylark-william-lemon
File name:	file
Download:	download sample
File size:	7'734'423 bytes
First seen:	2022-11-04 19:46:18 UTC
Last seen:	2022-11-05 05:43:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep	49152:UW9/NoNAsWKvPIuW1VHt7W/kduBgmaJ5EvYtGQnldjoTa01:jo0+a7U6EmG8l
Threatray	36 similar samples on MalwareBazaar
TLSH	T150761847F89584F4C1AED130CA669262BA713C895B3063D33B61F3B82B73BD46A79354
gimphash	960144559e780f846fc759a7ccebf93bb776fc9c1d0ad7e11401422c661462c4
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	andretavare5
Tags:	exe

andretavare5

Sample downloaded from https://vk.com/doc759438714_648957070?hash=38bdVVIn83wLJV3udaT5TuTnk15755nkHQ1Lole48KP&dl=G42TSNBTHA3TCNA:1667590947:uaj0DMpTP1DKY1kZwBczpH8BUYqIl1lhKNFGgO5rzUc&api=1&no_preview=1#build1

Intelligence

File Origin

# of uploads :

159

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-11-04 19:54:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f99612e3-ace6-4f20-ad48-06dcbf7dd0c8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/328794/

Detection(s):

Can't access file ERROR

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a process

Forced system process termination

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/48669/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

golang overlay

Link:

https://www.filescan.io/uploads/63656c3815611f8d8bf8e164/reports/00ee9c40-9fa9-4d32-9cdf-8b15cea7bedf/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Kraken

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/81f86048-481c-4f1b-a6c3-473b116612cc

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1105718

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Potentially malicious time measurement code found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/844bc19d639b4c95b4829e9b1d3c16cef6d94aad8ef4f5b2d2879ac2ef1df37b/

Threat name:

Win64.Infostealer.Coins

Status:

Malicious

First seen:

2022-11-04 19:47:10 UTC

File Type:

PE+ (Exe)

AV detection:

11 of 26 (42.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qrf4dhldtngjlnect2nr2pawz33nssvnr32plmwsq6nmf3y56n5q._file

Verdict:

suspicious

16e6a84d1a906671106d1f02336675820c4b1d91fdf85bca031cb84eda80237d

398df90a42c7b3cc43ea5095630ef3d8cf059beeda54e6a5888c839f5d6f5055

3d9ebf871e9ada91551158af5078da769ca8bea4014afcd75472deb0d4beb538

3f654cc740b18a83fdb840f27cf46f7c8299f51a9a2a6b97b9583ca9e9d9ca5f

4883c8f935d8c8397ffb003f72e4e515501820ebd37ca079c478ba5b7ed7b3d4

4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0

5e98a67c09e5c975e6d6a86235294386b829ba1df7d1436a9abc9db35f224b5b

8fe888167e7096db5d6aa3d3bc64998cd8fd43bef3a83fc6d3c40ffa903891f6

acb1d8fdde1f261d7c8c625ae0aab48232bea861532bb66657dda02e1a209d0e

+ 26 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/221104-yhh46aadg8/

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c7b145d9-53f6-4792-916a-bb0f71cc9905

Unpacked files

SH256 hash:

844bc19d639b4c95b4829e9b1d3c16cef6d94aad8ef4f5b2d2879ac2ef1df37b

MD5 hash:

0cfc3d4431fea6fe268b4856a3d1ba03

SHA1 hash:

e3c8cf4cc13705eb4e52230549c1209ada1de74f

Link:

https://www.unpac.me/results/f17e2b1b-91fe-46a9-b03e-138b3a785cef/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.46

Link:

https://yomi.yoroi.company/submissions/844bc19d639b4c95b4829e9b1d3c16cef6d94aad8ef4f5b2d2879ac2ef1df37b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	methodology_golang_build_strings Create hunting rule
Author:	smiller
Description:	Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/328794/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample