MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a
SHA3-384 hash: 23b07ecaed4df8d9c95593a2fd57a0448afec9f3ef57eab00c26061746c6d055f5a60a14d3cff43704ae700878da0bc0
SHA1 hash: 43baaefa89366a2ab42e1ad30fdffcebeb81d00a
MD5 hash: 21f57e534a0adc7765d6eeb22ec5bd74
humanhash: dakota-pennsylvania-oxygen-early
File name:SecuriteInfo.com.Win64.Evo-gen.4079.4864
Download: download sample
File size:17'331'701 bytes
First seen:2024-01-31 12:50:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 393216:+Y2ayszf490yDfD608r6a0S6MpfaMPANgA5esmAl5VNR:+Y2dszfm0ybG08r6I6uf9PAPNmArR
TLSH T1800733E4C1B239F1D4A60036F864563CA7F334634B61C65F97AB924A1E43DE26C7AF12
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (16 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://bazaar.abuse.ch/download/97efe91fe5eff3dcdcb055f037f1df01c1409e6bd38a8f07170ea53a0ff265ef/
Verdict:
Malicious activity
Analysis date:
2024-01-31 14:47:32 UTC
Tags:
opendir stealer redline loader risepro evasion agenttesla amadey stealc phorpiex trojan pushdo cutwail backdoor sinkhole socks5systemz proxy kelihos
Link:
https://app.any.run/tasks/3262af13-c269-4ebf-a95a-c487d2f3515b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.4079.4864.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
expand lolbin masquerade overlay packed packed pyinstaller
Link:
https://www.filescan.io/uploads/65ba424a814c2aeb148640d0/reports/0e0182c1-b4c1-42ea-bd45-0fa65e9373e3/overview
Verdict:
Malicious
Labled as:
Trojan.Disin.Script
Link:
https://www.hybrid-analysis.com/sample/8487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a
Malware family:
TeamViewer GmbH
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d0e82c1f-3ab1-4616-88a6-c8681f53921d
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1384077
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1384077 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 31/01/2024 Architecture: WINDOWS Score: 56 82 raw.githubusercontent.com 2->82 88 Multi AV Scanner detection for submitted file 2->88 90 Machine Learning detection for sample 2->90 15 SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe 73 2->15         started        signatures3 process4 file5 74 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+ 15->74 dropped 76 C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 15->76 dropped 78 C:\Users\...\_wrappers.cp311-win_amd64.pyd, PE32+ 15->78 dropped 80 32 other files (none is malicious) 15->80 dropped 86 Potentially malicious time measurement code found 15->86 19 SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe 15->19         started        signatures6 process7 dnsIp8 84 raw.githubusercontent.com 185.199.109.133, 443, 49730, 49738 FASTLYUS Netherlands 19->84 22 SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe 73 19->22         started        process9 file10 58 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+ 22->58 dropped 60 C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 22->60 dropped 62 C:\Users\...\_wrappers.cp311-win_amd64.pyd, PE32+ 22->62 dropped 64 32 other files (none is malicious) 22->64 dropped 25 SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe 22->25         started        process11 process12 27 SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe 73 25->27         started        file13 66 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+ 27->66 dropped 68 C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 27->68 dropped 70 C:\Users\...\_wrappers.cp311-win_amd64.pyd, PE32+ 27->70 dropped 72 32 other files (none is malicious) 27->72 dropped 30 SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe 27->30         started        process14 process15 32 SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe 73 30->32         started        file16 42 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+ 32->42 dropped 44 C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 32->44 dropped 46 C:\Users\...\_wrappers.cp311-win_amd64.pyd, PE32+ 32->46 dropped 48 32 other files (none is malicious) 32->48 dropped 35 SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe 32->35         started        process17 process18 37 SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe 73 35->37         started        file19 50 C:\Users\...\backend_c.cp311-win_amd64.pyd, PE32+ 37->50 dropped 52 C:\Users\user\...\_cffi.cp311-win_amd64.pyd, PE32+ 37->52 dropped 54 C:\Users\...\_wrappers.cp311-win_amd64.pyd, PE32+ 37->54 dropped 56 32 other files (none is malicious) 37->56 dropped 40 SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe 37->40         started        process20
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-01-31 12:51:11 UTC
File Type:
PE+ (Exe)
Extracted files:
1164
AV detection:
10 of 23 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qsd3ps6mmmy44xnhupyzekmbhqiiaeuf5uykrwboqg7rtmpmhbna._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/240131-p3hvfseder/
Behaviour
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Unpacked files
SH256 hash:
8487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a
MD5 hash:
21f57e534a0adc7765d6eeb22ec5bd74
SHA1 hash:
43baaefa89366a2ab42e1ad30fdffcebeb81d00a
Detections:
PyInstaller
Create hunting rule
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/0817cf0d-1d6d-48fa-9453-51d4b815dbed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:globalnet_files
Create hunting rule
Author:vmovupd
Description:Detect PE files compiled with PyInstaller with AntiDecompilation string. Observed in GlobalNet botnet campaign.
Reference:https://twitter.com/vmovupd/status/1722548036839072017
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2754083/
  
Delivery method
Distributed via web download

Comments