MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86e233cb75b893c9e4e0d26385155c4f575e4217f2d52cba592641c996bc9cc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VectorStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86e233cb75b893c9e4e0d26385155c4f575e4217f2d52cba592641c996bc9cc8
SHA3-384 hash: c3b875c0bf1049c7da167ba86838bc58460b1971727412c38233b681e44800058da406d7b2d072297ad2f4b476b98bb6
SHA1 hash: 7e4c0599f6c94762172431f522ced9873b2f01f6
MD5 hash: 8b00956371455a2cec3430013108263c
humanhash: asparagus-early-victor-michigan
File name:CTM ARRANGEMENT BREAKDOWN DENOMINATION - MV NEPTUNE_pdf.exe
Download: download sample
Signature VectorStealer
Create hunting rule
File size:1'729'024 bytes
First seen:2023-03-21 17:58:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:Zr9N2v2XcyPon9gjLP2f1a5fRC7BmUITNKpM7F89ioA7sg1YtCb:Zh8WcVKjL6qfR9xKuB89VKpYC
Threatray 26 similar samples on MalwareBazaar
TLSH T1A585BDC24334480EFDA01E7E335564B3DE53DD99D8EBB2AF1A97BC2A64F844405CE962
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:exe VectorStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CTM ARRANGEMENT BREAKDOWN DENOMINATION - MV NEPTUNE_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-21 17:58:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fd202b14-7b5a-48c1-82ee-278a9d391238

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6419f0673b01ade53e70168a/reports/de1e82c9-ac0c-4cce-8429-8f9570ed0056/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/86e233cb75b893c9e4e0d26385155c4f575e4217f2d52cba592641c996bc9cc8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cab41b8d-ef41-45d4-b8df-3c0d0e1afb60
Result
Threat name:
Vector Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1198796
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Yara detected Vector Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86e233cb75b893c9e4e0d26385155c4f575e4217f2d52cba592641c996bc9cc8/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-13 08:01:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q3rdhs3vxcj4tzha2jrykfk4j5lv4qqx6lkszoszeza4tfv4ttea._file
Verdict:
malicious
Similar samples:
088c2f0914786aef4076d2c680c5d0c817696ada1f2f5a31b9e8250680f796bd
VectorStealer
11448a58a01b27a0f74213c3c46c751abf0847cdc6bd22e8c59ac880605eb057
VectorStealer
2f723e39cf2fcb28e858a0002e6945fe0e7266e16ec272fe9c9deb1b49309a57
VectorStealer
48ae64ee3a74c4d134f8c6542d9374325cfd89430d27dd810d3fe0f4961d105e
VectorStealer
6373b3649500fd9ad4910c8cb4c4e892026b6ca2a890ae2f9ad5800091132bd4
VectorStealer
7b15a87d7133f468e41f44cd5bdad2252f8d8098076c6eb8a25dcddb0d948fdc
VectorStealer
9659456fb12526439a9aa77f861032516aad72e8080f37fa6c8e91cd65c9a546
VectorStealer
ac6d957336c039f000748fa1491549e9416005c224eea1cf089aab0d91b10844
VectorStealer
ae9f0a09b1f95cb4ef05dc51e749a6b33e641a67cbf7cafc6fef41dbbd5b7671
VectorStealer
ee7abc1eb575922375830e8276d495bedb795f6cbd26d2f31a4d0cf401c17677
VectorStealer
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230321-wkqkxaec8v/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/51d11fb5-2542-4497-8457-26776e9e4fcd/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
ebb3e967f7d693083921796a1499ae78d4bcd0906592f51bc720cedd5cafa434
MD5 hash:
a6022671b4bfbf8e7a1817c6b0ee5bac
SHA1 hash:
90ab406b3a238ad5a42d6f662a59fd8a4f70d4b8
Link:
https://www.unpac.me/results/51d11fb5-2542-4497-8457-26776e9e4fcd/
SH256 hash:
adce617de6cf0e3a755c4bfc5cb7ec629bdacc02e1933a19426745b47de322c6
MD5 hash:
d638a4cf72d8b9807135bfd0434b9f30
SHA1 hash:
5b8201c83c38bb136f977dd607b515fa8169f746
Link:
https://www.unpac.me/results/51d11fb5-2542-4497-8457-26776e9e4fcd/
SH256 hash:
0605dae3b82bab080aceb4e8a0ed850098aa93dba439b20b871c4c53a7d50c15
MD5 hash:
08d33215e41bf247a8f0d9ac6a24ad07
SHA1 hash:
5a51811205a37d4fbb9e5d452c35f48cc886dda0
Link:
https://www.unpac.me/results/51d11fb5-2542-4497-8457-26776e9e4fcd/
SH256 hash:
c3361bef6959689958800dd5eca88738433dd311da7d98331c6bbe8710b5c850
MD5 hash:
06a01ca9a22b33bf537074b15d94adae
SHA1 hash:
574c427572b18a54134b4de471792357f9d63d75
Link:
https://www.unpac.me/results/51d11fb5-2542-4497-8457-26776e9e4fcd/
SH256 hash:
86e233cb75b893c9e4e0d26385155c4f575e4217f2d52cba592641c996bc9cc8
MD5 hash:
8b00956371455a2cec3430013108263c
SHA1 hash:
7e4c0599f6c94762172431f522ced9873b2f01f6
Link:
https://www.unpac.me/results/51d11fb5-2542-4497-8457-26776e9e4fcd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86e233cb75b893c9e4e0d26385155c4f575e4217f2d52cba592641c996bc9cc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments