MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89d088ade85ce2f16ae94fb9813f72e6b9cc0fbc0af649673daa698dcfe3491a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash: 89d088ade85ce2f16ae94fb9813f72e6b9cc0fbc0af649673daa698dcfe3491a
SHA3-384 hash: a323ca43f0c3d57570880c71e50ec568e07246942579db0fc219a869538e3baa92cfca571d7019da1436b9c7adae8856
SHA1 hash: 33e703f2cd2c5952418ff2d50e4401ad69e923c2
MD5 hash: e1d3ff1a1760a1630376dbb5663b8918
humanhash: tennessee-hotel-berlin-aspen
File name:SecuriteInfo.com.Win64.MalwareX-gen.4768.13818
Download: download sample
File size:9'753'600 bytes
First seen:2023-11-27 11:01:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f2f006e2ecf7172ad368f8289dc96c1 (181 x SalatStealer, 40 x LummaStealer, 17 x CobaltStrike)
ssdeep 98304:kUQc8Y4ttH0KVy7yz9QJIJEGr3EM9v9PJnXfEHhr:os4/H9ymhQJfJMJXsHhr
TLSH T182A63B47ECE605A8C8B5D3B088624122B9307C5C0B6A73DB1B61BB642F377F49E76B45
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon d5926845d1549b97
Reporter SecuriteInfoCom
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
281
Origin country :
FR FR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Sending an HTTP POST request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm expand greyware lolbin redcap
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
56 / 100
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2023-11-27 10:45:52 UTC
File Type:
PE+ (Exe)
Extracted files:
12
AV detection:
8 of 37 (21.62%)
Threat level:
  2/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
Modifies system certificate store
Looks up external IP address via web service
Unpacked files
SH256 hash:
89d088ade85ce2f16ae94fb9813f72e6b9cc0fbc0af649673daa698dcfe3491a
MD5 hash:
e1d3ff1a1760a1630376dbb5663b8918
SHA1 hash:
33e703f2cd2c5952418ff2d50e4401ad69e923c2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GoBinTest
Rule name:golang
Rule name:golang_binary_string
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Rule name:mal_jinxv2loader
Author:Nikos 'n0t' Totosis
Description:JinxLoader V2 Payload
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 89d088ade85ce2f16ae94fb9813f72e6b9cc0fbc0af649673daa698dcfe3491a

(this sample)

  
Delivery method
Distributed via web download

Comments