MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ded2a6e3b34dc384a6364c393b9610d947dca0d1a37a90541fc47f70f173e35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EpsilonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ded2a6e3b34dc384a6364c393b9610d947dca0d1a37a90541fc47f70f173e35
SHA3-384 hash: f686d7f667fee732ab9ea25151ff2424afa50b99eeb2bd8c7717c5c2302a506fe25a62d9c1407afabd9e41ef9ad6d382
SHA1 hash: 56d33f5e139bf83d8bb88ee6ae14ddb9346856da
MD5 hash: 65ffc153e1c284f8a577e728296f6d81
humanhash: south-six-pip-california
File name:WhispyProject.exe
Download: download sample
Signature EpsilonStealer
Create hunting rule
File size:64'794'978 bytes
First seen:2023-11-18 19:45:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:9m6YxMrHPl+JUOV1ZN8ukAjqeEP7BRvaJBfzIyU1t7:Q6GqHPlulRN8zMq/DrvanfzI37
TLSH T128E733CAF815802BC0659AB3E419CBFBD7E167896B11C7831F38C7B9AD4256A0F019DD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 100c3232b2b24c30 (38 x EpsilonStealer)
Reporter Xev
Tags:discordstealer EpsilonStealer exe


Avatar
NIXLovesCooper
C2: wdb.life

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
GR GR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Searching for synchronization primitives
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Changing a file
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6559147de7421d316a442ebf/reports/de26a940-113d-460f-ae5f-cdabc586b3c5/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8ded2a6e3b34dc384a6364c393b9610d947dca0d1a37a90541fc47f70f173e35
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1344593
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1344593 Sample: WhispyProject.exe Startdate: 18/11/2023 Architecture: WINDOWS Score: 80 45 ipinfo.io 2->45 47 chrome.cloudflare-dns.com 2->47 49 api.epsilon1337.com 2->49 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 Multi AV Scanner detection for submitted file 2->65 9 WhispyProject.exe 182 2->9         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\WhispyProject.exe, PE32+ 9->33 dropped 35 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 9->35 dropped 37 C:\Users\user\AppData\Local\...\System.dll, PE32 9->37 dropped 39 16 other files (none is malicious) 9->39 dropped 12 WhispyProject.exe 54 9->12         started        process6 dnsIp7 53 api.epsilon1337.com 20.124.93.151, 443, 49740, 49741 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->53 55 ipinfo.io 34.117.59.81, 443, 49737 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 12->55 41 b22962fa-b8b8-4c9e...7c54e7f852.tmp.node, PE32+ 12->41 dropped 43 34b3723a-b8e9-438e...6db292f165.tmp.node, PE32+ 12->43 dropped 67 Tries to harvest and steal browser information (history, passwords, etc) 12->67 17 reg.exe 1 12->17         started        20 cmd.exe 1 12->20         started        22 WhispyProject.exe 13 12->22         started        25 3 other processes 12->25 file8 signatures9 process10 dnsIp11 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->57 27 conhost.exe 17->27         started        29 tasklist.exe 1 20->29         started        31 conhost.exe 20->31         started        51 chrome.cloudflare-dns.com 172.64.41.3, 443, 49758, 49759 CLOUDFLARENETUS United States 22->51 signatures12 process13
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8ded2a6e3b34dc384a6364c393b9610d947dca0d1a37a90541fc47f70f173e35
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-07-23 22:04:32 UTC
File Type:
PE (Exe)
Extracted files:
138
AV detection:
5 of 38 (13.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rxwsu3r3gtodqstdmtbzholbbwkh3sqndi32sbkb7rd7odyxhy2q._file
Verdict:
unknown
Result
Malware family:
epsilon
Create hunting rule
Score:
  10/10
Tags:
family:epsilon spyware stealer
Link:
https://tria.ge/reports/231118-ygy4zsfe22/
Behaviour
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects EpsilonStealer ASAR
Epsilon Stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments