MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94452bed46c58c0cdde37e960b24fdb12972d13da0339fc6ad9a2245b02c7f8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VectorStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94452bed46c58c0cdde37e960b24fdb12972d13da0339fc6ad9a2245b02c7f8e
SHA3-384 hash: 1fb4613a32987948c5168f14604f48c57f08ee05b504f0b741098490dd7dd62935a9d05aa7c465f8bab32f64c9efe2c8
SHA1 hash: 42d09453e3e3891a5de982c91c08b30ab972ca2a
MD5 hash: 22ce9b3c78a06c2a76a617bc39bda1c0
humanhash: berlin-quebec-louisiana-eleven
File name:Quotation 10072017.pdf.exe
Download: download sample
Signature VectorStealer
Create hunting rule
File size:1'509'888 bytes
First seen:2023-03-15 07:42:42 UTC
Last seen:2023-03-15 09:30:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:vZsx7quwvwLhqT04WfBOiaLPy5QM/sx4LxiewohVCaG0DBihF7HHwDKRa+LUk:Kd1wIl1OxCsx41iUVCB0GAKRa+L
Threatray 62 similar samples on MalwareBazaar
TLSH T14D65F0437CC911DFBB82EE31C1F1ABFE24969A9105149F3DDE4846D91638B437D828EA
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:exe VectorStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
237
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation 10072017.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-15 07:44:09 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/9c557276-728e-42ed-a0b8-0363dd6e9f43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374479/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6411770b4be1693e4f5ddbc9/reports/789d3040-9397-47ed-bc47-f303ae94b2f0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/94452bed46c58c0cdde37e960b24fdb12972d13da0339fc6ad9a2245b02c7f8e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
VectorStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b5b026e-4706-44f9-adef-7c3415415600
Result
Threat name:
Vector Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1193950
Signature
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Yara detected Vector Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94452bed46c58c0cdde37e960b24fdb12972d13da0339fc6ad9a2245b02c7f8e/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 22:39:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=srcsx3kgywgazxpdp2lawjh5weuxfuj5uazz7rvntirelmbmp6ha._file
Verdict:
malicious
Similar samples:
00b36130f2bb86e3a1c5716bd75266ce9341aafb8a0e06bdc1e009c113d6314b
VectorStealer
2f73d2d742925aa35f66672d832312b89cc9fa28672c5279c91689393c0f5e47
VectorStealer
3a84f34535dc71bd9e1110049d164a9153e2a08f4bc574223594c8c4e561ff51
VectorStealer
57cff3a25d0e209ae16b6c411c95be97880fdf3075d2b33b32a20dda8d611d5f
VectorStealer
85f0acef04342dd85144d4e1a450782907122513ad29af0f0b70559179d8e6af
VectorStealer
a0ef330540f4a9d53c9b6fd713570d8fc327f8af1b51e66918a528cf9f501cd3
VectorStealer
af28704c38179bcfb8bc5757baede2655bf3737d74f28ea28f27c4c7c40f44cc
VectorStealer
c8fd56ab9f03dfe2772bc953ca3fa6dee35d7854594e194dc00cbe24f7a07a45
VectorStealer
c9e5ff55c4c4b9ab78ca511be19a6e8b2274c1c18862953fec58f0b4cf6b8b2a
VectorStealer
e25dbaba819ed91b60ae64dfc062dd7dc64f1c154df8bee16d237480e0fccd36
VectorStealer
+ 52 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230315-jj9wyaea71/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
0bdf140e18687f7a57c10fe53a645422d3462857dcbafb139dae156b4a9cafcb
MD5 hash:
13195c2300225fd39af1295d928c6a8d
SHA1 hash:
d77cc8c3a0f6a67e220f14fab07c3c931df08e3d
Link:
https://www.unpac.me/results/91fda59c-12cb-432d-8e28-9e25288a0df1/
SH256 hash:
fff6a6c9ee13b021fa856b5b10ae5666583d55a58943d88e1ad51d0c2d427a41
MD5 hash:
9d0176518f7144eac3ae66555a26e2c1
SHA1 hash:
d1b95cce7a081bb9d78c5adb65e6c83d2a2a3c83
Link:
https://www.unpac.me/results/91fda59c-12cb-432d-8e28-9e25288a0df1/
SH256 hash:
a46d9db25a99c6ab48bf17eaae1357122d60405b3b84b34c07d59286981537fa
MD5 hash:
06a78c428c354127e4a8557e3095bd4f
SHA1 hash:
c4fcbc028d4d27f84069ef446d04af0fba170911
Link:
https://www.unpac.me/results/91fda59c-12cb-432d-8e28-9e25288a0df1/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/91fda59c-12cb-432d-8e28-9e25288a0df1/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
44a41198e59a17a2dc6de5402807aa3d8662dd57dc7c5ad817ad7de96676d7e6
MD5 hash:
9f7160493564c34a6a946e49698c4a32
SHA1 hash:
61e367efb9ff0de5c8e6b768274ecf80222a3544
Link:
https://www.unpac.me/results/91fda59c-12cb-432d-8e28-9e25288a0df1/
SH256 hash:
94452bed46c58c0cdde37e960b24fdb12972d13da0339fc6ad9a2245b02c7f8e
MD5 hash:
22ce9b3c78a06c2a76a617bc39bda1c0
SHA1 hash:
42d09453e3e3891a5de982c91c08b30ab972ca2a
Link:
https://www.unpac.me/results/91fda59c-12cb-432d-8e28-9e25288a0df1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94452bed46c58c0cdde37e960b24fdb12972d13da0339fc6ad9a2245b02c7f8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VectorStealer

Executable exe 94452bed46c58c0cdde37e960b24fdb12972d13da0339fc6ad9a2245b02c7f8e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/374479/

Comments