MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 965fb78c4ed7616cbe8d76e3f44f95a41c1da76adc1194368e2ccea3792a37d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 965fb78c4ed7616cbe8d76e3f44f95a41c1da76adc1194368e2ccea3792a37d4
SHA3-384 hash: 536c04b656a74a4d95e41067cab3bb7d62624f4b9659abec1c5466ba9ce59c9df3fd8e092619f2ba16ca9d44d3da079d
SHA1 hash: 8483042374ea066df251045c11c3099a11ae1a57
MD5 hash: c7175f875b79020acc88eda29100e6d7
humanhash: iowa-connecticut-oklahoma-magazine
File name:PsinkoStub.exe
Download: download sample
File size:707'993 bytes
First seen:2022-05-06 08:19:39 UTC
Last seen:2022-05-06 08:40:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'883 x AgentTesla, 19'801 x Formbook, 12'306 x SnakeKeylogger)
ssdeep 6144:+KA0FozkdGn/6OlqK5T83OwvjafrtU9YHGn/6OlqK5T83OwvjafrtU9YX:+CFozB/Km837cJm/Km837cJX
Threatray 978 similar samples on MalwareBazaar
TLSH T1F4E4AFC9F17E44D3CC042BE9981516C35B3406365AB4C0E83DABBDC94EE7BEA8059DA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter 3xp0rtblog
Tags:Burmilla exe Loader

Intelligence

File Origin
# of uploads :
3
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PsinkoStub.exe
Verdict:
Suspicious activity
Analysis date:
2022-05-06 08:22:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7707f13a-31bf-4a15-a420-2b96f335b1fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269028/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILMamut.499.12406.9746.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a custom TCP request
Creating a file
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/6274da3da40dfc4df20b1f10/reports/d8120948-b257-478f-9ac3-4fb1ee2d6aa5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0cc3dc24-8385-4f09-a106-e1b123221b58
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/988961
Signature
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/965fb78c4ed7616cbe8d76e3f44f95a41c1da76adc1194368e2ccea3792a37d4/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 10:30:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
08ad65b9f5484e0ed939cc2de4f83749fc0eb3382c5a1bf7ddf74f29144d122d
3fae7c91e798f1331cc235713cf63f74043a7fb2ce146b6b41fb188d2950babe
43063f8319048a6b0aa762567dbff0cb3114c6a7b33d954c4cfa89ad17e5d07b
496f26beb33fff369de4e425a51670236f669a0db67be31760363407cb3494ba
50b298120d93f328fa5949eeb470a41ac0e846b28df37d46cb16c0beaa1b128e
5fd83f2a0ab55a807929ded55e138b988f873280876ae15fde0332732b38e2da
7df80cbc3b1a80c75e28295d06119ffef7c17cb39f73a8e31ae1e90fae54a6d1
ba18dbaa37dfcb07d8dc014a9801196e419dd2f6936a4fcd1826d4c55a938bea
cfedb16bb7f771abbecc56b51883dbb212e87d811ecba361084ff95e0b208b88
ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35
+ 968 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer
Link:
https://tria.ge/reports/220506-j8egbshfc6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Maps connected drives based on registry
Checks BIOS information in registry
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
fe9361cba34be3a6f42b29bd843eb3d1ab86c42a0b0988f98cf293df2c5e7203
MD5 hash:
69aef5f237246dec6ef82dda0982e46b
SHA1 hash:
144f60dd5c9b7e0f4877a4b6018b9f44f247d3b2
Link:
https://www.unpac.me/results/85d205ce-5f4e-434a-a246-44ae5ae4fc57/
SH256 hash:
965fb78c4ed7616cbe8d76e3f44f95a41c1da76adc1194368e2ccea3792a37d4
MD5 hash:
c7175f875b79020acc88eda29100e6d7
SHA1 hash:
8483042374ea066df251045c11c3099a11ae1a57
Link:
https://www.unpac.me/results/85d205ce-5f4e-434a-a246-44ae5ae4fc57/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/965fb78c4ed7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/965fb78c4ed7616cbe8d76e3f44f95a41c1da76adc1194368e2ccea3792a37d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/3xp0rtblog/status/1522491178641510404
Cape
Cape
https://www.capesandbox.com/analysis/269028/

Comments