MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9decea735b00c1885b133ce7b7350ae65ec33a1c9663ec22d34216e425b18168. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 9decea735b00c1885b133ce7b7350ae65ec33a1c9663ec22d34216e425b18168
SHA3-384 hash: e6e9370d45e0588ec948fa087d750b2f86807d57e3fc89f0897b2dcfb9e800ad01c75112b6bf0646082f742a62ee6e86
SHA1 hash: 02fb12cb729d3821e28e57481c9579e49e340703
MD5 hash: 13a13ec836cfbe1063ca95a2f8c52813
humanhash: wyoming-yellow-magnesium-california
File name: file
File size: 1,562,080 bytes
First seen: 2022-12-03 13:46:59 UTC
Last seen: 2022-12-03 15:29:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2272bd1fadcc3c967b255c33596d9f56 (2 x LgoogLoader, 2 x RedLineStealer)
ssdeep: 24576:DoBkrIm9azMBhmqMGjiv9j/LHeo+hWDvqXtG66idtWvKZEUeS:DRIu5giiv9zL+o+hWDvq9G66vSZEUeS
Threatray: 212 similar samples on MalwareBazaar
TLSH: T1437523082B928AB7F9124730156E6736477ABE30B735CA87A384B73E9E312F14139757
TrID: 52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      17.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      3.4% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: f0ccececc8e8cccc (1 x RedLineStealer)
Reporter: andretavare5
Tags: exe signed
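
The imphash line above links this sample to other LgoogLoader and RedLineStealer uploads that carry the same import table. To make that relationship concrete, here is an added example (not code from MalwareBazaar, pefile or this sample) that computes an imphash from a constructed import table the way the Mandiant/pefile definition does: the module name is lower-cased and stripped of a .dll/.ocx/.sys suffix, each import becomes lib.func (or lib.ordN for an import by ordinal), the entries are joined with commas in import-directory order, and the result is MD5-hashed. The import tables below are constructed for illustration; pefile additionally maps well-known ws2_32 and oleaut32 ordinals to function names before hashing, which this example leaves out.

```python
import hashlib

# Extensions pefile strips from an imported module name before hashing.
_STRIP_EXTS = (".dll", ".ocx", ".sys")


def normalize_library(name: str) -> str:
    """Lower-case a DLL name and drop a trailing .dll/.ocx/.sys."""
    name = name.lower()
    for ext in _STRIP_EXTS:
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_entries(imports):
    """Turn an import table into the 'lib.func' strings that get hashed.

    imports is a list of (library, function_name, ordinal) tuples in the
    order they appear in the PE import directory; function_name is None for
    an import by ordinal. pefile also resolves well-known ws2_32/oleaut32
    ordinals to names first; this example keeps the plain ordN form.
    """
    entries = []
    for library, function, ordinal in imports:
        lib = normalize_library(library)
        if function:
            entries.append(f"{lib}.{function.lower()}")
        elif ordinal is not None:
            entries.append(f"{lib}.ord{int(ordinal)}")
    return entries


def imphash(imports) -> str:
    """MD5 over the comma-joined entries, as hex. Import order matters."""
    joined = ",".join(imphash_entries(imports))
    return hashlib.md5(joined.encode()).hexdigest()


# Constructed import tables (not the import table of the sample on this page).
# The first looks like a small unpacking stub: just enough to map a payload
# and resolve its imports at run time.
STUB_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA", None),
    ("KERNEL32.dll", "GetProcAddress", None),
    ("KERNEL32.dll", "VirtualAlloc", None),
    ("KERNEL32.dll", "VirtualProtect", None),
    ("USER32.dll", "MessageBoxA", None),
    ("COMCTL32.dll", None, 17),  # import by ordinal, hashed as comctl32.ord17
]

# Same imports with different letter case: normalisation gives the same hash.
STUB_IMPORTS_MIXED_CASE = [
    (lib.upper(), func.upper() if func else None, ordinal)
    for lib, func, ordinal in STUB_IMPORTS
]

# Same imports in a different order: a different hash, because the entries
# are joined in import-directory order before hashing.
STUB_IMPORTS_REORDERED = list(reversed(STUB_IMPORTS))


if __name__ == "__main__":
    print("entries:", imphash_entries(STUB_IMPORTS))
    print("imphash:", imphash(STUB_IMPORTS))
    print("case-insensitive:", imphash(STUB_IMPORTS) == imphash(STUB_IMPORTS_MIXED_CASE))
    print("order-sensitive:", imphash(STUB_IMPORTS) != imphash(STUB_IMPORTS_REORDERED))
```

Because the hash covers only the imports visible in the outer PE, a packed sample's imphash is the packer stub's imphash, not the payload's. Four samples across two families sharing one imphash, as the annotation above reports, is consistent with a shared packer or loader stub (the page's own "packed" tag points the same way) rather than with shared payload code, so pivot on imphash to find siblings of the stub and use the unpacked-file hashes further down to attribute the payload.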

Code Signing Certificate

Organisation: *.fandom.com
Issuer: GlobalSign Atlas R3 DV TLS CA 2022 Q2
Algorithm: sha256WithRSAEncryption
Valid from: 2022-05-29T16:20:14Z
Valid to: 2023-06-30T16:20:13Z
Serial number: 0140594ccaad5348bfaf7de297272e29
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 99f3f23a61cce130adf7456c70eabb25f3af1ffbe258d5b6cf42cb0cd3cb0754
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Note the issuer and subject: a GlobalSign DV TLS CA issues domain-validated TLS server certificates, and the subject here is the wildcard host name *.fandom.com, not a publisher organisation. A DV TLS certificate does not carry the Code Signing extended key usage, so Windows Authenticode verification will not accept a signature made with it regardless of whether the signature bytes are intact. Read the "signed" tag as "carries an Authenticode signature blob", not as "signed by a trusted publisher", and check the certificate's extended key usage and chain before giving the signature any weight in triage.


andretavare5
Sample downloaded from http://91.213.50.36/files/spacemen.exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 197
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-12-03 13:47:57 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Clean
Maliciousness:
Behaviour:
  Creating a window
  DNS request

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad.spyw
Score: 100 / 100
Signature:
  Checks if the current machine is a virtual machine (disk enumeration)
  Hides threads from debuggers
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  System process connects to network (likely due to code injection or exploit)
  Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Tries to harvest and steal Bitcoin Wallet information
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
  Tries to steal Mail credentials (via file / registry access)
  Yara detected AntiVM3

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-12-03 13:47:10 UTC
File type: PE (Exe)
Extracted files: 28
AV detection: 13 of 26 (50.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion
Behaviour:
  Checks SCSI registry key(s)
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Program crash
  Suspicious use of NtSetInformationThreadHideFromDebugger
  Checks BIOS information in registry
  Looks for VMWare Tools registry key
  Enumerates VirtualBox registry keys
  Identifies VirtualBox via ACPI registry values (likely anti-VM)
  Looks for VirtualBox Guest Additions in registry
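
The sandbox behaviours listed just above (SCSI and disk enumeration, BIOS strings, the VMware Tools key, VirtualBox keys, Guest Additions and ACPI values) are all registry reads, and they are what a defender can alert on. As an added example that is not part of MalwareBazaar or any vendor's rule set, the following Python runs a simple scoring rule over constructed registry-access events in a simplified one-line format: a process that touches three or more distinct VM-artifact categories is flagged, while a lone BIOS query from svchost.exe is not. The registry paths are the well-known VMware and VirtualBox artifacts; the event format, process names, pids and threshold are this example's assumptions.

```python
import re

# Registry locations behind the sandbox behaviours above. The grouping into
# categories is this example's own, not a vendor signature.
VM_ARTIFACT_PATTERNS = {
    "disk_enum": r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\Disk\\Enum",
    "scsi_identifier": r"\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port \d+\\Scsi Bus \d+\\Target Id \d+\\Logical Unit Id \d+",
    "bios_strings": r"\\HARDWARE\\DESCRIPTION\\System\\(?:SystemBiosVersion|SystemBiosDate|VideoBiosVersion)",
    "vmware_tools": r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools",
    "vbox_guest_additions": r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    "vbox_acpi": r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__",
    "vbox_services": r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\VBox(?:Guest|Mouse|Service|SF|Video)",
}
_COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in VM_ARTIFACT_PATTERNS.items()}

# Simplified one-line registry-access event (an assumed format for this
# example; map your own telemetry's fields onto it).
_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\S+) target=(?P<target>.+)$"
)

# Constructed events: one process probing six VM markers in quick succession,
# a service making a single BIOS query, and an unrelated Explorer key read.
SAMPLE_EVENTS = r"""
2022-12-03T13:47:10Z pid=4120 image=C:\Users\user\Desktop\file.exe op=RegQueryValue target=HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0
2022-12-03T13:47:10Z pid=4120 image=C:\Users\user\Desktop\file.exe op=RegQueryValue target=HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
2022-12-03T13:47:10Z pid=4120 image=C:\Users\user\Desktop\file.exe op=RegOpenKey target=HKLM\SOFTWARE\VMware, Inc.\VMware Tools
2022-12-03T13:47:11Z pid=4120 image=C:\Users\user\Desktop\file.exe op=RegOpenKey target=HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
2022-12-03T13:47:11Z pid=4120 image=C:\Users\user\Desktop\file.exe op=RegOpenKey target=HKLM\HARDWARE\ACPI\DSDT\VBOX__
2022-12-03T13:47:11Z pid=4120 image=C:\Users\user\Desktop\file.exe op=RegQueryValue target=HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
2022-12-03T13:47:12Z pid=772 image=C:\Windows\System32\svchost.exe op=RegQueryValue target=HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
2022-12-03T13:47:12Z pid=2260 image=C:\Windows\explorer.exe op=RegOpenKey target=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
"""


def parse_events(text):
    """Parse the one-line format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = _EVENT_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "pid": int(m["pid"]), "image": m["image"],
                           "op": m["op"], "target": m["target"]})
    return events


def categorize(text):
    """Map each pid seen to the set of VM-artifact categories it touched."""
    hits = {}
    for ev in parse_events(text):
        cats = hits.setdefault(ev["pid"], set())
        for name, rx in _COMPILED.items():
            if rx.search(ev["target"]):
                cats.add(name)
    return hits


def flag_processes(text, threshold=3):
    """Pids that touched at least `threshold` distinct categories, sorted.

    One BIOS or disk query is ordinary (installers, WMI consumers and
    inventory agents do it); probing several unrelated VM markers is not.
    """
    return sorted(pid for pid, cats in categorize(text).items() if len(cats) >= threshold)


if __name__ == "__main__":
    for pid, cats in categorize(SAMPLE_EVENTS).items():
        print(pid, sorted(cats))
    print("flagged:", flag_processes(SAMPLE_EVENTS))
```

Note that Sysmon records registry writes (events 12 to 14) but not reads, so query events like these come from EDR telemetry, the Microsoft-Windows-Kernel-Registry ETW provider, or a sandbox trace; whichever source you use, count distinct categories per process rather than raw events, which is what keeps a chatty inventory agent below the threshold while a stub that walks the VMware, VirtualBox and BIOS keys in sequence crosses it.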
Verdict: Informative
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 57bbc866be3e3e9805ed67d584f6f64cd4c4ac9e6a8245bd61986d10ddd9cb0c
MD5 hash: 3943ddcc090521de08b16f6a46e382ca
SHA1 hash: 4c5f36196789ecdc535a5e6713aa49eda8c8255b

SHA256 hash: 9decea735b00c1885b133ce7b7350ae65ec33a1c9663ec22d34216e425b18168
MD5 hash: 13a13ec836cfbe1063ca95a2f8c52813
SHA1 hash: 02fb12cb729d3821e28e57481c9579e49e340703

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by