MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2bc5f647723f5af00feb34d1dd7bc73942207416f5a49425baceab8f251d473. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2bc5f647723f5af00feb34d1dd7bc73942207416f5a49425baceab8f251d473
SHA3-384 hash: 7a1e395dacaeba0f0a366d93e373a8125360aea23037658462bbd767567edbe7867e957d63b88f8981b07911de106eec
SHA1 hash: 0822276c0b2069ec93b1c9cec479598d2df6032b
MD5 hash: 810404df029951f47c930245ed323daa
humanhash: comet-angel-solar-october
File name:SecuriteInfo.com.Win64.Evo-gen.10533.31255
Download: download sample
File size:13'602'620 bytes
First seen:2024-04-19 05:20:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f4f2e2b03fe5666a721620fcea3aea9b (15 x BlankGrabber, 10 x PythonStealer, 6 x CrealStealer)
ssdeep 393216:8qZP8AxYD/1+TtIiFqY9Z8D8CcldlAjadCTGbrV1:8JXr1QtIZa8DZcLlAjadvr
Threatray 21 similar samples on MalwareBazaar
TLSH T124D6339A72E148E8DBBA153586D64B12EA72F8625731C6CF23F545711F033F38932B1A
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a2bc5f647723f5af00feb34d1dd7bc73942207416f5a49425baceab8f251d473.exe
Verdict:
Malicious activity
Analysis date:
2024-04-19 05:25:16 UTC
Tags:
evasion exela stealer generic python
Link:
https://app.any.run/tasks/c26199bd-2dc4-4dc0-b0a5-afe62fec48ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Connection attempt
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Changing a file
Reading critical registry keys
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the process to change network settings
Creating a window
Launching the process to interact with network services
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
82%
Tags:
anti-debug anti-vm anti-vm cmd expand findstr fingerprint hacktool lolbin netsh overlay packed packed powershell pyinstaller pyinstaller stealer windows wmic
Link:
https://www.filescan.io/uploads/6621ff4b47bfd8641eaf1d28/reports/318897dc-c036-4181-90bc-a02f160829b1/overview
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/a2bc5f647723f5af00feb34d1dd7bc73942207416f5a49425baceab8f251d473
Result
Verdict:
MALICIOUS
Malware family:
Splashtop
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/52f9abe1-0985-4d5b-8c75-42f4e17324e6
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.spre.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1428538
Signature
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites the password of the administrator account
Performs a network lookup / discovery via ARP
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: Add file from suspicious location to autostart registry
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Very long command line found
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428538 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 108 store1.gofile.io 2->108 110 ip-api.com 2->110 112 2 other IPs or domains 2->112 122 Antivirus / Scanner detection for submitted sample 2->122 124 Sigma detected: Capture Wi-Fi password 2->124 126 Multi AV Scanner detection for submitted file 2->126 128 5 other signatures 2->128 11 SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe 60 2->11         started        15 Waltuhium.exe 2->15         started        signatures3 process4 file5 82 C:\Users\...\_quoting_c.cp312-win_amd64.pyd, PE32+ 11->82 dropped 84 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 11->84 dropped 86 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 11->86 dropped 94 31 other files (none is malicious) 11->94 dropped 154 Very long command line found 11->154 156 Modifies the windows firewall 11->156 158 Tries to harvest and steal WLAN passwords 11->158 160 Gathers network related connection and port information 11->160 17 SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe 132 11->17         started        88 C:\Users\...\_quoting_c.cp312-win_amd64.pyd, PE32+ 15->88 dropped 90 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 15->90 dropped 92 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 15->92 dropped 96 31 other files (none is malicious) 15->96 dropped 162 Multi AV Scanner detection for dropped file 15->162 22 Waltuhium.exe 15->22         started        signatures6 process7 dnsIp8 102 ip-api.com 208.95.112.1, 49738, 80 TUT-ASUS United States 17->102 104 api.gofile.io 51.38.43.18, 443, 49749 OVHFR France 17->104 106 4 other IPs or domains 17->106 74 C:\Users\user\AppData\Local\...\Waltuhium.exe, PE32+ 17->74 dropped 76 C:\Users\user\AppData\...\ZSSZYEFYMU.xlsx, ASCII 17->76 dropped 78 C:\Users\user\AppData\...\UMMBDNEQBN.pdf, ASCII 17->78 dropped 80 2 other malicious files 17->80 dropped 130 Very long command line found 17->130 132 Found many strings related to Crypto-Wallets (likely being stolen) 17->132 134 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->134 136 5 other signatures 17->136 24 cmd.exe 1 17->24         started        27 cmd.exe 17->27         started        29 cmd.exe 17->29         started        31 10 other processes 17->31 file9 signatures10 process11 signatures12 138 Very long command line found 24->138 140 Encrypted powershell cmdline option found 24->140 142 Bypasses PowerShell execution policy 24->142 152 3 other signatures 24->152 33 WMIC.exe 1 24->33         started        36 conhost.exe 24->36         started        144 Overwrites the password of the administrator account 27->144 146 Gathers network related connection and port information 27->146 148 Performs a network lookup / discovery via ARP 27->148 38 systeminfo.exe 27->38         started        40 net.exe 27->40         started        42 net.exe 27->42         started        49 16 other processes 27->49 44 powershell.exe 29->44         started        47 conhost.exe 29->47         started        150 Tries to harvest and steal WLAN passwords 31->150 51 20 other processes 31->51 process13 file14 114 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 33->114 116 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 33->116 118 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 38->118 53 WmiPrvSE.exe 38->53         started        120 Overwrites the password of the administrator account 40->120 55 net1.exe 40->55         started        57 net1.exe 42->57         started        100 C:\Users\user\AppData\...\rbnr1ktd.cmdline, Unicode 44->100 dropped 59 csc.exe 44->59         started        62 quser.exe 49->62         started        64 net1.exe 49->64         started        70 2 other processes 49->70 66 chcp.com 51->66         started        68 chcp.com 51->68         started        signatures15 process16 file17 98 C:\Users\user\AppData\Local\...\rbnr1ktd.dll, PE32 59->98 dropped 72 cvtres.exe 59->72         started        process18
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a2bc5f647723f5af00feb34d1dd7bc73942207416f5a49425baceab8f251d473
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2bc5f647723f5af00feb34d1dd7bc73942207416f5a49425baceab8f251d473/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-04-19 05:21:10 UTC
File Type:
PE+ (Exe)
Extracted files:
734
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uk6f6zdxep226ah6wngr3v54ookceb2bn5nesqs3vtvlr4sr2rzq._file
Verdict:
malicious
Similar samples:
0c4539463f6945654ba7fcca0c703040ebadcf29e5d3c89a2765e1369a6fe15f
52f6e87fb26093278273b76242528123501209a796f152c12d45e92d85acbf12
5b7c918bf324ff3b49cd17854731788c49bbbc120cd1a7dab2050467930e1a2d
7430d4ff91880ad8296ea94fe9c43aab5a92f1901386ffdc0c7a829359d210db
7afbe4fa7aad8ab6a257bc76e1583079d7b6b1e1590b39d7fdcfc27963a9260a
893534d6ef00baca495f72ee980aa8b4de58afa9ebb9a4f05710db19c5454c33
c1a42a7466f95415577084f66e18e6817e533c8f353c70e033048e4db90efadc
c541b775dc9e6b07c43b2d9f92fb1981aaec2a56c9075d55689915286d98eec1
daa3d1fa7525afcbb16140d999b685d5fe487b19e108171b4408135f3e36be9f
f96f0402e5f6110bdb961a3750b1db0519bf810969f59e2d8d57ac51fc2cdd9e
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence pyinstaller spyware stealer
Link:
https://tria.ge/reports/240419-f1z7aahh39/
Behaviour
Collects information from the system
Enumerates processes with tasklist
Gathers network information
Gathers system information
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Launches sc.exe
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Modifies Windows Firewall
Grants admin privileges
Unpacked files
SH256 hash:
a2bc5f647723f5af00feb34d1dd7bc73942207416f5a49425baceab8f251d473
MD5 hash:
810404df029951f47c930245ed323daa
SHA1 hash:
0822276c0b2069ec93b1c9cec479598d2df6032b
Detections:
PyInstaller
Create hunting rule
Link:
https://www.unpac.me/results/36e82572-5051-4ce8-b1e1-22d26bb84e66/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments