MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3d391dac8cecf22acc946063a6c0afe18d3778cbdfc168b96b67fe5c15d9494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	a3d391dac8cecf22acc946063a6c0afe18d3778cbdfc168b96b67fe5c15d9494
SHA3-384 hash:	336094378238faea6b7e615a15a598e35f29cd487c0aa6e3a2f771c2e2629544d4be5265e64a2b4e7fffb9b407e291c1
SHA1 hash:	914dc1a1be45810bc6621b5be2df5f525582ded8
MD5 hash:	f29a5bd9756ad959bb11271e1a4984aa
humanhash:	spaghetti-may-vermont-chicken
File name:	stub1.exe
Download:	download sample
File size:	21'396'687 bytes
First seen:	2022-12-31 05:30:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a6cec5b1a631d592d80900ab7e1de8df (3 x IRCbot, 3 x CobaltStrike, 3 x RedLineStealer)
ssdeep	393216:ZflgwHGyvAhWIzA9QsrloKn3e/m3pZeWG2QXBv8SxRDJNW8Z9tF9N+:Zflbmyv6WLqbdKZMv/HNW8ZLF9N
Threatray	3'842 similar samples on MalwareBazaar
TLSH	T143273397B3440AD8F495333BAC4B952655E67C0647A8C28B45D81A601EFF1D2BE3BF32
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter	r3dbU7z
Tags:	exe pyinstaller spyware

Intelligence

File Origin

# of uploads :

# of downloads :

334

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

stub1.exe

Verdict:

Malicious activity

Analysis date:

2022-12-31 05:33:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/99ada834-3c45-4000-8837-18e1a08b7311

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepMalware.20600.23024.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Running batch commands

Creating a process with a hidden window

Creating a file

Using the Windows Management Instrumentation requests

Launching a process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/63afc9180fdf1633326cb0a3/reports/58f9bf3d-c2fb-405a-b198-f436e9c40490/overview

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1143442

Signature

Connects to a pastebin service (likely for C&C)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-12-31 05:31:45 UTC

File Type:

PE+ (Exe)

Extracted files:

3250

AV detection:

5 of 26 (19.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=upjzdwwiz3hsflgjiyddu3ak7ymng54mxx6bnc4wwz76lqk5sska._file

Verdict:

unknown

30b39abec09a0975936b022b05e4a8b6e2fe34cb52c533a1fdfb2f9832152b74

4c3e6e0a44cec929b36ea43075ddb2d952c8fe7c19ee1b61de1e4f5b896a2147

5a07bc69ad4a2437e2a2ee9913a60fc6f147a895ea5d82bc2c1e3103a0b54454

61b16d71a76f83cef63d079b0735cd0a1cee24f1119063e28ef1f227f2bb27c4

937e73c80582b2c880a5af198e6520e76e22c3e1ef2fe4a8278d0b49ec61ef86

acb6ddc1461c0d9e81f482f4e5738f330d01f0365b6f95e44aa5792fbe8d7376

b71c27f07c3367ed0733d3bfc17eec9d101a955cf1f8af003ed8977584778d87

d1833d29e63b708289b27d78dbe7604f2a072f2fa853121e29ca13428d81e35e

ec5ab723a255e763e9c87a23d44794b70108b988c7053432177d5dadafd7e645

+ 3'832 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

pyinstaller upx

Link:

https://tria.ge/reports/221231-f7q7ysce2z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

UPX packed file

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c56ed611-ac20-4457-b663-7d9287a339c5

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a3d391dac8cecf22acc946063a6c0afe18d3778cbdfc168b96b67fe5c15d9494

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	shad0w_beacon_16June Create hunting rule
Author:	SBousseaden
Description:	Shad0w beacon compressed
Reference:	https://github.com/bats3c/shad0w

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe a3d391dac8cecf22acc946063a6c0afe18d3778cbdfc168b96b67fe5c15d9494

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample