MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8a172e5e99b940b86720dfffa4a822a486b4a7334c420cdefae80fca5ce2638. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 10

SHA256 hash: a8a172e5e99b940b86720dfffa4a822a486b4a7334c420cdefae80fca5ce2638
SHA3-384 hash: 75a7f1bca68190d7b149f8a070c3d04b537141ec03169824e49ba5be6b6217d0b4ef3f21ecd8444852717caff472bc2a
SHA1 hash: eaf08e786af7ffcfcc38037999f2adf803bef1e4
MD5 hash: 90427a600ba896346dca58a43f4cc77f
humanhash: kitten-california-april-fix
File name: 90427a600ba896346dca58a43f4cc77f
File size: 4'877'824 bytes
First seen: 2023-11-08 01:10:39 UTC
Last seen: 2023-11-08 02:23:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6e9b3e1bda3c0f68dc16d377339cf3e1
ssdeep: 98304:KEjAuvLZidHg42wcN3zhgDsZvIkZXiCIc42sLFhaRhZ:KzYWHg4FcN3zBZvbIc42Esh
Threatray: 54 similar samples on MalwareBazaar
TLSH: T1EC362371E3D04937F17316389C2B92687A39FF022B3869AA6FF45C0C6F396907915267
TrID:
  38.3% (.SCR) Windows screen saver (13097/50/3)
  30.8% (.EXE) Win64 Executable (generic) (10523/12/4)
  13.1% (.EXE) Win32 Executable (generic) (4505/5/1)
  5.9% (.EXE) OS/2 Executable (generic) (2029/13)
  5.8% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 0000000000000000 (shared with 872 AgentTesla, 496 Formbook and 296 RedLineStealer samples; an all-zero dhash means a flat or empty icon, so it is not a useful pivot on its own)
Reporter: zbetcheckin
Tags: 32 exe
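Before pivoting on this record, confirm that the bytes you actually downloaded are the bytes the record describes and that they really are a PE, as the File type and MIME type fields claim. The following is an added example, not MalwareBazaar's own code: it computes the four digests listed above (hashlib names for MD5, SHA1, SHA256 and SHA3-384), reports each one individually so a single transposed digest is visible, and reads just enough of the PE headers to tell PE32 from PE32+. The header-only PE bytes built at the end are constructed for an offline run and will not match the record; pass the real download instead.

```python
"""Verify a downloaded MalwareBazaar sample against its database record.

Added example (not MalwareBazaar code). It checks the four digests the record
lists and parses just enough of the PE headers to confirm the 'Executable exe'
/ 'application/x-dosexec' classification and whether the image is PE32 or PE32+.
The sample bytes used at the bottom are constructed, not the real file.
"""
import hashlib

# Digests copied from this record (hashlib algorithm names as keys).
RECORD = {
    "sha256": "a8a172e5e99b940b86720dfffa4a822a486b4a7334c420cdefae80fca5ce2638",
    "sha3_384": "75a7f1bca68190d7b149f8a070c3d04b537141ec03169824e49ba5be6b6217d0b4ef3f21ecd8444852717caff472bc2a",
    "sha1": "eaf08e786af7ffcfcc38037999f2adf803bef1e4",
    "md5": "90427a600ba896346dca58a43f4cc77f",
}

MACHINE = {0x14C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def digest(data: bytes, algo: str) -> str:
    """Hex digest using the hashlib algorithm name used in RECORD."""
    return hashlib.new(algo, data).hexdigest()


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Map each listed algorithm to True/False for whether data matches it.
    Every algorithm is checked, so one transposed digest on the page (or a
    mismatched download) shows up individually instead of failing silently."""
    return {algo: digest(data, algo) == value.lower() for algo, value in expected.items()}


def describe_pe(data: bytes) -> dict:
    """Minimal PE header parse: MZ stub -> e_lfanew -> 'PE\\0\\0' -> COFF Machine
    -> optional-header Magic. Enough to confirm the record's file-type claim."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ header"}
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "no PE signature at e_lfanew"}
    machine = int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], "little")
    magic = int.from_bytes(data[e_lfanew + 24:e_lfanew + 26], "little")
    return {
        "is_pe": True,
        "machine": MACHINE.get(machine, hex(machine)),
        "format": OPT_MAGIC.get(magic, hex(magic)),
    }


def build_fake_pe(pe32plus: bool, machine: int = 0x8664) -> bytes:
    """Constructed header-only PE used for the offline demonstration below."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")                   # e_lfanew
    coff = (b"PE\0\0"
            + machine.to_bytes(2, "little")                         # Machine
            + (1).to_bytes(2, "little")                             # NumberOfSections
            + bytes(12)                                             # timestamp, symtab ptr, nsyms
            + (240 if pe32plus else 224).to_bytes(2, "little")      # SizeOfOptionalHeader
            + (0x22 if pe32plus else 0x102).to_bytes(2, "little"))  # Characteristics
    opt = (0x20B if pe32plus else 0x10B).to_bytes(2, "little") + bytes(30)
    return bytes(dos) + coff + opt


if __name__ == "__main__":
    fake = build_fake_pe(pe32plus=True)
    print(describe_pe(fake))            # {'is_pe': True, 'machine': 'AMD64', 'format': 'PE32+'}
    print(verify_hashes(fake, RECORD))  # all False: constructed bytes, not the real sample
    # With the real download: verify_hashes(open("sample.bin", "rb").read(), RECORD)
```

Checking every digest rather than SHA256 alone is cheap and catches a record whose secondary hashes were mis-copied, which matters when those secondary hashes are what you feed into other tools.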

Intelligence


File Origin
# of uploads: 2
# of downloads: 352
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware

Behaviour
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process from a recently created file
DNS request
Searching for the window
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control keylogger lolbin packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
Antivirus detection for URL or domain
Deletes itself after installation
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Opens network shares
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph:
Behavior Graph ID: 1338724; Sample: XS3sNotzzw.exe; Startdate: 08/11/2023; Architecture: WINDOWS; Score: 96

Network indicators: UGimJTaULZqJErlriNlsHPaO.UGimJTaULZqJErlriNlsHPaO, ipwho.is, api.telegram.org
Sample-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Uses the Telegram API (likely for C&C communication)

Process tree (flattened from the graph):

XS3sNotzzw.exe
  dropped: C:\Users\user\AppData\Local\Temp\...\Plants (PE32+)
  signature: Opens network shares
  +-- cmd.exe
  |     signatures: Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks
  |     +-- cmd.exe
  |           signature: Uses ping.exe to sleep
  |           +-- Publication.pif
  |           |     signatures: Deletes itself after installation; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
  |           |     +-- Publication.pif
  |           |           network: api.telegram.org 149.154.167.220:443 (TELEGRAMRU, United Kingdom); ipwho.is 147.135.36.89:80 (OVHFR, United States)
  |           |           signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc)
  |           |           +-- powershell.exe
  |           |                 signature: Found many strings related to Crypto-Wallets (likely being stolen)
  |           |                 +-- conhost.exe
  |           +-- cmd.exe
  |           |     dropped: C:\Users\user\AppData\...\Publication.pif (PE32+)
  |           +-- cmd.exe
  |           +-- 6 other processes
  +-- conhost.exe
Result
Malware family: n/a
Score: 10/10
Tags: spyware stealer
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Suspicious use of NtCreateUserProcessOtherParentProcess
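The signatures and behaviours reported above (ping.exe used as a sleep from cmd.exe, a .pif dropped under the user profile and executed, tasklist enumeration, and DNS for api.telegram.org and ipwho.is from the stealer process) translate directly into host-telemetry detections. The block below is an added example and not code from MalwareBazaar or either sandbox vendor: it applies those four checks to a constructed set of events whose field names follow Sysmon Event ID 1 (process creation) and Event ID 22 (DNS query). The rule names, file paths and command lines are assumptions made for the demonstration; the sample's real command lines are not shown on this page.

```python
"""Detection logic for the behaviours this record reports, run over constructed
Sysmon-style events. Added example; not MalwareBazaar or sandbox vendor code.

Covered: ping.exe used as a sleep (ping -n N against loopback), a PE with a
non-.exe extension (.pif/.scr/...) executed from a user-writable directory,
process enumeration with tasklist, and DNS lookups of api.telegram.org /
ipwho.is from a process that is not the Telegram client. Field names follow
Sysmon Event ID 1 (process create) and 22 (DNS query); the paths and command
lines in SAMPLE_EVENTS are constructed for the demo, not taken from the sample."""
import re

LOOPBACK = re.compile(r"(?<![\w.])(?:127\.0\.0\.1|localhost|::1)(?![\w.])", re.I)
PING_COUNT = re.compile(r"(?<![\w-])-n\s+(\d+)", re.I)
SUSPICIOUS_EXT = (".pif", ".scr", ".com", ".cmd")   # assumed list; the page names .pif
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
WATCHED_DOMAINS = {
    "api.telegram.org": "Telegram Bot API, flagged above as likely C&C",
    "ipwho.is": "public IP geolocation, typical stealer recon",
}
LEGIT_TELEGRAM_CLIENTS = {"telegram.exe"}           # image-name allowlist, see note below


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return [(rule_name, detail), ...] for every event that matches a rule."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        exe = basename(image)
        if ev["event"] == "process_create":
            cmd = ev.get("CommandLine", "")
            parent = basename(ev.get("ParentImage", ""))
            if exe == "ping.exe" and LOOPBACK.search(cmd):
                m = PING_COUNT.search(cmd)
                if m and int(m.group(1)) > 1:
                    # N echo requests ~1 s apart delay the caller by roughly N-1 seconds
                    hits.append(("ping_sleep",
                                 f"{parent} delays ~{int(m.group(1)) - 1}s via '{cmd}'"))
            if exe.endswith(SUSPICIOUS_EXT) and USER_WRITABLE.search(image):
                hits.append(("susp_ext_from_user_dir", f"{parent} launched {image}"))
            if exe == "tasklist.exe":
                hits.append(("process_enum", f"{parent} ran tasklist"))
        elif ev["event"] == "dns_query":
            q = ev.get("QueryName", "").lower()
            if q in WATCHED_DOMAINS and exe not in LEGIT_TELEGRAM_CLIENTS:
                hits.append(("watched_domain_dns", f"{exe} -> {q} ({WATCHED_DOMAINS[q]})"))
    return hits


# Constructed events mirroring the reported process tree (paths and command lines are made up).
SAMPLE_EVENTS = [
    {"event": "process_create", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\XS3sNotzzw.exe", "CommandLine": "cmd /c constructed.cmd"},
    {"event": "process_create", "Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "ping -n 5 127.0.0.1"},
    {"event": "process_create", "Image": r"C:\Users\user\AppData\Local\Temp\constructed\Publication.pif",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "Publication.pif"},
    {"event": "process_create", "Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\constructed\Publication.pif", "CommandLine": "tasklist"},
    {"event": "dns_query", "Image": r"C:\Users\user\AppData\Local\Temp\constructed\Publication.pif",
     "QueryName": "api.telegram.org"},
    {"event": "dns_query", "Image": r"C:\Users\user\AppData\Local\Temp\constructed\Publication.pif",
     "QueryName": "ipwho.is"},
    # Benign controls: a real Telegram client resolving its API, and a ping that is not a sleep.
    {"event": "dns_query", "Image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "QueryName": "api.telegram.org"},
    {"event": "process_create", "Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "ping -n 1 8.8.8.8"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The Telegram rule exempts the desktop client by image name only; in production, key the exemption on code signer or install path instead, since nothing stops a stealer from naming its dropped file Telegram.exe. The ping rule deliberately requires a loopback target and a count above one, so a single diagnostic ping to a remote host (the "check the status of other devices" signature above) is left to a separate rule rather than lumped in with the sleep.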
Unpacked files
SHA256 hash: a8a172e5e99b940b86720dfffa4a822a486b4a7334c420cdefae80fca5ce2638
MD5 hash: 90427a600ba896346dca58a43f4cc77f
SHA1 hash: eaf08e786af7ffcfcc38037999f2adf803bef1e4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Borland
Author: malware-lu
(This is a compiler/packer identification rule, not a family detection; it tells you what built the outer binary, not what the payload is.)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Executable exe a8a172e5e99b940b86720dfffa4a822a486b4a7334c420cdefae80fca5ce2638 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-11-08 01:10:40 UTC

url : hxxps://cutt.ly/wwRBoqIz/