MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8b139356c341d036363914fb0a0c1d3e82fc873bd9f9957a70bccbbef8b22e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: a8b139356c341d036363914fb0a0c1d3e82fc873bd9f9957a70bccbbef8b22e9
SHA3-384 hash: 2d9305094f26afcd8c26f07faf2c6ec516c3c5105d5544de74a7977999f034f602fffcd9fa4af6ebbf28b786fe5fe12d
SHA1 hash: 27ce37d526700b2664b3103b68d9cc47c4ea8909
MD5 hash: 35a955f116fc128622bcdc0e3ef52022
humanhash: georgia-tennis-mockingbird-lactose
File name: RemasterSouls Setup.exe
File size: 69'184'268 bytes
First seen: 2024-02-06 15:12:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep: 1572864:prziNx5qoipQ8DJEd+3ozZp6qtfMQZ2YZtO7fDFqsfDa7:Ex5qrvJYRZxtj2YZAzD0e27
TLSH: T1CCE733906AD1C019C81956FD9AD0FAFE56097B380366707EB49E304F3831BECDE6169B
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: JaffaCakes118
Tags: exe
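The four cryptographic digests above are the identifiers a responder matches a quarantined file against. Note that the imphash and the icon dhash are shared with hundreds of samples of unrelated families: the sandbox run shows the installer dropping the NSIS plugin DLLs nsis7z.dll and System.dll, and NSIS-built installers share the same stub import table, so those two values identify the packaging, not the payload family. The script below is an added example, not code from MalwareBazaar or its API; it computes the same four digests with Python's hashlib, streaming the file because the sample is 69 MB, and reports which ones agree with the entry. The input bytes used when it is run are constructed and are not the sample, so against this entry they do not match.

```python
import hashlib

# Identifiers copied from the MalwareBazaar entry above.
ENTRY = {
    "sha256": "a8b139356c341d036363914fb0a0c1d3e82fc873bd9f9957a70bccbbef8b22e9",
    "sha3_384": "2d9305094f26afcd8c26f07faf2c6ec516c3c5105d5544de74a7977999f034f602fffcd9fa4af6ebbf28b786fe5fe12d",
    "sha1": "27ce37d526700b2664b3103b68d9cc47c4ea8909",
    "md5": "35a955f116fc128622bcdc0e3ef52022",
}

# The algorithm names MalwareBazaar lists, as hashlib spells them.
ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory buffer with all four algorithms."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Digest a file from disk in 1 MiB chunks so a 69 MB installer is not read at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_entry(digests: dict, entry: dict = ENTRY) -> dict:
    """Compare computed digests with an entry, case-insensitively.

    A file is the catalogued sample only if every algorithm agrees. A partial
    match (say MD5 agrees but SHA256 does not) means a corrupted copy or a
    deliberate collision and is worth escalating rather than ignoring.
    """
    matched = [a for a in ALGORITHMS if digests.get(a, "").lower() == entry[a].lower()]
    mismatched = [a for a in ALGORITHMS if a not in matched]
    return {"is_sample": not mismatched, "matched": matched, "mismatched": mismatched}


# Constructed stand-in bytes (NOT the sample) so the script runs offline.
CONSTRUCTED_FILE = b"MZ" + b"\x00" * 62 + b"this is not the RemasterSouls installer"

if __name__ == "__main__":
    print(match_entry(hash_bytes(CONSTRUCTED_FILE)))
```

To check a real quarantined file, call hash_file on its path instead of hash_bytes; the comparison is unchanged.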

Intelligence


File Origin
# of uploads: 1
# of downloads: 370
Origin country: US

Vendor Threat Intelligence

Result
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: spyw
Score: 56 / 100
Signatures
Antivirus detection for URL or domain
Drops large PE files
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (ID 1387637)
Sample: RemasterSouls Setup.exe
Start date: 06/02/2024
Architecture: WINDOWS
Score: 56

Network contacts
vendanetbr.com 154.56.48.197:443 (COGENT-174US, United States), from RemasterSouls.exe
chrome.cloudflare-dns.com 162.159.61.3:443 (CLOUDFLARENETUS, United States), from the child RemasterSouls.exe

Files dropped by RemasterSouls Setup.exe
C:\Users\user\AppData\...\RemasterSouls.exe (PE32+)
C:\Users\user\AppData\Local\...\nsis7z.dll (PE32)
C:\Users\user\AppData\Local\...\System.dll (PE32)
12 other files (none is malicious)

Files dropped by RemasterSouls.exe
cbfc58d8-be6a-457d...2612480ae2.tmp.node (PE32+)
07c87988-36b6-422d...11fd2c7d6a.tmp.node (PE32+)

Process tree
RemasterSouls Setup.exe
    RemasterSouls.exe (contacts vendanetbr.com; harvests browser information)
        RemasterSouls.exe (contacts chrome.cloudflare-dns.com)
        cmd.exe
            powershell.exe
            conhost.exe
        cmd.exe
            powershell.exe
            conhost.exe
        4 other processes: tasklist.exe, tasklist.exe, conhost.exe, conhost.exe
Result
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2024-02-04 02:03:41 UTC
File Type: PE (Exe)
Extracted files: 138
AV detection: 6 of 24 (25.00%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: n/a
Score: 7/10
Tags: spyware stealer
Behaviour
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
An obfuscated cmd.exe command-line is typically used to evade detection.
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
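The sandbox results above describe a recognisable chain: an installer in the user profile drops RemasterSouls.exe under AppData, which spawns cmd.exe wrapping powershell.exe, runs tasklist.exe to enumerate processes, and contacts vendanetbr.com (154.56.48.197:443). The script below is an added example, not from MalwareBazaar or any vendor sandbox, of turning that chain into detection logic over endpoint telemetry. The event records are constructed to mirror the behaviour graph; the field names follow a Sysmon-like schema and the full executable paths are placeholders, since the page elides them. A benign cmd.exe/powershell.exe pair launched from explorer.exe is included as a control to show the rule keys on the origin of the tree, not on the LOLBins themselves.

```python
from dataclasses import dataclass

# Network IOCs copied from the entry. chrome.cloudflare-dns.com is a public
# DoH resolver and is deliberately not treated as an IOC.
IOC_DOMAINS = {"vendanetbr.com"}
IOC_IPS = {"154.56.48.197"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process (Sysmon "Image")
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    dest_host: str
    dest_ip: str
    dest_port: int


def _name(image: str) -> str:
    """Lower-cased basename of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def _is_user_writable(image: str) -> bool:
    """True for binaries running from locations a standard user can write to."""
    low = image.lower()
    return "\\appdata\\" in low or "\\downloads\\" in low or "\\temp\\" in low


def ancestors(pid: int, by_pid: dict) -> list:
    """Walk ppid links upwards, nearest parent first; stops at an unknown pid."""
    chain = []
    while pid in by_pid and len(chain) < 64:   # length guard against pid-reuse loops
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(procs: list, nets: list) -> list:
    """Return (rule, pid, detail) tuples for the three behaviours on the page."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = _name(p.image)
        chain = ancestors(p.ppid, by_pid)
        # Rule 1: powershell.exe launched via cmd.exe by a binary from a user-writable dir.
        if name == "powershell.exe" and chain and _name(chain[0].image) == "cmd.exe":
            origin = next((a for a in chain[1:] if _is_user_writable(a.image)), None)
            if origin:
                findings.append(("cmd->powershell from user-writable binary", p.pid, _name(origin.image)))
        # Rule 2: tasklist.exe process enumeration from the same kind of tree.
        if name == "tasklist.exe":
            origin = next((a for a in chain if _is_user_writable(a.image)), None)
            if origin:
                findings.append(("tasklist enumeration from user-writable binary", p.pid, _name(origin.image)))
    # Rule 3: outbound contact with the entry's network IOCs, by domain or IP.
    for n in nets:
        if n.dest_host.lower() in IOC_DOMAINS or n.dest_ip in IOC_IPS:
            findings.append(("network IOC contact", n.pid, n.dest_host))
    return findings


# Constructed telemetry mirroring the behaviour graph (paths are placeholders).
SAMPLE_PROCS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\user\Downloads\RemasterSouls Setup.exe", '"RemasterSouls Setup.exe"'),
    ProcEvent(300, 200, r"C:\Users\user\AppData\Local\RemasterSouls\RemasterSouls.exe", "RemasterSouls.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell"),
    ProcEvent(401, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell"),
    ProcEvent(402, 400, r"C:\Windows\System32\conhost.exe", "conhost.exe"),
    ProcEvent(500, 300, r"C:\Windows\System32\tasklist.exe", "tasklist"),
    # Benign control: an interactive shell started from explorer.exe.
    ProcEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(601, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell"),
]
SAMPLE_NETS = [
    NetEvent(300, "vendanetbr.com", "154.56.48.197", 443),
    NetEvent(300, "chrome.cloudflare-dns.com", "162.159.61.3", 443),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_PROCS, SAMPLE_NETS):
        print(finding)
```

Rule 1 keys on the nearest user-writable ancestor rather than on cmd.exe itself, which is why the control pair under explorer.exe produces nothing; in production the same walk would be done over Sysmon event ID 1 ParentProcessId links.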
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe a8b139356c341d036363914fb0a0c1d3e82fc873bd9f9957a70bccbbef8b22e9 (this sample)

Delivery method: Distributed via web download

Comments