MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae312a92e427d2a4000a88b14a835a5343ab25aeb385bfd62d86c20c0c662b4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	ae312a92e427d2a4000a88b14a835a5343ab25aeb385bfd62d86c20c0c662b4b
SHA3-384 hash:	f12b5e81101a06dcba64e10b4f1e57e191ec7c6f373456ee9e5ace0bbc6d4f96bdb50ed397393b825e0277d140e51e0e
SHA1 hash:	c5f76d247bb03c614fb2916b9e1bff201e7a00b6
MD5 hash:	9f2d5d369949b5fe8f36078356b38543
humanhash:	montana-whiskey-eighteen-kansas
File name:	9f2d5d369949b5fe8f36078356b38543
Download:	download sample
File size:	875'008 bytes
First seen:	2023-07-05 04:31:05 UTC
Last seen:	2023-07-05 05:29:50 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:LvKCf9cYEUlrIA3ffj2baivTJPeaBhQcBvdkr8ujJZ:H9rlM8rsaiJeWSckzjJ
Threatray	256 similar samples on MalwareBazaar
TLSH	T18515234273820319E4145275C0E3212D03F8EB2A14B7FA9A7CEA5A9EE7057DC6DB5FC4
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	zbetcheckin
Tags:	64 exe

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

281

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

91EF1392BC3793B4C43E00A865A9C8D7DF59CB44

Verdict:

Malicious activity

Analysis date:

2023-06-30 14:01:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bec2931a-8188-4a5e-86bd-cbc404c8d43b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/407354/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67891022.12190.10556.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64a4f2439d2b91874b442498/reports/119ba2f3-b17f-46da-b2d7-c5137783fd65/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ae312a92e427d2a4000a88b14a835a5343ab25aeb385bfd62d86c20c0c662b4b

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Suspicious

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c9a6d9b5-588e-465e-9126-1c21a6297db4

Joe Sandbox malicious

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1266928

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae312a92e427d2a4000a88b14a835a5343ab25aeb385bfd62d86c20c0c662b4b/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Leonem

Threat name:

ByteCode-MSIL.Trojan.Leonem

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-07-01 00:03:07 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

4

AV detection:

30 of 38 (78.95%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vyysvexee7jkiaakrcyuva22knb2wjnowoc37vrnq3bayddgfnfq._file

Threatray malicious

Verdict:

malicious

Similar samples:

21778db8e0c534932dea7dd3408f95944d2688b9023b8d668349e830ab58927f

389a7b386cf1cb266462813f116b66c1e01fea86116a9c9c9630c890418fb2f1

4a8da72abff64bcf80a2500077504588b720180b7694203bdb2434fa075fa7fa

5732c82b705016d7bf79058f82f45b01d18d2986fbc8454deeb2894da020a519

6b0ef726a01c2f7b18ce4409dcce197cdbfeba8ac17948488a0a17c2c09c9aba

6e0a7c7256246dfec4aeeebbfe2e1bf9d1a677a8688017fcf08748aee3ed52b3

9142931e43055d6363ee826270edf47ada8acc56ebca1084ca9ee2fcca579536

a95f3ca79acd4178d465fc84f47532a29087f5b40c59b51af8f0454c9719a03d

bc2f9fb51d4da2cf6a3009c0540ad2031a544dad8d37a3c262728e2012d60f2c

cd4ce12ff6104595f16f7149c38a722ba77031a0ae10486ed325a75187803698

+ 246 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/230705-e5yzcaae32/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

UnpacMe

Unpacked files

SH256 hash:

ae312a92e427d2a4000a88b14a835a5343ab25aeb385bfd62d86c20c0c662b4b

MD5 hash:

9f2d5d369949b5fe8f36078356b38543

SHA1 hash:

c5f76d247bb03c614fb2916b9e1bff201e7a00b6

Link:

https://www.unpac.me/results/3e89a46a-7bb2-49fa-9c24-a9ad0bee1ad2/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ae312a92e427/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae312a92e427d2a4000a88b14a835a5343ab25aeb385bfd62d86c20c0c662b4b

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe ae312a92e427d2a4000a88b14a835a5343ab25aeb385bfd62d86c20c0c662b4b

(this sample)

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2676833/

Cape

https://www.capesandbox.com/analysis/407354/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-07-05 04:31:05 UTC

url : hxxp://195.178.120.24/KKjNn.exe