MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aeb8342fe519b84fedd23e5b963fa34039f826170c2ab341c23e18e9e6708fde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 13

SHA256 hash: aeb8342fe519b84fedd23e5b963fa34039f826170c2ab341c23e18e9e6708fde
SHA3-384 hash: 7f39b0ffb9d6b3f6cc0677986226b674f8fd360c12c183b0b936ddeb86e2175d6d1abedf1c763c570d02df28ca7e7fbe
SHA1 hash: 35825cc5c8c65859d660b5b34e0502ad789d4838
MD5 hash: d1459762cf6dfecd7f62828a118893ea
humanhash: apart-bacon-ceiling-skylark
File name: file
File size: 9'987'116 bytes
First seen: 2025-04-08 12:46:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f557cb5e3abb3bc5ede97f2a0da19e34 (2 x DeerStealer, 1 x AsyncRAT, 1 x Arechclient2)
ssdeep: 196608:vi0HwcxW/r5ryyY/kPVyKvfX2vyTeIoTLd:nwcxMtFY/kPVrv/l0Ld
TLSH: T188A6334973D51DF9E57BC03ECCB902AAD6B93C129730C64F0694A78A8F232A15C7CB59
TrID: 87.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      5.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: jstrosch
Tags: exe X64


jstrosch
Found at hxxp://awcollectors[.]com/DKYNRMSZ.exe by #subcrawl

Intelligence


File Origin
# of uploads: 1
# of downloads: 416
Origin country: CA
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2025-04-08 18:56:19 UTC
Tags: xor-url deerstealer stealer generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Verdict: Malicious
Score: 99.9%
Tags: shellcode autorun virus spawn
Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
DNS request
Connection attempt
Sending a custom TCP request
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: action adaptive-context expired-cert fingerprint infostealer keylogger microsoft_visual_cc overlay packed packer_detected

Result
Verdict: MALICIOUS
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph (ID: 1659470, Sample: file.exe, Startdate: 08/04/2025, Architecture: WINDOWS, Score: 100), reconstructed as a process tree from the flattened graph:

Top level
  Network: dynamic-summit-cfd.cfd; chrome.cloudflare-dns.com; 2 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 2 other signatures
  - file.exe (started)
      Dropped: C:\Users\user\AppData\Local\...\msvcr80.dll (PE32); C:\Users\user\AppData\Local\...\msvcp80.dll (PE32); C:\Users\user\AppData\Local\...\QtGui4.dll (PE32); 2 other files (1 malicious)
      - ABUsbTips.exe (started)
          Dropped: C:\Users\user\AppData\Roaming\...\msvcr80.dll (PE32); C:\Users\user\AppData\Roaming\...\msvcp80.dll (PE32); C:\Users\user\AppData\Roaming\...\QtGui4.dll (PE32); 2 other malicious files
          Signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
          - ABUsbTips.exe (started)
              Dropped: C:\Users\user\AppData\Local\Temp\ujrylta (PE32+); C:\Users\user\AppData\Local\...\UT_Task.exe (PE32+)
              Signatures: Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
              - UT_Task.exe (started)
                  Network: dynamic-summit-cfd.cfd 104.21.48.1, 443, 49697, 49698 CLOUDFLARENETUS United States
                  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 4 other signatures
                  - chrome.exe (started)
                      Network: 192.168.2.8, 138, 443, 49244 unknown unknown
                      - chrome.exe (started)
                          Network: www.google.com 142.250.65.196, 443, 49797, 49800 GOOGLEUS United States; play.google.com 142.250.80.46, 443, 49833, 49848 GOOGLEUS United States; 5 other IPs or domains
                  - msedge.exe (started)
                      - msedge.exe (started)
              - cmd.exe (started)
                  Signatures: Switches to a custom stack to bypass stack traces
                  - conhost.exe (started)
  - ABUsbTips.exe (started)
      Dropped: C:\Users\user\AppData\Local\Temp\yslfij (PE32+)
      Signatures: Maps a DLL or memory area into another process
      - cmd.exe (started)
          - conhost.exe (started)
      - UT_Task.exe (started)
  - msedge.exe (started)
      Network: 239.255.255.250 unknown Reserved
      - msedge.exe (started)
          Network: 131.253.33.219, 443, 49951, 49952 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; ax-0003.ax-msedge.net 150.171.27.12, 443, 49895 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 34 other IPs or domains
      - msedge.exe (started)
      - msedge.exe (started)
      - msedge.exe (started)
Threat name: Win64.Malware.Heuristic
Status: Malicious
First seen: 2025-03-27 08:51:16 UTC
File Type: PE+ (Exe)
Extracted files: 47
AV detection: 15 of 24 (62.50%)
Threat level: 2/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour:
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Verdict: Malicious
Tags: Win.Malware.Wingo-10036258-0
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: sus_pe_free_without_allocation
Author: Maxime THIEBAUT (@0xThiebaut)
Description: Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Executable exe aeb8342fe519b84fedd23e5b963fa34039f826170c2ab341c23e18e9e6708fde (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings (ID, Title, Severity)
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (FORCE_INTEGRITY) (severity: high)

Reviews (ID, Capabilities, Evidence)
GDI_PLUS_API: Interfaces with Graphics
  Evidence: gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
WIN32_PROCESS_API: Can Create Process and Threads
  Evidence: KERNEL32.dll::CloseHandle
WIN_BASE_API: Uses Win Base API
  Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API: Can Execute other programs
  Evidence: KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API: Can Create Files
  Evidence: KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments