MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af11aae5cc9fef4b138f63b4d24a4842796c1815cb6555e99e4230a418ecb696. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af11aae5cc9fef4b138f63b4d24a4842796c1815cb6555e99e4230a418ecb696
SHA3-384 hash: 94d3fec4d9977d77762cf1e510fc0381ce189062310409c411d81e00697087199bd8fc8582338fc36dfcd51accebb91e
SHA1 hash: 5788389eedf1d34366b50501ae14a17af86f80d8
MD5 hash: 5c2d21926d39cd4ac6189e5ff1e1ec6c
humanhash: apart-tango-artist-nineteen
File name:SecuriteInfo.com.Win32.Evo-gen.18781.13097
Download: download sample
File size:3'090'670 bytes
First seen:2022-12-01 08:28:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 36 x Vidar)
ssdeep 49152:X9vZPy4yqkKi8M/GAqhFd3uEaU4a+ld6k1jw:XJ9y4cKzwlW
Threatray 11 similar samples on MalwareBazaar
TLSH T1D2E5E6E1FADB04F1E50319310896627F27342E096F3ADBC7D9503F99E973AA20A33559
gimphash c269b976c3cd6ad690ccc00a28f256df3ecc35d2f19f50d4e20a41c648f83336
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.Evo-gen.18781.13097
Verdict:
No threats detected
Analysis date:
2022-12-01 08:31:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/277a6550-13ec-4f18-b2a2-547ca8f53f98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341025/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.18781.13097.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm golang greyware overlay
Link:
https://www.filescan.io/uploads/638865d0579915b6b303c431/reports/133a688f-7217-4a68-bda4-ddf7041fbc3a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb0502ce-4449-4f2e-a881-7330cb354da3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1125104
Signature
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af11aae5cc9fef4b138f63b4d24a4842796c1815cb6555e99e4230a418ecb696/
Threat name:
Win32.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2022-12-01 05:44:09 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4i2vzomt7xuwe4pmo2nessiij4wygavznsvl2m6iiykighmw2la._file
Verdict:
malicious
Similar samples:
30c1f93a3d798bb18ef3439db0ada4e0059e1f6ddd5d860ec993393b31a62842
5183c27d986a7a6682d0f57a40eff9c2e458ddfd8175f849fe9390e46b1a7cf5
7bb10303027c42b4893bc186be547fbd8f0d59a8a8171703c8ad88680831785f
a7dfb6bb7ca1c8271570ddcf81bb921cf4f222e6e190e5f420d4e1eda0a0c1f2
be607f4670ec8ae8808e6c46603344dcd3d0e58c7e2c7644cf6a360e60f92ce7
d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4631c62191915af02379
e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc
eb8faad12b1bc7657060878a8b672344c95a0a6cdedeedf7b2702c7add6a815d
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221201-kdlgtsed5s/
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/227064fa-0247-43d0-9022-3315e226b040
Unpacked files
SH256 hash:
af11aae5cc9fef4b138f63b4d24a4842796c1815cb6555e99e4230a418ecb696
MD5 hash:
5c2d21926d39cd4ac6189e5ff1e1ec6c
SHA1 hash:
5788389eedf1d34366b50501ae14a17af86f80d8
Link:
https://www.unpac.me/results/53750ec3-eccc-4fb4-92c4-e85eab617405/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af11aae5cc9f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/af11aae5cc9fef4b138f63b4d24a4842796c1815cb6555e99e4230a418ecb696

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe af11aae5cc9fef4b138f63b4d24a4842796c1815cb6555e99e4230a418ecb696

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2440449/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2440457/
Cape
Cape
https://www.capesandbox.com/analysis/341025/

Comments