MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b000ebdd1ec391024c2d6a953a56485a5460ca449b419bb2380f210620d72dae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b000ebdd1ec391024c2d6a953a56485a5460ca449b419bb2380f210620d72dae
SHA3-384 hash: ba6ff7bec4f500d8f0d244938e911bbebb4f8303eb2dca296af7777abfa846caf79e598225679932f6f6cfcdb7ffe615
SHA1 hash: 65558c19f0dcb1c8720a15888b15120fd0611132
MD5 hash: 4e0b73b8191c88685bd5d9b6eb9b8ba7
humanhash: six-timing-floor-indigo
File name:Setup.exe
Download: download sample
File size:29'251'343 bytes
First seen:2022-07-23 09:00:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e92fd54d65284238a0e3b74b2715062 (21 x Empyrean, 4 x Gh0stRAT, 4 x Telemiris)
ssdeep 393216:0CxdyJhoon1UGpEL2Vmd6m6MBktCwMJ2lxsJljt:0CzyJ+UuGpEyVmd4kVP2oJRt
Threatray 28 similar samples on MalwareBazaar
TLSH T1345733105FA52CEFC6BC873CB0FF5F1E56E41A659858F5DF83A0E487069BB814427A28
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon ccc3dbe5a39383ce
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-07-23 09:03:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/239a5dff-0bea-4081-b5c5-7ffd1e69060e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27158/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed warp
Link:
https://www.filescan.io/uploads/62dbb95bef2b0e63a834b5a4/reports/b2f8e26e-54ef-4b9e-80de-9dc08a05006a/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Discord Token Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1039681
Signature
Antivirus detection for URL or domain
Contains functionality to infect the boot sector
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Discord Token Stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=waaoxxi6yoiqetbnnkktuvsiljkgbssetnazxmryb4qqmigxfwxa._file
Verdict:
unknown
Similar samples:
0c4053cd19c412ce31dcc933a512da0e5fb9433e6b7d69851d1289d4ce2e59b9
0df6eca30071051714c4d1b5bd16e11feb7a76ab208c907771d0dd470d91ab07
329d77b0ab5af0e568b9d56e3c3f7afc4266bf2cea0bd816ed4e67d4c9a09692
414d8e74cdb96fe1e8742018494be41cdebd5c11804a30a7876a5bcd7bf01764
476a05d5c8ef4444f96cbd02c3a315c56227b7510f75e82249a449bb79e977fc
4b56d8713523dea09695ec6beef98608c234e5f8a9be77be931a687c080fb0f1
5a84910606ad80acd72e15856c704e0a044f93d46df482d5629d4cc2c55d546b
63499ea2f5bb554931547eb8cda06ce7e862a0c81ab68ba42b71a722fa2fc853
a07afb3f48c05bc311adc6a9473310e6b35e14f14920e543ee8ca032a0af637f
af828a7abf4cb31d7e12b5a2e45e99e5009f3c9f5cefe0760fa0ab880f642794
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/220723-kywhjadehq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b000ebdd1ec391024c2d6a953a56485a5460ca449b419bb2380f210620d72dae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments