MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b042b92b14066a70fb2c5be8de844b2d770589ee8910f40b3882f8d9c8be62ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 10



SHA256 hash: b042b92b14066a70fb2c5be8de844b2d770589ee8910f40b3882f8d9c8be62ae
SHA3-384 hash: 47df6f9e5db97a7842016db1412f3bceb3a4321d2081d48f2226e236d9117db4e7a93f621e5cae71256db60dba595a26
SHA1 hash: 54de7688d20cffe53988fbb837dcfb6920b833b9
MD5 hash: e71892bf9632bc5732ec2d654d6b9c15
humanhash: item-hamper-kitten-carolina
File name: MsSgrmLpac.exe
File size: 11'810'304 bytes
First seen: 2023-02-13 19:26:50 UTC
Last seen: 2023-02-13 21:29:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 37 x Vidar)
ssdeep: 98304:hI3OXp6oUgXINsQ6HVMu1heVvA7yIUEHnNZ9b323Jam:hwODUg6VvKbtHV3mIm
TLSH: T11AC63B47F89191E8C0ADD175C6699292BA313C844F3063D36B60FBB62F36BE46E79314
gimphash: 387ab92685f70745eee44000b16a8ece78853cc2118084c364a2bd9fddc6be83
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: iamdeadlyz
Tags: crashreportcdn-dot-com, exe, SpacePearl


Iamdeadlyz
From spacepearl.io (fake P2E game - plagiarised contents from multiple sources - fake team)
Malicious traffic to C&C: crashreportcdn.com

Intelligence


File Origin
# of uploads: 2
# of downloads: 302
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: MsSgrmLpac.exe
Verdict: Malicious activity
Analysis date: 2023-02-13 19:27:46 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %AppData% directory
DNS request
Sending a custom TCP request
Launching a process
Running batch commands
Reading critical registry keys
Changing a file
Setting a global event handler for the keyboard
Stealing user critical data
Enabling autorun by creating a file
Gathering data
Result
Verdict: MALICIOUS
Result
Threat name: Unknown
Detection: malicious
Classification: adwa.spyw.evad
Score: 56 / 100
Signature
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (graph image not reproduced; the node data recoverable from the page follows):
  Behavior Graph ID: 806530; Sample: MsSgrmLpac.exe; Start date: 13/02/2023; Architecture: WINDOWS; Score: 56
  Network: crashreportcdn.com resolving to 188.114.96.3 (TCP 443, source ports 49696, 49698) and 188.114.97.3 (TCP 443, source ports 49697, 49699), CLOUDFLARENETUS, European Union; 192.168.2.1 (unknown)
  Dropped file: C:\Users\user\AppData\...\MsSgrmLpac.exe (PE32+)
  Process tree: MsSgrmLpac.exe (two instances started); MsSgrmLpac.exe -> powershell.exe -> conhost.exe; MsSgrmLpac.exe -> cmd.exe -> conhost.exe
  Signatures attached to MsSgrmLpac.exe: Suspicious powershell command line found; Bypasses PowerShell execution policy; Drops PE files to the startup folder; Tries to harvest and steal browser information (history, passwords, etc)
Threat name: Win64.Infostealer.Generic
Status: Suspicious
First seen: 2023-02-13 19:28:16 UTC
File Type: PE+ (Exe)
Extracted files: 6
AV detection: 5 of 26 (19.23%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops startup file
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: b042b92b14066a70fb2c5be8de844b2d770589ee8910f40b3882f8d9c8be62ae
MD5 hash: e71892bf9632bc5732ec2d654d6b9c15
SHA1 hash: 54de7688d20cffe53988fbb837dcfb6920b833b9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aix
Author:Tim Brown @timb_machine
Description:AIX binary
Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:GoBinTest
Rule name:golang
Rule name:Golangmalware
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Description:Golang strings present
Rule name:HiveRansomware
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Author:Eric Yocam
Description:find Golang malware
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

This sample: Executable exe b042b92b14066a70fb2c5be8de844b2d770589ee8910f40b3882f8d9c8be62ae

Dropped by: SHA256 e3d8e24c2741cbdb8a0cd20da683c1df5d9589742bbc1589192a45fc661444ac
Dropped by: SHA256 d645f87e9effc9b26c410ee9b7269ec4094c23a7b46d7cee5720be9d630b7029

Delivery method: Distributed via web download

Comments