MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b591c598018c7460e5d968e525acca75b348513c82efb99087baad773bfdff81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b591c598018c7460e5d968e525acca75b348513c82efb99087baad773bfdff81
SHA3-384 hash: b60d1870fb68f30a46b6496850b0ae9061edf71513998ce458556e5998ca0dbaf0c056f103b8b6efa4b68ffab82edce4
SHA1 hash: a6dc29595217ccf86853a73caa32080c144b4c5a
MD5 hash: 49277fdae29b778f4c78f4c16f5e0724
humanhash: timing-may-spring-hotel
File name:TeaiGames.exe
Download: download sample
File size:85'447'003 bytes
First seen:2024-04-02 17:29:37 UTC
Last seen:2024-04-02 18:28:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:t/WHHr9tr6pMMu1b8ifFpzjz3u5T6XFzWgrOGr5B3AJguO8h7CL7:t/8L9F6pvu1Bpzv34SFzWg9PhuOM7CL7
TLSH T17C18331AFE2F8984FA6D57A7C00688BA9636328B970D45527C6F0F070A31D295DDCFC9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter e24111111111111
Tags:exe NovaSentinel

Intelligence

File Origin
# of uploads :
2
# of downloads :
417
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b591c598018c7460e5d968e525acca75b348513c82efb99087baad773bfdff81.exe
Verdict:
Malicious activity
Analysis date:
2024-04-02 17:31:21 UTC
Tags:
stealer waspstealer evasion generic
Link:
https://app.any.run/tasks/8d12e946-75de-44d5-8f51-50300c2601b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Launching many processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/660c40a5ec04992a87d87a15/reports/85955bb2-131b-4f36-9137-bedc61555335/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b591c598018c7460e5d968e525acca75b348513c82efb99087baad773bfdff81
Result
Verdict:
MALICIOUS
Result
Threat name:
NovaSentinel
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1418942
Signature
Antivirus detection for URL or domain
Drops large PE files
Found suspicious ZIP file
Yara detected NovaSentinel
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1418942 Sample: TeaiGames.exe Startdate: 02/04/2024 Architecture: WINDOWS Score: 64 55 www.google.com 2->55 57 www.facebook.com 2->57 59 10 other IPs or domains 2->59 67 Antivirus detection for URL or domain 2->67 69 Yara detected NovaSentinel 2->69 71 Found suspicious ZIP file 2->71 9 TeaiGames.exe 179 2->9         started        signatures3 process4 file5 43 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 9->43 dropped 45 C:\Users\user\AppData\Local\...\System.dll, PE32 9->45 dropped 47 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 9->47 dropped 49 12 other files (none is malicious) 9->49 dropped 73 Drops large PE files 9->73 13 TeaiGames.exe 5 9->13         started        signatures6 process7 dnsIp8 61 api.gofile.io 151.80.29.83, 443, 49719, 49734 OVHFR Italy 13->61 63 store9.gofile.io 206.168.190.239, 443, 49737 MASSIVE-NETWORKSUS United States 13->63 65 8 other IPs or domains 13->65 51 d9b74f30-59db-4172...be09fd763f.tmp.node, PE32+ 13->51 dropped 53 49b69e0d-b52d-44f7...b5d3e6ea4f.tmp.node, PE32+ 13->53 dropped 17 cmd.exe 1 13->17         started        19 cmd.exe 1 13->19         started        21 cmd.exe 13->21         started        23 91 other processes 13->23 file9 process10 process11 25 WMIC.exe 1 17->25         started        27 conhost.exe 17->27         started        29 tasklist.exe 1 19->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 tasklist.exe 21->35         started        37 conhost.exe 23->37         started        39 conhost.exe 23->39         started        41 115 other processes 23->41
Score:
34%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/b591c598018c7460e5d968e525acca75b348513c82efb99087baad773bfdff81
Gathering data
Threat name:
Win32.Trojan.Malicord
Create hunting rule
Status:
Malicious
First seen:
2024-03-13 23:21:56 UTC
File Type:
PE (Exe)
Extracted files:
216
AV detection:
5 of 38 (13.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwi4lgabrr2gbzozndssllgkowzuquj4qlx3teehxkwxoo7576aq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion spyware stealer
Link:
https://tria.ge/reports/240402-v27p3sge3t/
Behaviour
Detects videocard installed
Enumerates processes with tasklist
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b591c598018c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b591c598018c7460e5d968e525acca75b348513c82efb99087baad773bfdff81

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments