MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6e53366dbd7c6665db9bb826ba00d769c8e4cfd8e4f43081b77ff822a55d839. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 15



SHA256 hash: b6e53366dbd7c6665db9bb826ba00d769c8e4cfd8e4f43081b77ff822a55d839
SHA3-384 hash: 4f37729e5cf7752ab6729d483c74e6267d4593dee84084bad2794b83c84e8c6d85c4c626dfbee13415b2211089d9d9bc
SHA1 hash: 46a195444d8d58f0cdc590edf94f79e1893f19de
MD5 hash: 085586935ca88cc706588ddf1b5417b9
humanhash: oxygen-july-cold-mobile
File name: Virus.Danger.ATA_virussign.com_085586935ca88cc706588ddf1b5417b9.exe
File size: 8'517'654 bytes
First seen: 2025-03-16 23:45:22 UTC
Last seen: 2025-03-17 00:35:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep: 196608:IpakegBvURWbIghxh071DO3JQMF4yjjwCtBcficKiya:IpaknMRjWxmO5VFtr1
TLSH: T10086235566F04AB3EC4650B2E60DC69D0E34AE7D5322C21F600B3D27397937BC96B7A2
TrID:
  25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  19.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
  17.1% (.EXE) Win32 Executable (generic) (4504/4/1)
  7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  7.8% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 4d55214949410727 (1 x RedLineStealer, 1 x AsyncRAT)
Reporter: 2huMarisa
Tags: exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 384
Origin country: CA
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Virus.Danger.ATA_virussign.com_085586935ca88cc706588ddf1b5417b9.exe
Verdict: Malicious activity
Analysis date: 2025-03-16 23:49:11 UTC
Tags: stealer themida

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: bhosta virus lien msil
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Creating a file
Stealing user critical data
Launching a tool to kill processes
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: boaxxe crypt obfuscated overlay packed packed packer_detected themidawinlicense threat
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: phis.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph (ID 1640119; sample 29Gp7vD6lA.exe; start date 17/03/2025; architecture WINDOWS; score 100):
  Network: idite-s-mirom.000webhostapp.com
  Sample-level signatures: Antivirus / Scanner detection for submitted sample; Icon mismatch, binary includes an icon from a different legit application in order to fool users; Multi AV Scanner detection for submitted file; 3 other signatures
  Process tree:
    29Gp7vD6lA.exe
      dropped: C:\Users\user\AppData\...\29Gp7vD6lA.exe (PE32); C:\Users\...\29Gp7vD6lA.exe:Zone.Identifier (ASCII)
      signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements; 3 other signatures
      29Gp7vD6lA.exe
        dropped: C:\Users\user\AppData\Local\Temp\Test.exe (PE32)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 12 other signatures
        Test.exe
          dropped: C:\Users\user\AppData\Local\...\templogin (SQLite)
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 7 other signatures
          taskkill.exe -> conhost.exe
          taskkill.exe -> conhost.exe
          taskkill.exe -> conhost.exe
          5 other processes -> conhost.exe (x3), 2 other processes
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2018-01-10 00:38:52 UTC
File Type: PE (Exe)
Extracted files: 60
AV detection: 21 of 36 (58.33%)
Threat level: 5/5
Verdict: malicious
Label(s): ufrstealer
Similar samples:
Result
Malware family: n/a
Score: 9/10
Tags: credential_access defense_evasion discovery spyware stealer
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SHA256 hash: b6e53366dbd7c6665db9bb826ba00d769c8e4cfd8e4f43081b77ff822a55d839
MD5 hash: 085586935ca88cc706588ddf1b5417b9
SHA1 hash: 46a195444d8d58f0cdc590edf94f79e1893f19de

SHA256 hash: 132d983c85706ba36f16a135707aa1d907921286a4072f4b2feee1099e603741
MD5 hash: a21fc84fe3b0aaf731e8c7b7a78d4942
SHA1 hash: 5ec9a3531cc1f850e8b9512e12041eefd9d34023

SHA256 hash: b4ce2cf4bb196a2fd6267a5c5684b1ff56e956f873f9bfc110575176009be992
MD5 hash: 092e7a819f15cd12fd5c679dbb37b535
SHA1 hash: d9be6f8fde2b50aad3e3337a479555ee17c808fd

SHA256 hash: a5c89b9cc9a8c3402619aca30ec330f8f7598aac64c730351f4c8314a7edaad1
MD5 hash: 5f2f7f6c4e18ec8f814d661f17ccee95
SHA1 hash: ab109ecbfd8e09191e6cef1e05691dd6f7b1408b

SHA256 hash: 1c967fa1553f66b338bb8d1a2664b5a78d9016d84b22d4cab82784a2d1cdd7c7
MD5 hash: 2ec92fdf8c6070d3a323c5ca4591662c
SHA1 hash: 1a111a0a746904318b1bda0b8fd20bfe2ad23787

SHA256 hash: 956d64e6256435bec62c2304e59fd6f45cae6c721f57034c152270f309983ae3
MD5 hash: b1e9654a0fa3b99aacd7c6300e8c6b19
SHA1 hash: 884b5126307e26de8d6299b242b8468bd4863868

SHA256 hash: 687e03386c5f35d95532524d223769e8acbe7caa717fa3cf114a7495df3dd905
MD5 hash: 571ac89aacea62ed746651331b4e88b7
SHA1 hash: 6349e2197e5c65c3bc667285100d1606f050cdff

SHA256 hash: 4de7500304e51b948f3bf875f2f66c562ca88281f81189df2e42a0460b23a3ff
MD5 hash: a35c88d89597d6990a4245d33f59fdc3
SHA1 hash: f59062a6f0b285924425d21aa0a7e3710db262db
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                   Title                                                      Severity
CHECK_AUTHENTICODE   Missing Authenticode                                       high
CHECK_NX             Missing Non-Executable Memory Protection                   critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection   high
CHECK_TRUST_INFO     Requires Elevated Execution (uiAccess:None)                high
