MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd19a0675145a2931cbcfe58b72e0a0d4b82d47a8f4dd3bff683f212d0ada369. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 8 File information Comments

SHA256 hash:	bd19a0675145a2931cbcfe58b72e0a0d4b82d47a8f4dd3bff683f212d0ada369
SHA3-384 hash:	0e9222c054adf00bdafff99d92e3923d258cf39e47d97b467fac1efcb5f77c5a344d58b98a11bd5acd895d76e9e6287f
SHA1 hash:	78e0eba6121d0850b743ce4127d960c088d43109
MD5 hash:	cdb08964f95490ea413b0202f9d4576f
humanhash:	fish-neptune-sixteen-carpet
File name:	cdb08964f95490ea413b0202f9d4576f.exe
Download:	download sample
File size:	5'841'247 bytes
First seen:	2024-09-22 05:11:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	456e8615ad4320c9f54e50319a19df9c (15 x SVCStealer, 10 x BlankGrabber, 5 x CoinMiner)
ssdeep	98304:5ww7lEWHioVQWJuhswoYv5eO0zo0Ahd6y0Naxxv8fqDDAxSSpXq0eo8+qoDj1wd:5ZHiouWJysVYvsOaoyMxxvjDDAxSSEdv
TLSH	T196463394A3E10EE6F9A7C03DD8B0D815D733B4260711E45786F447266F27BF0AA29FA1
TrID	70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.5% (.ICL) Windows Icons Library (generic) (2059/9) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
File icon (PE):
dhash icon	c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

414

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

CryptoKeyBrute V1.0.exe

Verdict:

Malicious activity

Analysis date:

2024-09-17 12:26:42 UTC

Tags:

sniffthem loader clipper diamotrix stealer redline metastealer pyinstaller rat asyncrat remote python

Link:

https://app.any.run/tasks/493541c8-7bc1-42f6-8108-39bcf4c609fa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Python.Muldrop.16.25653.2991.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66ef2f1c1db25d66857c86f3

Tags:

Encryption Generic Stealth Installer Dropped

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

clipbanker expand lolbin microsoft_visual_cc overlay packed

Link:

https://www.filescan.io/uploads/66efa7245e9303a294239946/reports/66a6e5d2-04db-4824-978b-ce79cf251d9d/overview

Verdict:

Malicious

Labled as:

Trojan.Win64.Genus

Link:

https://www.hybrid-analysis.com/sample/bd19a0675145a2931cbcfe58b72e0a0d4b82d47a8f4dd3bff683f212d0ada369

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/1427a87b-5c3a-4e4e-a47e-18baa70edb04

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1515275

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bd19a0675145a2931cbcfe58b72e0a0d4b82d47a8f4dd3bff683f212d0ada369

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd19a0675145a2931cbcfe58b72e0a0d4b82d47a8f4dd3bff683f212d0ada369/

Threat name:

Win64.Infostealer.ClipBanker

Status:

Malicious

First seen:

2024-09-15 09:43:00 UTC

File Type:

PE+ (Exe)

Extracted files:

451

AV detection:

17 of 38 (44.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xum2az2riwrjghf47zmlolqkbvfyfvd2r5g5hp7wqpzbfufnunuq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/240922-fvvdvataqk/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2a60d121-2ee3-435c-9986-1c623007d7a7

Unpacked files

SH256 hash:

bd19a0675145a2931cbcfe58b72e0a0d4b82d47a8f4dd3bff683f212d0ada369

MD5 hash:

cdb08964f95490ea413b0202f9d4576f

SHA1 hash:

78e0eba6121d0850b743ce4127d960c088d43109

Detections:

PyInstaller

Link:

https://www.unpac.me/results/60c757da-485f-4490-854d-d8df82a4612b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bd19a0675145a2931cbcfe58b72e0a0d4b82d47a8f4dd3bff683f212d0ada369

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_APT29_WINELOADER_Backdoor Create hunting rule
Author:	daniyyell
Description:	Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:	https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties

Rule name:	Detect_Malicious_VBScript_Base64 Create hunting rule
Author:	daniyyell
Description:	Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe bd19a0675145a2931cbcfe58b72e0a0d4b82d47a8f4dd3bff683f212d0ada369

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3185050/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (FORCE_INTEGRITY)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::FindFirstFileW KERNEL32.dll::RemoveDirectoryW KERNEL32.dll::SetDllDirectoryW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample