MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2f357f6d88d014312346bcb9e534f8bafba1d572600168018af8ce3402d1799. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	c2f357f6d88d014312346bcb9e534f8bafba1d572600168018af8ce3402d1799
SHA3-384 hash:	ef6320a0413b68f4c1e3aa3d6cc908d84b12123d7c422018f7ee40ff151bf69643efba2f02350a83d6f8fddfac8fe78f
SHA1 hash:	3fbb2101bd842548e67870b7978ccede9eaca586
MD5 hash:	e200e1d71e8775f6a146fff0a587c495
humanhash:	may-mobile-violet-eight
File name:	file
Download:	download sample
File size:	5'934'316 bytes
First seen:	2022-11-09 13:35:35 UTC
Last seen:	2022-11-10 07:17:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a3017ccb2c25f455f959277b4c3674df (2 x RedLineStealer, 2 x Vidar, 1 x Blackcocaine)
ssdeep	98304:QaGEenrbDb4gP3z70QmA/7kS215DyQ8SsvLSagr0bEk8fVUZR0Kf18o32vthUgDe:jG3rMgfbmAoSaxGSsvLcYsfSr0K98o3v
Threatray	2'506 similar samples on MalwareBazaar
TLSH	T1125633E341E5FD95D11327F2495100B8C972B8BA4E869327F96FD627911138FCF32A8A
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	andretavare5
Tags:	exe

andretavare5

Sample downloaded from https://vk.com/doc760750097_655705006?hash=EUe2sZT1TH7jiAmIuvN0aVGLDN20fOKwBtAnULoy3w0&dl=G43DANZVGAYDSNY:1668000814:4aUovMEf0Rh03NzvelzcgT8CIielO0D9FvBjFDZoKMs&api=1&no_preview=1#52_1

Intelligence

File Origin

# of uploads :

457

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-11-09 13:38:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/60a0397c-fe18-4dc8-add0-c557193722f6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/331227/

Detection(s):

SecuriteInfo.com.Win64.Trojan-gen.15337.13034.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/636bacc47662ecf10839737f/reports/9f058aec-7d1d-4208-b1eb-6273b748bf78/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/cb0273a2-46d6-453f-a16f-ab21d6c4621c

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1109311

Signature

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected Go Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c2f357f6d88d014312346bcb9e534f8bafba1d572600168018af8ce3402d1799/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-09 13:36:19 UTC

File Type:

PE+ (Exe)

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ylzvp5wyruaugerunpfz4u2prox3uhkxeyabnaayv6gogqbnc6mq._file

Verdict:

unknown

212033484641d51e968cecf3f8f2b7cf275f7c69e5c159093cecb73d07ddf1f3

3174495d59b192ef7c99dd92f3da2a9661fbff2c189b3ad7c2e0abe3d35b8feb

354d75a7702604c1424e1e922958a93e5911ed356a5736f1a0f4de84eca02412

4ee4a194ce1067583a2bc50dd562a8809e7deb41852454f999de5e3ce9a6dc80

ba3dcb22690e011caffff1c9c0f327c61a26fa16ae987222bf6df35d5bd44458

c00a6a16560557073649393b2ef306dbc831c8bd6ca53882f6e3363a0ed82380

e2ec4687058c756a830d9371be5784bb81fe58cb6ad8ab34592800674e4c3633

+ 2'496 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/221109-qwaqyahcg5/

Behaviour

GoLang User-Agent

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

c2f357f6d88d014312346bcb9e534f8bafba1d572600168018af8ce3402d1799

MD5 hash:

e200e1d71e8775f6a146fff0a587c495

SHA1 hash:

3fbb2101bd842548e67870b7978ccede9eaca586

Link:

https://www.unpac.me/results/456f8cd6-056a-4e76-bc19-16c2d18bd958/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c2f357f6d88d014312346bcb9e534f8bafba1d572600168018af8ce3402d1799

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/331227/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample