MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c53f7ebd83475a296ad52cd4e9c44c7eb93f0db72182e66c2816a81571400112. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Predator

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	c53f7ebd83475a296ad52cd4e9c44c7eb93f0db72182e66c2816a81571400112
SHA3-384 hash:	05ec5416c3a3d0c2c32ac5830f12610af6e1753e2372f133eac10f924d4f98ec0df9afe488871ac93391e845b225f728
SHA1 hash:	5585f2a4429d4f56f81c67aecd5eaeac5bb8c0ee
MD5 hash:	bece8b42f8473c0dc498ad404a487c62
humanhash:	missouri-hamper-beryllium-october
File name:	bece8b42f8473c0dc498ad404a487c62.exe
Download:	download sample
Signature	Predator Create hunting rule
File size:	3'492'224 bytes
First seen:	2022-10-13 06:44:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	98304:VW2wcSdQCCXsD5E6H2iGzl7l8yb3WLFJntvpmQx:VWrpdQC4sD5bWNlpzb+7x
Threatray	15'558 similar samples on MalwareBazaar
TLSH	T18EF5334A2AA77F95DA3483792731C8EACF58DFE507D9C72C2CCA6902BF6560F3201645
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4505/5/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	414555c0d4d44503 (15 x njrat, 14 x BlackNET, 8 x Lucifer)
Reporter	abuse_ch
Tags:	exe Predator

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/319708/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Creating a file

Reading critical registry keys

Creating a process from a recently created file

Searching for synchronization primitives

Moving of the original file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6347b3eff7728fc83824f0c6/reports/4bd979f3-42b9-4183-a6ee-07c9c4be82b8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/9734e1ca-d127-4eeb-8ee0-befc4e8336bd

Result

Threat name:

Predator

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1089530

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Moves itself to temp directory

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Generic Downloader

Yara detected Predator

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c53f7ebd83475a296ad52cd4e9c44c7eb93f0db72182e66c2816a81571400112/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2022-10-13 06:24:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 41 (53.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yu7x5pmdi5ncs2wvftkotrcmp24t6dnxegbom3bic2ubk4kaaeja._file

Verdict:

malicious

Predator

37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402

Predator

486792753b8bf6ae281a6fdb7783f482f288d6c783c603ebd8e31e6a0f354669

Predator

53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9

Predator

a7e29a0a274f353c1472741fb4db1881989011ae3d76a9904c78ab42ffa2a82d

Predator

ad4c13e847384a5ed8640ea6bd4c42c97f55eef4ce21d11224b89d818e0cf74f

Predator

b72e48f5e44ac62ff8a6946d030f1d156d0ecd2c6f6a38e42df69b1290d7fd7e

Predator

eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6

Predator

+ 15'548 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

collection discovery evasion persistence spyware stealer themida trojan

Link:

https://tria.ge/reports/221013-hh2y9sbca5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Looks up external IP address via web service

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ac059fe8-2c16-4239-8f71-fae5df2a2798

Unpacked files

SH256 hash:

dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a

MD5 hash:

c02a029c978f13b753c6b578b1588c75

SHA1 hash:

e125d59451e7f467bfd329a00a506decbcd91d83

Link:

https://www.unpac.me/results/98220b45-262a-4872-81dc-eb4ca94eaeef/

SH256 hash:

39ec76a3330caf82efd2b18fc40f3efc3b0d76ca4af22ea325eab365434b369d

MD5 hash:

ec12c1b18aeca31b02b746415fc750b7

SHA1 hash:

d439757ebd7a9063ae29bd61a03617582c36ed09

Link:

https://www.unpac.me/results/98220b45-262a-4872-81dc-eb4ca94eaeef/

SH256 hash:

1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

MD5 hash:

af07e88ec22cc90cebfda29517f101b9

SHA1 hash:

a9e6f4ae24abf76966d7db03af9c802e83760143

Link:

https://www.unpac.me/results/98220b45-262a-4872-81dc-eb4ca94eaeef/

SH256 hash:

ac339deed84cafab79d2a4bc7b232849a0232b2664dbd56c12b5c90e90a91c32

MD5 hash:

f532e03f70df6dd099be185f501d9fe0

SHA1 hash:

a637e7559d9e4963b74ce29bdf30dc4632e574f2

Link:

https://www.unpac.me/results/98220b45-262a-4872-81dc-eb4ca94eaeef/

SH256 hash:

c53f7ebd83475a296ad52cd4e9c44c7eb93f0db72182e66c2816a81571400112

MD5 hash:

bece8b42f8473c0dc498ad404a487c62

SHA1 hash:

5585f2a4429d4f56f81c67aecd5eaeac5bb8c0ee

Link:

https://www.unpac.me/results/98220b45-262a-4872-81dc-eb4ca94eaeef/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c53f7ebd8347/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/c53f7ebd83475a296ad52cd4e9c44c7eb93f0db72182e66c2816a81571400112

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_VPN Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many VPN software clients. Observed in infosteslers

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Predator

exe c53f7ebd83475a296ad52cd4e9c44c7eb93f0db72182e66c2816a81571400112

(this sample)

Cape

https://www.capesandbox.com/analysis/319708/

URLhaus

https://urlhaus.abuse.ch/url/2366137/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample