MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca23870a45d3be35420a930a5eece560dbc792734fe32df17430a3f8820abd68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca23870a45d3be35420a930a5eece560dbc792734fe32df17430a3f8820abd68
SHA3-384 hash: 2a5f30a2880a05111b4c7853cf27a078ffdb5875f1aeae5b0bc4b42bb1eb2401ca00a7417038ad0fbdb616fb96646f88
SHA1 hash: b60d90561329e74da57df1f1e911032844d0097f
MD5 hash: 86cc1a9841b76519688a2df518e207f5
humanhash: lima-undress-mississippi-fanta
File name:file
Download: download sample
File size:1'666'768 bytes
First seen:2022-12-04 15:34:48 UTC
Last seen:2022-12-04 17:27:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ce034b939c6145516baadcd9b5d3871 (2 x RedLineStealer, 1 x SystemBC, 1 x ArkeiStealer)
ssdeep 24576:jDQdaR+hlTQd5nbB1J4cz2sIvP7F+mexLnWdSdG7WNN1cMx8hLqO3CB+zRv/1ZiW:0aLJ14OfI3p3dX7aSODB+ltZdrhD
Threatray 221 similar samples on MalwareBazaar
TLSH T116752331E3A19437D863103465A5BFB35A3D7E304AA5A9BB7E882F1E1E352C39871317
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 801c8e836eaea5a2
Reporter andretavare5
Tags:exe signed

Code Signing Certificate

Organisation:www.startech.com
Issuer:DigiCert SHA2 Extended Validation Server CA
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-06T00:00:00Z
Valid to:2023-08-18T23:59:59Z
Serial number: 05c171e14a1330e1892ba2a1d097b3e3
Intelligence: 11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: edb3c46f5e89e9836fff38adafea714cfee9550d9c9c1ae6a0dc01313a673866
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://91.213.50.36/files/spacemen.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-04 15:35:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/312f5f9e-6b4c-4d91-891f-4451ad2d57f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342572/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.22863.11725.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/638cbe280c6473d167196e4f/reports/ec53c882-7ccf-45f6-ab77-ff5cea6331ec/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1fb66a8d-361f-4779-9530-8799b086783a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1127516
Signature
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca23870a45d3be35420a930a5eece560dbc792734fe32df17430a3f8820abd68/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-12-04 15:35:12 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ziryocsf2o7dkqqksmff53hfmdn4pettj7rs34lugcr7raqkxvua._file
Verdict:
malicious
Similar samples:
1212ac208df0962b7d1347b0dadbbd54e83b9dd4d30c45f760544f27e9c0f7b5
13d19cf0f53c65faef0b0f569bfe7c0a740c9113a6c5a0441f9509b3db59bc54
2c3310a45db53d2bc092521b417c9434c919dce00876b386e39a5b7cffa3c58f
2c989418ee6df1ae08f2332ca25edc3c7ace2aa9f8ef710b80857c500b4f4c01
44212fc0e7338e59097d84235ef677051327e3486960b2801099ab57f51de83a
44593f2948e2800c83e9d21abb9759e206ea94385ee5c0ddc9dc6a3e4d09273d
616812fc478db8cb2f4be4aae6094fb9e93ca2449c9b0841beeb9f7960914437
9decea735b00c1885b133ce7b7350ae65ec33a1c9663ec22d34216e425b18168
cf944362d88ca9e50ddba1ac4661c6185e9d2be1727ec4c78bb003fa3f4a9309
e9d2fc84653ded9e3b6a95d30ac8c86cd7dae65319238c9810277bee34c4d5d6
+ 211 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/221204-s1bvxafg2t/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5ae15f4c-52e7-4c2e-a4f8-7490d16b2283
Unpacked files
SH256 hash:
3bb144fde38365f898a2badca032e4f02afd2a9e14d9ebb7ba6a94fefc5003ee
MD5 hash:
51d0c7b8d143497606a1cfdd2060a2cd
SHA1 hash:
74aeca1ff6dd4f97d2a38984b5558fa9b517eb47
Link:
https://www.unpac.me/results/9da63d04-7973-4295-8e06-051bc2d3190e/
SH256 hash:
ca23870a45d3be35420a930a5eece560dbc792734fe32df17430a3f8820abd68
MD5 hash:
86cc1a9841b76519688a2df518e207f5
SHA1 hash:
b60d90561329e74da57df1f1e911032844d0097f
Link:
https://www.unpac.me/results/9da63d04-7973-4295-8e06-051bc2d3190e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
Link:
https://yomi.yoroi.company/submissions/ca23870a45d3be35420a930a5eece560dbc792734fe32df17430a3f8820abd68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/342572/
  
URLhaus
https://urlhaus.abuse.ch/url/2443775/

Comments