MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AdesStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132
SHA3-384 hash: c14e34821cf786b1f28e3b9360dfab8e37c4a5f7f3cdeeee8c4bd3e77a403ffc7d2fa590847db3d241156a73dbcb7fbd
SHA1 hash: 11c46dfce66a8ffc66ea8fdafeab3a34075bf5e2
MD5 hash: fccebee340a7006a339835a290922397
humanhash: oxygen-vegan-oregon-eight
File name:gremlin
Download: download sample
Signature AdesStealer
Create hunting rule
File size:130'560 bytes
First seen:2025-05-13 12:08:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:LQgRptO5cz8CDqITHKK4LQbj14umN0hgzmaP:/zPz8CWrUbjo
TLSH T1D7D32A8873EC8A52F3BF5DBCD47141624B76F2429D2EF78E188C44DA15333A09985B6B
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter kc5gg2
Tags:AdesStealer ClipBanker Clipper exe Gremlin stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
IN IN
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132
Verdict:
Malicious activity
Analysis date:
2025-05-04 01:03:48 UTC
Tags:
evasion stealer crypto-regex gremlin
Link:
https://app.any.run/tasks/b33b3b76-3beb-49a1-95e6-d67bfd0180a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilperseus-9956592-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682337374a59e5a2ce0431c3
Tags:
clipbanker virus sage msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Stealing user critical data
Connection attempt to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm clipbanker evasive fingerprint hacktool obfuscated reconnaissance stealer telegram zero
Link:
https://www.filescan.io/uploads/6823366cc7418694c8a9b42c/reports/486de67c-a960-4df7-8417-e1fe6896a93a/overview
Verdict:
Malicious
Labled as:
Trojan[Banker]/MSIL.ClipBanker
Link:
https://www.hybrid-analysis.com/sample/d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132
Malware family:
Sharp Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44a9893e-65ec-4d9a-98e9-434323cceca2
Result
Threat name:
Ades Stealer, Gremlin Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1688891
Signature
Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Yara detected Ades Stealer
Yara detected Gremlin Stealer
Yara detected Telegram Bot
Yara detected Telegram RAT
Yara detected Telegram Recon
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1688891 Sample: gremlin.exe Startdate: 13/05/2025 Architecture: WINDOWS Score: 100 37 ip-api.com 2->37 39 api.ipify.org 2->39 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 7 other signatures 2->67 8 gremlin.exe 14 81 2->8         started        13 msedge.exe 100 628 2->13         started        signatures3 process4 dnsIp5 47 ip-api.com 208.95.112.1, 49692, 80 TUT-ASUS United States 8->47 49 api.ipify.org 104.26.13.205, 443, 49690 CLOUDFLARENETUS United States 8->49 55 2 other IPs or domains 8->55 35 C:\Users\user\AppData\...\gremlin.exe.log, ASCII 8->35 dropped 69 Attempt to bypass Chrome Application-Bound Encryption 8->69 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->71 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->73 75 3 other signatures 8->75 15 chrome.exe 8->15         started        17 msedge.exe 9 8->17         started        51 192.168.2.5, 138, 443, 49307 unknown unknown 13->51 53 239.255.255.250 unknown Reserved 13->53 19 msedge.exe 13->19         started        22 msedge.exe 13->22         started        24 msedge.exe 13->24         started        26 msedge.exe 13->26         started        file6 signatures7 process8 dnsIp9 28 chrome.exe 15->28         started        31 chrome.exe 15->31         started        33 msedge.exe 17->33         started        41 13.107.246.69, 443, 49743, 49744 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->41 43 150.171.27.11, 443, 49738, 49750 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->43 45 27 other IPs or domains 19->45 process10 dnsIp11 57 tools.l.google.com 28->57 59 tools.google.com 28->59
Score:
64%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132/
Threat name:
ByteCode-MSIL.Spyware.Gremlinstealer
Create hunting rule
Status:
Malicious
First seen:
2025-03-16 19:27:51 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
26 of 35 (74.29%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2hvhk5tbcyr4njfndgip73kwf2eydi5keclrobs63xc34n5hmeza._file
Verdict:
malicious
Label(s):
hannibalstealer
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access discovery spyware stealer
Link:
https://tria.ge/reports/250513-pbkvqstn14/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Drops file in Program Files directory
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads user/profile data of web browsers
Uses browser remote debugging
Verdict:
Malicious
Tags:
Win.Packed.Msilperseus-9956592-0 external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/f19a28c2-dc30-4c5e-9d61-ac013774c042
Unpacked files
SH256 hash:
d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132
MD5 hash:
fccebee340a7006a339835a290922397
SHA1 hash:
11c46dfce66a8ffc66ea8fdafeab3a34075bf5e2
Link:
https://www.unpac.me/results/54852619-fed3-4ebf-a036-3ad074ce4981/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Crypto_Wallet_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing cryptocurrency wallet regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many VPN software clients. Observed in infosteslers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/
  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments