MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d21c8a005125a27c49343e7b5b612fc51160b6ae9eefa0a0620f67fa4d0a30f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d21c8a005125a27c49343e7b5b612fc51160b6ae9eefa0a0620f67fa4d0a30f6
SHA3-384 hash: bf21ce44e3c30f615c290efcfa99d559b97c41aa7926fca8febd74f2feb1167ce83d207ef56b4433f251f7fbc5705c3e
SHA1 hash: 07f8ce4b24858737bfa4c0b51f37f46066f2ca8a
MD5 hash: b87df1720cef681dfafd94d2f0d8e67e
humanhash: video-uranus-blue-kilo
File name:Gremlin.exe
Download: download sample
File size:287'232 bytes
First seen:2025-04-23 20:26:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:OYQdO8GAR3W/9k+ZUXH0Zz/7w2K4s7msUjaMxWAbab:ws87WS+ZUEZz/AutjaMx
TLSH T13A547B567319DA03EB6F877880FB195E227042DB4751EB7B1E8898E06B11385DB0AFC7
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.6% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter juroots
Tags:exe Gremlin stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
547
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Gremlin.exe
Verdict:
Malicious activity
Analysis date:
2025-04-23 06:10:29 UTC
Tags:
evasion stealer xor-url generic
Link:
https://app.any.run/tasks/69325fa1-b37e-41dc-a1f8-bb0038345a3d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/3775/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68094ed13d067f848398931b
Tags:
spawn sage remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Creating a window
Searching for the window
Searching for synchronization primitives
Sending an HTTP POST request
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint hacktool obfuscated obfuscated reconnaissance xor-url xor-url zero
Link:
https://www.filescan.io/uploads/68094ce1218c4a98adde5a8f/reports/13268df2-a2bf-4fd2-9947-d4bd241b4395/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d21c8a005125a27c49343e7b5b612fc51160b6ae9eefa0a0620f67fa4d0a30f6
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54a9fd6c-e1f6-4ae6-83a9-99ceb6b82660
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1672490
Signature
Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1672490 Sample: Gremlin.exe Startdate: 23/04/2025 Architecture: WINDOWS Score: 96 38 tools.l.google.com 2->38 40 tools.google.com 2->40 42 3 other IPs or domains 2->42 66 Antivirus / Scanner detection for submitted sample 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Joe Sandbox ML detected suspicious sample 2->70 8 Gremlin.exe 14 66 2->8         started        13 msedge.exe 151 763 2->13         started        signatures3 process4 dnsIp5 50 ip-api.com 208.95.112.1, 49716, 80 TUT-ASUS United States 8->50 52 api.ipify.org 104.26.12.205, 443, 49715 CLOUDFLARENETUS United States 8->52 58 2 other IPs or domains 8->58 34 C:\Users\user\AppData\...behaviorgraphremlin.exe.log, ASCII 8->34 dropped 72 Attempt to bypass Chrome Application-Bound Encryption 8->72 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->74 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->76 80 4 other signatures 8->80 15 chrome.exe 8->15         started        18 msedge.exe 16 8->18         started        54 192.168.2.4, 138, 443, 49424 unknown unknown 13->54 56 239.255.255.250 unknown Reserved 13->56 36 C:\Users\user\AppData\Local\...\Login Data, SQLite 13->36 dropped 78 Maps a DLL or memory area into another process 13->78 20 msedge.exe 13->20         started        23 msedge.exe 13->23         started        25 msedge.exe 13->25         started        27 3 other processes 13->27 file6 signatures7 process8 dnsIp9 82 Found many strings related to Crypto-Wallets (likely being stolen) 15->82 29 chrome.exe 15->29         started        32 msedge.exe 18->32         started        44 c-msn-pme.trafficmanager.net 20.125.62.241, 443, 49759, 49807 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->44 46 20.42.73.30, 443, 49793, 49815 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->46 48 25 other IPs or domains 20->48 signatures10 process11 dnsIp12 60 tools.l.google.com 29->60 62 tools.google.com 29->62 64 chrome.cloudflare-dns.com 29->64
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d21c8a005125a27c49343e7b5b612fc51160b6ae9eefa0a0620f67fa4d0a30f6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d21c8a005125a27c49343e7b5b612fc51160b6ae9eefa0a0620f67fa4d0a30f6/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-04-23 20:26:11 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ioiuacrewrhysjuhz5vwyjpyuiwbnvot3x2bidcb5t7utikgd3a._file
Verdict:
suspicious
Label(s):
404keylogger
Create hunting rule
Similar samples:
error
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access discovery spyware stealer
Link:
https://tria.ge/reports/250423-y7xzlsy1ez/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads user/profile data of web browsers
Uses browser remote debugging
Verdict:
Suspicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/a650fc5d-bb73-4e65-97ba-077405da150c
Unpacked files
SH256 hash:
d21c8a005125a27c49343e7b5b612fc51160b6ae9eefa0a0620f67fa4d0a30f6
MD5 hash:
b87df1720cef681dfafd94d2f0d8e67e
SHA1 hash:
07f8ce4b24858737bfa4c0b51f37f46066f2ca8a
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/1e0862ad-6284-4b44-bc8c-bda1c77c77e0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d21c8a005125/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d21c8a005125a27c49343e7b5b612fc51160b6ae9eefa0a0620f67fa4d0a30f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/3775/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments