MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d52551d087bebeee95a642d2b03f34dbbc03b34aa58f0121d8aec8885ddac4af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Expiro


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d52551d087bebeee95a642d2b03f34dbbc03b34aa58f0121d8aec8885ddac4af
SHA3-384 hash: 3813203ae45bf270f8ba966ff1583f886be877957779c8b798dd9289f98694000d16291833455f9d8b12f14dc5dc6a7d
SHA1 hash: f1bd4e535216ede0fc98828b7732658406bac6f8
MD5 hash: 2af219d1a2f889446bb58b3a36707e47
humanhash: blue-seventeen-four-ten
File name:SecuriteInfo.com.Win32.PWSX-gen.14796.18117
Download: download sample
Signature Expiro
Create hunting rule
File size:1'560'064 bytes
First seen:2023-05-15 05:27:54 UTC
Last seen:2023-05-16 14:32:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:PZolyb9fJpnAEb/NQCpy8d3GIH/ZWenLdOa7jtOMHnet6q8JplGkwq:B9ZRpxWD8d2IBWen4a7jdHW+pokwq
Threatray 31 similar samples on MalwareBazaar
TLSH T1F9751224B1FE48B7C76C43F6455426440BB850ABBD27C6FC4C9F70C9EAD6B011A92EA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0c6c4c5ac4c9c0a4 (6 x Loki, 6 x AgentTesla, 5 x Formbook)
Reporter SecuriteInfoCom
Tags:exe Expiro

Intelligence

File Origin
# of uploads :
2
# of downloads :
358
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.14796.18117
Verdict:
Malicious activity
Analysis date:
2023-05-15 05:30:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/32c4f955-2b38-4b03-aeae-ec4a2f37218b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/389924/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.14796.18117.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% directory
Modifying an executable file
Launching a service
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Modifying a system executable file
Launching a process
Loading a system driver
Enabling autorun for a service
Query of malicious DNS domain
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6461c71ce18b58ecd89b6f4a/reports/8cbb8d57-d220-4607-a6e6-7ad6fcfefa25/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d52551d087bebeee95a642d2b03f34dbbc03b34aa58f0121d8aec8885ddac4af
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4a54cd9f-fff4-4518-8d9c-cce201ff0807
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1233373
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found malware configuration
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to download HTTP data from a sinkholed server
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 866353 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 15/05/2023 Architecture: WINDOWS Score: 100 46 Tries to download HTTP data from a sinkholed server 2->46 48 Snort IDS alert for network traffic 2->48 50 Found malware configuration 2->50 52 8 other signatures 2->52 6 SecuriteInfo.com.Win32.PWSX-gen.14796.18117.exe 3 2->6         started        10 FXSSVC.exe 14 5 2->10         started        12 perfhost.exe 2->12         started        14 16 other processes 2->14 process3 dnsIp4 32 SecuriteInfo.com.W...14796.18117.exe.log, ASCII 6->32 dropped 60 Writes or reads registry keys via WMI 6->60 62 Injects a PE file into a foreign processes 6->62 17 SecuriteInfo.com.Win32.PWSX-gen.14796.18117.exe 4 6->17         started        22 SecuriteInfo.com.Win32.PWSX-gen.14796.18117.exe 6->22         started        64 Antivirus detection for dropped file 10->64 66 Machine Learning detection for dropped file 10->66 40 saytjshyf.biz 173.231.184.124, 49731, 80 VOXEL-DOT-NETUS United States 14->40 42 xlfhhhm.biz 173.231.189.15, 49729, 49734, 80 VOXEL-DOT-NETUS United States 14->42 44 20 other IPs or domains 14->44 68 Creates files inside the volume driver (system volume information) 14->68 file5 signatures6 process7 dnsIp8 34 pywolwnvd.biz 173.231.184.122, 49691, 49692, 80 VOXEL-DOT-NETUS United States 17->34 36 xlfhhhm.biz 17->36 38 14 other IPs or domains 17->38 24 C:\Windows\System32\xbgmsvc.exe, PE32+ 17->24 dropped 26 C:\Windows\System32\wbengine.exe, PE32+ 17->26 dropped 28 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 17->28 dropped 30 38 other malicious files 17->30 dropped 54 Tries to harvest and steal browser information (history, passwords, etc) 17->54 56 Drops executable to a common third party application directory 17->56 58 Infects executable files (exe, dll, sys, html) 17->58 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d52551d087bebeee95a642d2b03f34dbbc03b34aa58f0121d8aec8885ddac4af/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-15 02:39:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2usvduehx27o5fngiljlapzu3o6ahm2kuwhqcioyv3eiqxo2ysxq._file
Verdict:
malicious
Similar samples:
09b33b95097f1fb29949b64664379e838731085c8630f1af9ea1a6f823c5241e
Expiro
155d065b82fb78cf855daecece7b9c5c83cc69a5372beec9bfa22a12c92d8fe1
Expiro
1d4eb9077c97b5ad001206eff72789b01386a2c253d34875fa1c1acb716e2e56
Expiro
59171f457fb4915d408fa293f0ca3cdfeb613a20d6fadc50ae88b1cf58f0b004
Expiro
847e04095e646bc56458e498de0e8741d873b777567a0372b59d27d4f1d3b625
Expiro
8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
Expiro
b79720c1133b12a4ed824d20602fb14b0b736a1c0e60fe23c1b96d57ee031ba0
Expiro
c495bd45af034ec70254209b2bd4d122110382921601efa2c1a9c9dcc83d8343
Expiro
e65641bdd1d31a37d1caa1cbf41d05fa9e7b0caf3c5b531ba66d32c0a3a94406
Expiro
fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b
Expiro
+ 21 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud spyware stealer
Link:
https://tria.ge/reports/230515-f5z23shb7w/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Reads user/profile data of web browsers
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Unpacked files
SH256 hash:
bd0e8911259f63ea93a1a1f0d144fbd188c8adbdab8a8002f95167df55ea1290
MD5 hash:
97356cc1f7a4e5f0a64f1f2cc8e44429
SHA1 hash:
51b642896c552d5c3f9306ea021ae44faa78cba7
Link:
https://www.unpac.me/results/1ffef2dd-e63a-400a-a375-52daf40cb94d/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/1ffef2dd-e63a-400a-a375-52daf40cb94d/
SH256 hash:
408be30b143d9577cb7fb2284ff49a1e015cd6bb4d0985114efc3af4ea81ba90
MD5 hash:
8ea7167749d69a6f7d49dabf397c7dd9
SHA1 hash:
b0a7f921a769b65864c42791e8301e3798142043
Link:
https://www.unpac.me/results/1ffef2dd-e63a-400a-a375-52daf40cb94d/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/1ffef2dd-e63a-400a-a375-52daf40cb94d/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
e1fe043caa74c793a3a4484be5936273b4696d4722add0c64208cfe0b9efcd1e
MD5 hash:
fe16d8ab7de378b34809fc4b348c49a1
SHA1 hash:
3d4e417ec7b61bfc83c8d5274ae5b116d9263133
Link:
https://www.unpac.me/results/1ffef2dd-e63a-400a-a375-52daf40cb94d/
SH256 hash:
51e9b813382cd853599dab2833b2f70a358b5f2a72e91a8b5395ad6c45b63135
MD5 hash:
e7fb72dcd0dd9b9aa2421168f6278f91
SHA1 hash:
30c95a8ea72ecfbd6be438659474074e6934912c
Link:
https://www.unpac.me/results/1ffef2dd-e63a-400a-a375-52daf40cb94d/
SH256 hash:
6722a58c81f6d11004e880bd8481acc423bf96afd46bf692f1562cfa4c5852bd
MD5 hash:
d92d2ba953be4be2d6f2bc859ec5c607
SHA1 hash:
05da51752277bd907ebcfb799524ec7655abbc3a
Link:
https://www.unpac.me/results/1ffef2dd-e63a-400a-a375-52daf40cb94d/
SH256 hash:
d52551d087bebeee95a642d2b03f34dbbc03b34aa58f0121d8aec8885ddac4af
MD5 hash:
2af219d1a2f889446bb58b3a36707e47
SHA1 hash:
f1bd4e535216ede0fc98828b7732658406bac6f8
Link:
https://www.unpac.me/results/1ffef2dd-e63a-400a-a375-52daf40cb94d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Expiro
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d52551d087bebeee95a642d2b03f34dbbc03b34aa58f0121d8aec8885ddac4af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/389924/

Comments