MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d576e059f376adc56b3ad3e62b5a808c26b6f70dfc50e10e4cd3b6eacfc5a2ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d576e059f376adc56b3ad3e62b5a808c26b6f70dfc50e10e4cd3b6eacfc5a2ea
SHA3-384 hash: 64956ee72fdd1426950e2b97fbfa257a8d53d8db226562b6220e1158fb8c6aba380cb62ec729c9de8d41da24a56385c9
SHA1 hash: ec9f4fb39f8339f82a576febfb2ffe81ae9af9e0
MD5 hash: c267fbf8cc1fc5a1ce25de072e2b0bc0
humanhash: winter-bluebird-cold-maine
File name:c267fbf8cc1fc5a1ce25de072e2b0bc0
Download: download sample
File size:14'376'960 bytes
First seen:2022-09-06 11:47:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e6efb84c997b145566619aa9dc9a7eef (6 x Hive, 1 x AsyncRAT, 1 x RedLineStealer)
ssdeep 49152:oz0sGwiZTrrb/T/vO90d7HjmAFd4A64nsfJ9445itmh2WEV1Mgqb9JF0TmnXgAWJ:LGBQ2t4wWObN3meR1j60szEissfm3cP
Threatray 38 similar samples on MalwareBazaar
TLSH T170E64A47F89551E5C5AED130CA229156BA303C885F2023E73A20FAB92F76BD46FBD354
gimphash 59997857ac367777ae7721fa558eb68044197fd0d12171a260438d6a89964c0b
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c267fbf8cc1fc5a1ce25de072e2b0bc0
Verdict:
No threats detected
Analysis date:
2022-09-06 11:48:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/55002e2c-081e-4c1a-918c-867e168d3867

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.17692.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Reading critical registry keys
Changing a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/631733b818c697f6f22aa827/reports/8017df7e-fd9a-42f1-9209-8836e4231fc5/overview
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e7f8482d-4d1c-46d4-b6fa-2c1d94f9f93a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1065611
Signature
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 698137 Sample: O12VLaRfEf.exe Startdate: 06/09/2022 Architecture: WINDOWS Score: 56 49 Multi AV Scanner detection for submitted file 2->49 9 O12VLaRfEf.exe 93 2->9         started        process3 dnsIp4 41 163.181.56.173 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States 9->41 43 163.181.92.229 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States 9->43 45 5 other IPs or domains 9->45 31 C:\Users\user\...\notification_helper.exe, PE32+ 9->31 dropped 33 C:\Users\user\AppData\...\mojo_core.dll, PE32+ 9->33 dropped 35 C:\Users\user\AppData\Roaming\...\libEGL.dll, PE32+ 9->35 dropped 37 9 other files (none is malicious) 9->37 dropped 51 Tries to harvest and steal browser information (history, passwords, etc) 9->51 53 Potentially malicious time measurement code found 9->53 14 leakless.exe 9->14         started        file5 signatures6 process7 dnsIp8 47 127.0.0.1 unknown unknown 14->47 55 Potentially malicious time measurement code found 14->55 18 chrome.exe 36 14->18         started        21 taskkill.exe 1 14->21         started        signatures9 process10 dnsIp11 39 192.168.2.1 unknown unknown 18->39 23 chrome.exe 3 18->23         started        25 chrome.exe 18->25         started        27 conhost.exe 21->27         started        process12 process13 29 chrome.exe 3 23->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d576e059f376adc56b3ad3e62b5a808c26b6f70dfc50e10e4cd3b6eacfc5a2ea/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-06 03:30:45 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
9 of 40 (22.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2v3oawpto2w4k2z22ptcwwuarqtln5yn7riocdsm2o3ovt6fulva._file
Verdict:
unknown
Similar samples:
0b251371b4891fe08157e6b9c84e0267a8c6d33cad2b2a06702c8f2f62381bda
1d954347b4549a195aebc8a176ea7f1140c902bd3f8fddaba2099d8a6f86a216
1e061432a06c9e4935cd837118e5d68d79ec6c6bbdddcc40d8682e50db7344fa
2dde8c2841248eedeec0a51cde97d147760c02e2d60d6f4d4f48758c0f3b6ea7
41b141e122bd86a5c4279094916564759cc342ae3b95fffd80af4b9676aa61b7
4cbe62ea4c09d6e5ff8141917c8caa78029e64b27475332b8dd372f0a989d981
53d1708d666d49dcdd2834d91de3f2bfb61f7263a5e3213635d6e893d28e5bca
973549247e54570bae7013e0346274e5afefef1d7bf2dae489c7c32e210df67c
f44e2bfd257642476ebf429b346286b34178bb0de9118e24c3503b4235b2af50
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/220906-nyfnvsheer/
Behaviour
GoLang User-Agent
Kills process with taskkill
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
d576e059f376adc56b3ad3e62b5a808c26b6f70dfc50e10e4cd3b6eacfc5a2ea
MD5 hash:
c267fbf8cc1fc5a1ce25de072e2b0bc0
SHA1 hash:
ec9f4fb39f8339f82a576febfb2ffe81ae9af9e0
Link:
https://www.unpac.me/results/f3b1cd01-713f-490f-87ae-f9b6f92bf6ec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d576e059f376/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d576e059f376adc56b3ad3e62b5a808c26b6f70dfc50e10e4cd3b6eacfc5a2ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d576e059f376adc56b3ad3e62b5a808c26b6f70dfc50e10e4cd3b6eacfc5a2ea

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2295127/

Comments


Avatar
zbet commented on 2022-09-06 11:48:15 UTC

url : hxxp://85.209.88.29/nbmn.exe