MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b
SHA3-384 hash: 0cbeda446dbb57af00d63b26049939f8f06d22e7633283111222c9b6c62df22bff1a0f3bf2f0f7e001f4b5a059cff50b
SHA1 hash: 3e9bbe57db9632851827fab43740e8eb7c73cfde
MD5 hash: f14643e6c08444aefb46ebeaa0a1785d
humanhash: oregon-steak-virginia-massachusetts
File name:sample.exe
Download: download sample
File size:431'104 bytes
First seen:2025-02-03 19:14:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:2rAYsNTK5GrA7tclXaCe9N9IcOH3YsN64BHkyblSYlQj0tzta8OHtCmzUNdjTtSi:ENabU4Fl48OHtCQJ
Threatray 13 similar samples on MalwareBazaar
TLSH T1CE9439E917840952C2BF0F37E0F133594774EA03978BE36B25845DBD0D217AAABE3691
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Anonymous
Tags:exe stealer


Avatar
Anonymous
Distributed by ClearFake EtherHiding campaign

Intelligence

File Origin
# of uploads :
1
# of downloads :
646
Origin country :
NO NO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lumma_sample.exe
Verdict:
Malicious activity
Analysis date:
2025-02-03 18:58:28 UTC
Tags:
stealer purecrypter netreactor arch-exec antivm hijackloader loader golang
Link:
https://app.any.run/tasks/7693e967-23f5-44ca-9f6e-3637424813d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a1166e51193558eb194761
Tags:
smartassembly packed virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/67a115844187f8863b20344e/reports/f22c79ac-cfde-4d75-b152-7326285c4531/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/27750c22-453c-4bc8-adda-69f925023110
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1605860
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1605860 Sample: sample.exe Startdate: 03/02/2025 Architecture: WINDOWS Score: 100 29 connect-cdn-api.tastinessrebaterunny.shop 2->29 31 www.mediafire.com 2->31 33 2 other IPs or domains 2->33 47 Suricata IDS alerts for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 9 other signatures 2->53 9 sample.exe 15 2 2->9         started        signatures3 process4 dnsIp5 37 download2442.mediafire.com 199.91.155.183, 443, 49710 MEDIAFIREUS United States 9->37 39 www.mediafire.com 104.17.151.117, 443, 49709 CLOUDFLARENETUS United States 9->39 55 Attempt to bypass Chrome Application-Bound Encryption 9->55 57 Found many strings related to Crypto-Wallets (likely being stolen) 9->57 59 Contain functionality to detect virtual machines 9->59 61 2 other signatures 9->61 13 sample.exe 13 9->13         started        signatures6 process7 dnsIp8 41 connect-cdn-api.tastinessrebaterunny.shop 188.114.97.3, 443, 49753, 49761 CLOUDFLARENETUS European Union 13->41 43 telegra.ph 149.154.164.13, 443, 49744 TELEGRAMRU United Kingdom 13->43 45 127.0.0.1 unknown unknown 13->45 63 Found many strings related to Crypto-Wallets (likely being stolen) 13->63 65 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->65 17 chrome.exe 13->17         started        20 WerFault.exe 4 13->20         started        22 WerFault.exe 4 13->22         started        signatures9 process10 dnsIp11 27 239.255.255.250 unknown Reserved 17->27 24 chrome.exe 17->24         started        process12 dnsIp13 35 www.google.com 142.250.181.228, 443, 49801 GOOGLEUS United States 24->35
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b/
Threat name:
ByteCode-MSIL.Trojan.CryptBot
Create hunting rule
Status:
Malicious
First seen:
2025-02-03 19:14:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xumontshmjtdzi2w7244pjzumjmfwbhjqjyydbgygryemcbxkfq._file
Verdict:
malicious
Label(s):
idatloader
Create hunting rule
Similar samples:
2d8e86b6f8aa26d52f7aa5b4e269b43b4357b3414b46158dd8f5e9c084d6ceb8
34a4212ab10d2edc6a8894cc368807279fc7c200aec606c18eb6a0bf21350cb5
64addaaf98a7661110412b386b41251e01b5baabb8b693c25e5d8e8a8adcdf88
691bd2b76ebd32787a26a353c915e1438bb317d1c90bda5eeae0c9057cf33f44
69379eb25e5632a3e1b4361985a6e894e0c73e297201d2f4d2519c1491a3970b
d3b9f248d2fd95d778c2680cbf9f113d700341cf450334c174403a7fbd48f015
d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b
e63d9d50fca4b99b2a08f745b23e0dec021bc46b3dcd33ec081dcdea3f7365a9
error
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
credential_access defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250203-xxql4ssjdk/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1e674e97-b6e9-461c-bdae-39de5edb1003
Unpacked files
SH256 hash:
d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b
MD5 hash:
f14643e6c08444aefb46ebeaa0a1785d
SHA1 hash:
3e9bbe57db9632851827fab43740e8eb7c73cfde
Link:
https://www.unpac.me/results/1fda213f-8fc4-4647-baae-fb4c7b2a2884/
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5e8c736723b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/b748f8ae-9daf-44ca-a168-d193303cea95
  
Dropped by
clearfake
  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments