MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db05c047c58c62dff4141f833cd207ca50a07bf6420020f944e5d7c175b20b20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db05c047c58c62dff4141f833cd207ca50a07bf6420020f944e5d7c175b20b20
SHA3-384 hash: 1a2a88c71d58681066fe380d57ebee1f46834d0762c9ee9d651e68861d1a6dbbc8e7a4a7b07901679494c56e8b68f090
SHA1 hash: 9b6129043beadd6a7163262f3aa5dc0942705414
MD5 hash: 7c534851fccfb84d2614aee8675a5751
humanhash: pasta-hotel-undress-hawaii
File name:main.exe
Download: download sample
File size:86'896'034 bytes
First seen:2025-01-29 08:55:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a6cec5b1a631d592d80900ab7e1de8df (3 x IRCbot, 3 x CobaltStrike, 3 x RedLineStealer)
ssdeep 1572864:QbN5FHhn+sim6neWkdGLqfFt/n+rdzBOQflJsb/m+e0I0yZH4a9d4:WDl1dim6C0qfT+dzg1b/Xx584
TLSH T1A31833F496C02EE4E09EA73D57426F1A90847596CFCEE44BDA200F2F1E575C1B5B8B0A
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter smica83
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
581
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6799ef3c39cd5095f12b1f5a
Tags:
shellcode extens virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Running batch commands
Creating a process with a hidden window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
compiled-script expand fingerprint lolbin microsoft_visual_cc overlay packed packer_detected pyinstaller pyinstaller warp
Link:
https://www.filescan.io/uploads/6799eced10cf6ef7c3834a87/reports/e2238c17-692c-42c9-b312-243ebefe1bfc/overview
Verdict:
Malicious
Labled as:
Trojan.Shelm
Link:
https://www.hybrid-analysis.com/sample/db05c047c58c62dff4141f833cd207ca50a07bf6420020f944e5d7c175b20b20
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1602057
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Queries Google from non browser process on port 80
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1602057 Sample: main.exe Startdate: 29/01/2025 Architecture: WINDOWS Score: 96 93 api.telegram.org 2->93 95 www.google.com 2->95 97 2 other IPs or domains 2->97 113 Antivirus / Scanner detection for submitted sample 2->113 115 Sigma detected: System File Execution Location Anomaly 2->115 117 Sigma detected: Windows Binaries Write Suspicious Extensions 2->117 119 Sigma detected: Files With System Process Name In Unsuspected Locations 2->119 12 main.exe 15 2->12         started        15 smss.exe 2->15         started        17 smss.exe 2->17         started        signatures3 121 Uses the Telegram API (likely for C&C communication) 93->121 process4 file5 77 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 12->77 dropped 79 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 12->79 dropped 81 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 12->81 dropped 89 10 other files (9 malicious) 12->89 dropped 19 main.exe 12->19         started        83 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 15->83 dropped 85 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 15->85 dropped 87 C:\Users\user\AppData\Local\...\win32pdh.pyd, PE32+ 15->87 dropped 91 96 other files (90 malicious) 15->91 dropped 21 smss.exe 15->21         started        23 smss.exe 17->23         started        process6 process7 25 install.exe 6 19->25         started        29 cmd.exe 21->29         started        31 cmd.exe 23->31         started        file8 73 C:\ProgramData\Microsoft\smss.exe, PE32+ 25->73 dropped 75 C:\ProgramData\Microsoft\compiler.exe, PE32+ 25->75 dropped 123 Drops PE files with benign system names 25->123 33 smss.exe 1001 25->33         started        37 compiler.exe 67 25->37         started        39 conhost.exe 29->39         started        41 conhost.exe 31->41         started        signatures9 process10 file11 57 C:\Users\user\AppData\...\win32event.pyd, PE32+ 33->57 dropped 59 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 33->59 dropped 61 C:\Users\user\AppData\Local\...\shell.pyd, PE32+ 33->61 dropped 69 99 other files (95 malicious) 33->69 dropped 107 Multi AV Scanner detection for dropped file 33->107 43 smss.exe 33->43         started        63 C:\Users\...\backend_c.cp310-win_amd64.pyd, PE32+ 37->63 dropped 65 C:\Users\user\...\_cffi.cp310-win_amd64.pyd, PE32+ 37->65 dropped 67 C:\Users\user\AppData\...\win32event.pyd, PE32+ 37->67 dropped 71 36 other files (33 malicious) 37->71 dropped 109 Contains functionality to infect the boot sector 37->109 111 Queries Google from non browser process on port 80 37->111 47 compiler.exe 37->47         started        signatures12 process13 dnsIp14 99 api.telegram.org 149.154.167.220, 443, 49909, 49989 TELEGRAMRU United Kingdom 43->99 125 Found many strings related to Crypto-Wallets (likely being stolen) 43->125 49 cmd.exe 43->49         started        101 www.google.com 172.217.16.132, 49823, 80 GOOGLEUS United States 47->101 103 github.com 140.82.121.4, 443, 49832 GITHUBUS United States 47->103 105 raw.githubusercontent.com 185.199.108.133, 443, 49826 FASTLYUS Netherlands 47->105 127 Modifies the context of a thread in another process (thread injection) 47->127 129 Hides threads from debuggers 47->129 51 cmd.exe 1 47->51         started        signatures15 process16 process17 53 conhost.exe 49->53         started        55 conhost.exe 51->55         started       
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/db05c047c58c62dff4141f833cd207ca50a07bf6420020f944e5d7c175b20b20
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3mc4ar6frrrn75aud6btzuqhzjika67wiiacb6ke4xl4c5nsbmqa._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
credential_access defense_evasion discovery execution persistence pyinstaller spyware stealer
Link:
https://tria.ge/reports/250129-kvg6qstkbz/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Contacts a large (1124) amount of remote hosts
Stops running service(s)
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6082013a-9861-4ef7-aa91-886b8f2138c4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db05c047c58c62dff4141f833cd207ca50a07bf6420020f944e5d7c175b20b20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments