MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd2a5dcb0106f4c6e7b91ececccef95ff651daa95d78210d41287fe1de0cb639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: dd2a5dcb0106f4c6e7b91ececccef95ff651daa95d78210d41287fe1de0cb639
SHA3-384 hash: 1357e09ab9a33785ef75d5ad856cd707bea56471762aa8abf9162de0e72ac82398000ec43053af637fc28c413d80d5b0
SHA1 hash: b0f814326fa736e8ad47d92a5a5d8d42eec2e037
MD5 hash: bc134ee57553cda5893b69950d8616f4
humanhash: glucose-colorado-texas-oxygen
File name: bc134ee57553cda5893b69950d8616f4.exe
File size: 1'810'390 bytes
First seen: 2021-07-24 07:25:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep: 49152:NunK8G2JQVT46bJQ+bfDTsrA0hleklFNARfYblgmZ:NKK8pu1hJQ+bfDTRRcFNpl5
Threatray: 1'153 similar samples on MalwareBazaar
TLSH: T1B3852221B9D48072C276797469F9A7704D387C221B648ECFA7D48E2D9E300C1EB76B97
dhash icon: 0c34cc0f16178e4c
Reporter: abuse_ch
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 117
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: bc134ee57553cda5893b69950d8616f4.exe
Verdict: Malicious activity
Analysis date: 2021-07-24 07:27:29 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Cookie Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Creates files with lurking names (e.g. Crack.exe)
Creates processes via WMI
Detected VMProtect packer
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample is protected by VMProtect
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Behaviour
Behavior Graph ID 453595 (sample 4gFFDTucdO.exe, start date 24/07/2021, architecture WINDOWS, score 100):
Start node: DNS/IP google.vrthcobj.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, 8 other signatures
  4gFFDTucdO.exe (started)
    dropped: C:\Users\user\AppData\Local\...\note866.exe (PE32); C:\Users\user\AppData\...\loryWSetp.exe (PE32); C:\Users\user\AppData\Local\...\Crack.exe (PE32)
    signature: Creates files with lurking names (e.g. Crack.exe)
    note866.exe (started)
      network: 128.1.32.84, 49712, 80 (HINETDataCommunicationBusinessGroupTW, United States); iplogger.org 88.99.66.31, 443, 49713 (HETZNER-ASDE, Germany); 192.168.2.1 (unknown)
      dropped: C:\Users\user\Documents\...\note866.exe (PE32)
      signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Drops PE files to the document folder of the user, 3 other signatures
    Crack.exe (started)
      signature: Creates processes via WMI
      Crack.exe (started)
        dropped: C:\Users\user\AppData\Local\Temp\axhub.dll (PE32); C:\...\api-ms-win-core-string-l1-1-0.dll (PE32); C:\...\api-ms-win-core-namedpipe-l1-1-0.dll (PE32)
        conhost.exe (started)
      conhost.exe (started)
Threat name: Win32.Infostealer.Passteal
Status: Malicious
First seen: 2021-07-20 11:10:38 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion spyware stealer trojan vmprotect
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
VMProtect packed file
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 7d157e1c2618c7c777736b10bd4ee9e5fb034eee5d30616a4f138c3b6da72be0
MD5 hash: 6c57fcb0aa7498793c1feb1b98a782f6
SHA1 hash: 93df2e613ac9927b5ae0b6a9c8c86100ed5d4d90

SHA256 hash: f33f3738c99d581d5327c00e708328a97658a05a1497008b2e8d29f40cab9618
MD5 hash: c06b6519b7e3454a8ddf15553bfeaea1
SHA1 hash: 29cb43f72864df21dd49d54b7c4acdbf72c63e8e

SHA256 hash: da89cefa3bfac46244421af7aead9729b6d261a38f0fd20b1a996e970c082fcc
MD5 hash: 5944ac77093180cd564ecd5b593bccf5
SHA1 hash: 0e812a390b60f8a6076b1ce48bc002168388b01a

SHA256 hash: 8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash: 559948db5816ae7ab26eb2eb533887ed
SHA1 hash: e60442c6fb35239d298b01b0f4558264c01b2e7f

SHA256 hash: 8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash: 1c7be730bdc4833afb7117d48c3fd513
SHA1 hash: dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256 hash: 4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash: ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash: 249ff902f66c3d0cee6656802b14a9c34807bc8f

SHA256 hash: a5e3528d9b35785b7e2547237f3441154a54c9390575ed450dd01211bd8b5e57
MD5 hash: 98569eecc0070bfa4633fd6a04ba6e2c
SHA1 hash: 00fb8cb0737fc6b063465dd65d2727bca01a3101

SHA256 hash: af4c4de1bd10d3677ce5d0d12fdfacc3313c900c70cf1b54d70bcc3c466425e6
MD5 hash: c882a471bffa999851d08a4325acc738
SHA1 hash: 1567e08a8c95f3cf87b733ae78d94fa6bd368412

SHA256 hash: dd2a5dcb0106f4c6e7b91ececccef95ff651daa95d78210d41287fe1de0cb639
MD5 hash: bc134ee57553cda5893b69950d8616f4
SHA1 hash: b0f814326fa736e8ad47d92a5a5d8d42eec2e037
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments