MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddcfd6bd425a2ab84afef1a8443c3a9c858502d6eaa882c6f4cb830784d779b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VectorStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddcfd6bd425a2ab84afef1a8443c3a9c858502d6eaa882c6f4cb830784d779b6
SHA3-384 hash: d5f856427e294bac670a15294800afecc5a09511b24405e3528468baa9fc706533bd4a2f6b9faac342321d551a673ee0
SHA1 hash: 4b38a1ee0619f53d3d33d40a689439a82012ca91
MD5 hash: 5c6c56d0bca231aac4d440dcb6b59e62
humanhash: whiskey-diet-spring-coffee
File name:ORIGINAL_BL_INVOICE_PL_.exe
Download: download sample
Signature VectorStealer
Create hunting rule
File size:1'266'576 bytes
First seen:2023-01-30 08:14:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:HqB3aLuX4BZDZyBKqaBsBCt9BZtr8BQ8mYEAB1:KUKKZZyKqBgBZGWTAB
Threatray 5'057 similar samples on MalwareBazaar
TLSH T13645C3D132A8484EF0BE0B75D2B31DE10B717E1799ADD60E0C9674CE20F3B519926B6B
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter 0xToxin
Tags:exe signed VectorStealer

Code Signing Certificate

Organisation:Microsoft Corporation
Issuer:Microsoft Corporation
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-30T03:35:37Z
Valid to:2024-01-30T03:35:37Z
Serial number: b91c82ee6eb04bedfabddf13cd17d9d0
Thumbprint Algorithm:SHA256
Thumbprint: b1b6ce7a9810232b0e3a1a24f719258ab189ffb2a1bfc8312e9989a57ac7ca4d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORIGINAL_BL_INVOICE_PL_.exe
Verdict:
Suspicious activity
Analysis date:
2023-01-30 08:16:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b537123a-ee73-4bdc-b313-1cb2b1256e36

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358149/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
Creating a service
Loading a system driver
Changing a file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun for a service
Blocking the User Account Control
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/63d77c8b2d4f6d560e23a6cd/reports/29c548a9-44f4-49a2-b5fa-0f5e14b365b1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c33cccb5-52f6-452e-95d1-3b927d7c7a98
Result
Threat name:
Vector Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1161357
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Disables UAC (registry)
Drops PE files with benign system names
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected UAC Bypass using CMSTP
Yara detected Vector Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 794108 Sample: ORIGINAL_BL_INVOICE_PL_.exe Startdate: 30/01/2023 Architecture: WINDOWS Score: 100 79 mail.privateemail.com 2->79 81 ipinfo.io 2->81 83 discord.com 2->83 97 Snort IDS alert for network traffic 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 Multi AV Scanner detection for submitted file 2->101 103 11 other signatures 2->103 10 ORIGINAL_BL_INVOICE_PL_.exe 1 7 2->10         started        15 svchost.exe 2->15         started        17 svchost.exe 3 2->17         started        19 11 other processes 2->19 signatures3 process4 dnsIp5 85 185.17.0.79, 49700, 49702, 49703 SUPERSERVERSDATACENTERRU Russian Federation 10->85 65 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 10->65 dropped 67 C:\Users\...\ORIGINAL_BL_INVOICE_PL_.exe.log, CSV 10->67 dropped 121 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->121 123 Drops PE files with benign system names 10->123 21 cmd.exe 1 10->21         started        23 cmd.exe 1 10->23         started        69 C:\Windows\Temp\gx4sujhw.inf, Windows 15->69 dropped 125 Writes to foreign memory regions 15->125 127 Adds a directory exclusion to Windows Defender 15->127 129 Injects a PE file into a foreign processes 15->129 26 jsc.exe 15->26         started        29 powershell.exe 15->29         started        31 cmstp.exe 15->31         started        131 Multi AV Scanner detection for dropped file 17->131 71 C:\Windows\Temp\ccliy2rq.inf, Windows 19->71 dropped 133 System process connects to network (likely due to code injection or exploit) 19->133 135 Query firmware table information (likely to detect VMs) 19->135 137 Changes security center settings (notifications, updates, antivirus, firewall) 19->137 33 consent.exe 19->33         started        file6 signatures7 process8 dnsIp9 35 svchost.exe 5 5 21->35         started        39 conhost.exe 21->39         started        41 timeout.exe 1 21->41         started        113 Uses schtasks.exe or at.exe to add and modify task schedules 23->113 43 conhost.exe 23->43         started        45 schtasks.exe 1 23->45         started        87 162.159.135.232 CLOUDFLARENETUS United States 26->87 89 mail.privateemail.com 26->89 91 2 other IPs or domains 26->91 115 May check the online IP address of the machine 26->115 117 Tries to steal Mail credentials (via file / registry access) 26->117 119 Tries to harvest and steal browser information (history, passwords, etc) 26->119 47 conhost.exe 29->47         started        signatures10 process11 file12 61 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 35->61 dropped 63 C:\Users\user\AppData\...\svchost.exe.log, CSV 35->63 dropped 105 Writes to foreign memory regions 35->105 107 Adds a directory exclusion to Windows Defender 35->107 109 Disables UAC (registry) 35->109 111 2 other signatures 35->111 49 AddInProcess32.exe 35->49         started        53 powershell.exe 35->53         started        55 WsatConfig.exe 35->55         started        57 13 other processes 35->57 signatures13 process14 dnsIp15 73 mail.privateemail.com 198.54.122.135 NAMECHEAP-NETUS United States 49->73 75 ipinfo.io 34.117.59.81 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 49->75 77 discord.com 162.159.138.232 CLOUDFLARENETUS United States 49->77 93 May check the online IP address of the machine 49->93 95 Tries to steal Mail credentials (via file / registry access) 49->95 59 conhost.exe 53->59         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddcfd6bd425a2ab84afef1a8443c3a9c858502d6eaa882c6f4cb830784d779b6/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3xh5npkclivlqsx66gueipb2tscykaww5kuifrxuzobqpbgxpg3a._file
Verdict:
malicious
Similar samples:
59494a51618f234021c0dae2d87667ce9e431b8a75a1b4952d3e48bf71492fbb
VectorStealer
90ac709312ca3f366e138a84bb93d453544fc227d525fbef47b4d7a90ac6f820
VectorStealer
911c9969dfd1e3f89fc0078e539f8fd12f751a84efef74f506a301cba2b9010b
VectorStealer
9a2232a4a9ceef2c3fcfee0acca71d5717395aff8abd1b6b26aa3a5c266b3fae
VectorStealer
a39bbe78bdd2ac28efecb3cc910ee11cb33fbb2c9c08859820b1ff6d998db54c
VectorStealer
a7555fbbb59c9e063dfa6b392af01c02f1d23679e53882fc1cb6d3a432330c50
VectorStealer
c6135818ddc5d31afa68f42f21e1da3e19f879096298ccb84f68803847235004
VectorStealer
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
VectorStealer
fb8fdb08cf7984a3bac0cc7daeea3790a92306467543cf556945fc479a165dd8
VectorStealer
+ 5'047 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection evasion persistence trojan
Link:
https://tria.ge/reports/230130-j5kh6sbc71/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Sets service image path in registry
Looks for VirtualBox Guest Additions in registry
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
ddcfd6bd425a2ab84afef1a8443c3a9c858502d6eaa882c6f4cb830784d779b6
MD5 hash:
5c6c56d0bca231aac4d440dcb6b59e62
SHA1 hash:
4b38a1ee0619f53d3d33d40a689439a82012ca91
Link:
https://www.unpac.me/results/95512944-4530-4800-8a8b-0c4ff806dbe5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ddcfd6bd425a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ddcfd6bd425a2ab84afef1a8443c3a9c858502d6eaa882c6f4cb830784d779b6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/358149/

Comments