MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deb073e0199c835d2fa53d56efd3ad4a035f89f2bd3a7778831d9b50895ff24f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: deb073e0199c835d2fa53d56efd3ad4a035f89f2bd3a7778831d9b50895ff24f
SHA3-384 hash: 0f29c45bcc900b5f02933ebb622eeca8d21a0af1bb92380961004671ff0298f86ede8762bbcdf2d6153a87d5ba5a4908
SHA1 hash: 8e391bf885ffe49a4fa6f815ac5e6fb7c676ffd8
MD5 hash: 13aa8571246558ec560e4fc30aaba26e
humanhash: oranges-edward-pip-emma
File name:13aa8571246558ec560e4fc30aaba26e
Download: download sample
File size:7'475'392 bytes
First seen:2024-10-18 07:36:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1af6c885af093afc55142c2f1761dbe8 (49 x PythonStealer, 40 x BlankGrabber, 14 x LunaLogger)
ssdeep 196608:SVPcHZoFdQmRJ8dA6lmCy1ArqkVpKCX+PrF4ZIeghe3Hqb7:8PcHZedQuslmrAZYCuPJOIegyE
TLSH T17B76335423905CEDF86E4236C8A61A0FE6E0F451A760C2FF136C966A0F97BE06C3B754
TrID 60.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
17.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.9% (.EXE) Win64 Executable (generic) (10522/11/4)
5.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter zbetcheckin
Tags:64 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
13aa8571246558ec560e4fc30aaba26e
Verdict:
Malicious activity
Analysis date:
2024-10-18 08:06:55 UTC
Tags:
discord evasion pyinstaller ims-api generic crypto-regex
Link:
https://app.any.run/tasks/c85c6197-b6a6-4cce-86da-3113522dbac0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Keylogger.Python-9978779-0
Create hunting rule

SecuriteInfo.com.FileRepMalware.20232.10778.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67121024e706a56b5a02accb
Tags:
Powershell Vmdetect
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay packed packed pyinstaller pyinstaller
Link:
https://www.filescan.io/uploads/671210243a92cf04fca07b1b/reports/bbc0c377-e11f-4e58-ad06-de80d3556a30/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/deb073e0199c835d2fa53d56efd3ad4a035f89f2bd3a7778831d9b50895ff24f
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a462e85c-6127-4e84-8b15-239f0031c912
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1536845
Signature
AI detected suspicious sample
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1536845 Sample: Y41oVdYohe.exe Startdate: 18/10/2024 Architecture: WINDOWS Score: 68 100 discord.com 2->100 102 api.ipify.org 2->102 108 Multi AV Scanner detection for submitted file 2->108 110 Machine Learning detection for sample 2->110 112 AI detected suspicious sample 2->112 12 Y41oVdYohe.exe 26 2->12         started        16 Y41oVdYohe.exe 26 2->16         started        18 Y41oVdYohe.exe 26 2->18         started        signatures3 process4 file5 82 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 12->82 dropped 84 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 12->84 dropped 86 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 12->86 dropped 94 16 other files (none is malicious) 12->94 dropped 118 Potentially malicious time measurement code found 12->118 20 Y41oVdYohe.exe 2 12->20         started        96 19 other files (none is malicious) 16->96 dropped 24 Y41oVdYohe.exe 16->24         started        88 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 18->88 dropped 90 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 18->90 dropped 92 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 18->92 dropped 98 16 other files (none is malicious) 18->98 dropped 26 Y41oVdYohe.exe 18->26         started        signatures6 process7 dnsIp8 104 discord.com 162.159.135.232, 443, 49716, 49720 CLOUDFLARENETUS United States 20->104 106 api.ipify.org 172.67.74.152, 443, 49715, 49719 CLOUDFLARENETUS United States 20->106 72 C:\Users\user\AppData\...\Y41oVdYohe.exe, PE32+ 20->72 dropped 28 cmd.exe 1 20->28         started        30 cmd.exe 1 20->30         started        32 cmd.exe 20->32         started        34 cmd.exe 24->34         started        36 cmd.exe 24->36         started        38 cmd.exe 1 26->38         started        40 cmd.exe 1 26->40         started        file9 process10 process11 42 Y41oVdYohe.exe 26 28->42         started        46 taskkill.exe 1 28->46         started        48 conhost.exe 28->48         started        50 conhost.exe 30->50         started        52 conhost.exe 32->52         started        54 conhost.exe 34->54         started        56 conhost.exe 36->56         started        58 conhost.exe 38->58         started        60 conhost.exe 40->60         started        file12 74 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 42->74 dropped 76 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 42->76 dropped 78 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 42->78 dropped 80 16 other files (none is malicious) 42->80 dropped 114 Multi AV Scanner detection for dropped file 42->114 116 Potentially malicious time measurement code found 42->116 62 Y41oVdYohe.exe 1 42->62         started        signatures13 process14 process15 64 cmd.exe 1 62->64         started        66 cmd.exe 1 62->66         started        process16 68 conhost.exe 64->68         started        70 conhost.exe 66->70         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/deb073e0199c835d2fa53d56efd3ad4a035f89f2bd3a7778831d9b50895ff24f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/deb073e0199c835d2fa53d56efd3ad4a035f89f2bd3a7778831d9b50895ff24f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-10-18 07:37:07 UTC
File Type:
PE+ (Exe)
Extracted files:
732
AV detection:
13 of 24 (54.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=32yhhyaztsbv2l5fhvlo7u5njibv7cpsxu5ho6eddwnvbck76jhq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence pyinstaller
Link:
https://tria.ge/reports/241018-jftesaxfkl/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/75089dbb-cd3d-4bc3-85da-e7b1ff5e6f8b
Unpacked files
SH256 hash:
11d25a48dd5e0492a8098df750dcc7aef377b069bff244f380039601be179667
MD5 hash:
237153a259c337a5793083a9dde51da8
SHA1 hash:
f14dfa44ebfda6f5d26b7396e64c1625a32464e3
Link:
https://www.unpac.me/results/23ab1ae0-98c1-486c-b0a4-06e9a052a490/
SH256 hash:
deb073e0199c835d2fa53d56efd3ad4a035f89f2bd3a7778831d9b50895ff24f
MD5 hash:
13aa8571246558ec560e4fc30aaba26e
SHA1 hash:
8e391bf885ffe49a4fa6f815ac5e6fb7c676ffd8
Link:
https://www.unpac.me/results/23ab1ae0-98c1-486c-b0a4-06e9a052a490/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/deb073e0199c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/deb073e0199c835d2fa53d56efd3ad4a035f89f2bd3a7778831d9b50895ff24f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CHM_File_Executes_JS_Via_PowerShell
Create hunting rule
Author:daniyyell
Description:Detects a Microsoft Compiled HTML Help (CHM) file that executes embedded JavaScript to launch a messagebox via PowerShell
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe deb073e0199c835d2fa53d56efd3ad4a035f89f2bd3a7778831d9b50895ff24f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3240622/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments


Avatar
zbet commented on 2024-10-18 07:36:52 UTC

url : hxxp://n.ddnsgratis.com.br/sitef/security/svchost.exe