MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e038cd85c9da66e9517bba1e3af819a7cb1cf068fe955b8e125273d1e0533c2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e038cd85c9da66e9517bba1e3af819a7cb1cf068fe955b8e125273d1e0533c2b
SHA3-384 hash: ac004fb5d6d20969a69564297838eeedf5942161c1531b8d6b8dd1a06fac2dcc39b8678ba4eba9c8e87a9006b49014f7
SHA1 hash: 88648132d7f0b1fe59da88c696016e3b1e496fa5
MD5 hash: dab3afd4e25abdc582e6325f31257ee8
humanhash: aspen-west-washington-fish
File name:dab3afd4e25abdc582e6325f31257ee8
Download: download sample
File size:499'071 bytes
First seen:2021-12-04 03:35:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 6144:5sxanyfX5k7JlJDlABKUtfU/WQcb5yXxTutawc98bwSz2FBmvO6Z:a0nyfXuIBDtfuOta7KbyBJ6Z
Threatray 37 similar samples on MalwareBazaar
TLSH T1AAB41756EDC2C86FD1EEC13F849F5EA4542FA4B4132015C7EE63E53827A53B1B627A02
File icon (PE):PE icon
dhash icon 70d4ccaab2e8d470
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dab3afd4e25abdc582e6325f31257ee8
Verdict:
Malicious activity
Analysis date:
2021-12-04 03:36:50 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/5d77d1fb-f88f-4890-854c-4f74483cd8a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211185/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop7.53194.14125.546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Reading critical registry keys
Running batch commands
Launching a process
Launching the process to change network settings
Sending a custom TCP request
Creating a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Delayed writing of the file
Creating a process with a hidden window
Unauthorized injection to a recently created process
Stealing user critical data
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/732/overview
Behaviour
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61aae2264d8e6f3a5e0ea857/reports/3ae7f50b-f86b-46ec-81bc-73d837b6b4d1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6e430b1-2425-4470-b501-da6bcd0a499a
Result
Threat name:
Jester Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901278
Signature
Found Tor onion address
Machine Learning detection for dropped file
May check the online IP address of the machine
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected Jester Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 533756 Sample: 6LDyLeZluV Startdate: 04/12/2021 Architecture: WINDOWS Score: 100 59 Sigma detected: Capture Wi-Fi password 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected Jester Stealer 2->63 65 3 other signatures 2->65 8 6LDyLeZluV.exe 8 2->8         started        process3 file4 39 C:\Users\user\AppData\Local\Temp\Jester.exe, PE32 8->39 dropped 11 Jester.exe 15 14 8->11         started        process5 dnsIp6 49 ip-api.com 208.95.112.1, 49742, 80 TUT-ASUS United States 11->49 51 github.com 140.82.121.4, 443, 49743, 49744 GITHUBUS United States 11->51 53 3 other IPs or domains 11->53 41 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 11->41 dropped 43 C:\Users\user\AppData\Local\Temp\...\tor.exe, PE32 11->43 dropped 45 C:\Users\user\AppData\...\tor-gencert.exe, PE32 11->45 dropped 47 8 other files (none is malicious) 11->47 dropped 67 Multi AV Scanner detection for dropped file 11->67 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->69 71 May check the online IP address of the machine 11->71 73 6 other signatures 11->73 16 cmd.exe 1 11->16         started        19 cmd.exe 1 11->19         started        21 tor.exe 11->21         started        file7 signatures8 process9 signatures10 55 Uses netsh to modify the Windows network and firewall settings 16->55 57 Tries to harvest and steal WLAN passwords 16->57 23 netsh.exe 3 16->23         started        25 conhost.exe 16->25         started        27 findstr.exe 1 16->27         started        29 chcp.com 1 16->29         started        31 netsh.exe 3 19->31         started        33 conhost.exe 19->33         started        35 findstr.exe 1 19->35         started        37 chcp.com 1 19->37         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e038cd85c9da66e9517bba1e3af819a7cb1cf068fe955b8e125273d1e0533c2b/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 23:34:12 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
010207d4463874eabd3808b12355e24acab67ff55c93c075625c2a05e481fd31
1306e24bda80da1dacddc7c7d808502407cc8b29960d807aed0327050ba32be6
23cfbb0bf1e110a79678f45c29897e6090b660d3df420bbb916fc3f1bc12eead
268953af63bad4895dd06c024fd1ec2af2c134623a0e100e26894e4d6bab741e
464fe77f576d8273564bb5b7976b381855d962017f4da6b5a363af78bf788799
6269fd417f93e7c0d7cab576b35dc3b6f6a58c0f04e75533bad84987c228f0e6
75fa551eec71d6d8b9817266813715c2bbb7a537005587f9f1e0d058a05febc6
af3b8311c191d529461c48cdc5af00df25735fab439aa7570685b6c09635bc9c
cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1
df00279749a73b854f3d6415a49e7cd0ea507b69b510d7505f2ca7c908d25a4a
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/211204-d5xwlsabdq/
Behaviour
Checks processor information in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
d863c367f29642f1b468ee0ad0e3d6f085f9a52285e3fc4d0d40527a2433135c
MD5 hash:
8874aa6c63dfc8dc78eb2b35977ff2aa
SHA1 hash:
9b19a99f3580eebb4f5f4ad378e3aaea43560079
Link:
https://www.unpac.me/results/90cf7702-6ee3-4d04-888c-823bcf7964b7/
SH256 hash:
19d0c2ddf2076efe37fe26631a7532fdb7e8d891fb638a19b89dc53bef1d880a
MD5 hash:
303407d420cfb6726ea1c73ec9797613
SHA1 hash:
18bbe3107ac8f5b0f9983fef4b5cf3cdc93cc7cf
Link:
https://www.unpac.me/results/90cf7702-6ee3-4d04-888c-823bcf7964b7/
SH256 hash:
e038cd85c9da66e9517bba1e3af819a7cb1cf068fe955b8e125273d1e0533c2b
MD5 hash:
dab3afd4e25abdc582e6325f31257ee8
SHA1 hash:
88648132d7f0b1fe59da88c696016e3b1e496fa5
Link:
https://www.unpac.me/results/90cf7702-6ee3-4d04-888c-823bcf7964b7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e038cd85c9da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e038cd85c9da66e9517bba1e3af819a7cb1cf068fe955b8e125273d1e0533c2b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e038cd85c9da66e9517bba1e3af819a7cb1cf068fe955b8e125273d1e0533c2b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1850553/
Cape
Cape
https://www.capesandbox.com/analysis/211185/

Comments


Avatar
zbet commented on 2021-12-04 03:35:41 UTC

url : hxxp://host-file-host-3.com/files/5976_1638523846_7576.exe