MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0d537f8669e6764bf4a4b8f4013ec219958749a5fde8b11fb52faaedde3cada. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vendor detections: 14

SHA256 hash: e0d537f8669e6764bf4a4b8f4013ec219958749a5fde8b11fb52faaedde3cada
SHA3-384 hash: e65e228ea36246a2c8bb7d18c21e92f6a99859b715c3b4b2dbb35f7358783774554d055e00ddce377e57d1758e88e476
SHA1 hash: feb10e43a661ecaeb4da1c8b37f54ae93d90e315
MD5 hash: 15564517054045e4735b8c627d7f5c0d
humanhash: alabama-pip-don-stairway
File name: 15564517054045e4735b8c627d7f5c0d.exe
Signature: Stop
File size: 4'411'904 bytes
First seen: 2024-08-30 04:15:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d3467cb5eaf453087bf8f9b28a57ca3b (2 x Stop)
ssdeep: 98304:4VLZqQiIPvfHJuETAwNdMHUDYvYV8tx0ddVxTe0Aq50QaR:4dZmIPXHwE/fYAVWyLxTehq3a
TLSH: T1F61612D6B686C6F9C026CBB4D992B4FD31693FA5CC744DC63A887E0B3C735109E6A901
TrID: 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.7% (.ICL) Windows Icons Library (generic) (2059/9)
      8.5% (.EXE) OS/2 Executable (generic) (2029/13)
      8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: e564ecdca4b4848d (2 x LummaStealer, 1 x Stop, 1 x PrivateLoader)
Reporter: abuse_ch
Tags: exe Stop
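The digests above are what a responder uses to confirm that a file pulled from a host or from another feed is the same object MalwareBazaar catalogued. The script below is an added example, not MalwareBazaar code: it computes SHA256, SHA3-384, SHA1 and MD5 in one pass over a local file and compares them with the values copied from this entry. It uses only the standard library, so the ssdeep, TLSH and imphash values listed above (which need third-party libraries) are not recomputed; the sample itself is not embedded.

```python
"""Verify a local copy of the sample against the digests published in this entry.

Added example, not part of MalwareBazaar. Assumes the hashes below (copied from
the entry) and a path to the downloaded sample; only hashlib is used.
"""
import hashlib
import sys
from pathlib import Path

# Digests copied from the MalwareBazaar entry for this sample.
EXPECTED = {
    "sha256": "e0d537f8669e6764bf4a4b8f4013ec219958749a5fde8b11fb52faaedde3cada",
    "sha3_384": "e65e228ea36246a2c8bb7d18c21e92f6a99859b715c3b4b2dbb35f7358783774"
                "554d055e00ddce377e57d1758e88e476",
    "sha1": "feb10e43a661ecaeb4da1c8b37f54ae93d90e315",
    "md5": "15564517054045e4735b8c627d7f5c0d",
}

CHUNK = 1 << 20  # 1 MiB reads, so a multi-megabyte sample never has to fit in memory


def compute_hashes(data_or_stream) -> dict:
    """Return lowercase hex digests for every algorithm in EXPECTED.

    Accepts a bytes object or a binary file object. All four hashers are fed from
    the same pass over the input, so the file is read only once.
    """
    hashers = {name: hashlib.new(name) for name in EXPECTED}
    if isinstance(data_or_stream, (bytes, bytearray)):
        chunks = [bytes(data_or_stream)]
    else:
        chunks = iter(lambda: data_or_stream.read(CHUNK), b"")
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(data_or_stream, expected: dict = EXPECTED) -> dict:
    """Map each algorithm name to True when the digest matches the entry.

    Any single mismatch means this is a different file: SHA256 is the value to
    trust, MD5 and SHA1 are kept only because feeds still key on them.
    """
    actual = compute_hashes(data_or_stream)
    return {name: actual[name] == expected[name].lower() for name in expected}


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <sample.exe>")
        return 2
    with Path(argv[1]).open("rb") as fh:
        result = verify_sample(fh)
    for name, ok in result.items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
    return 0 if all(result.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python verify.py 15564517054045e4735b8c627d7f5c0d.exe`; a non-zero exit means at least one digest differs from the entry, which is the case to treat the file as a different (possibly repacked) artefact rather than this sample.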


abuse_ch
Stop C2:
http://45.91.200.135/api/crazyfish.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                       ThreatFox reference
http://45.91.200.135/api/crazyfish.php    https://threatfox.abuse.ch/ioc/1317143/
http://45.91.200.135/api/twofish.php      https://threatfox.abuse.ch/ioc/1317144/
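Both C2 URLs share one host, so a log search should fire on the exact URLs and, at lower confidence, on any other request to that host. The script below is an added example, not part of MalwareBazaar or ThreatFox: it normalises URLs (scheme, default port, missing path) before matching, so a proxy that logs `45.91.200.135:80/api/twofish.php` still hits. The log format and the log lines are constructed for illustration.

```python
"""Match the C2 IOCs from this entry against proxy log lines.

Added example, not MalwareBazaar or ThreatFox code. The IOC URLs are the two
listed in the entry; the log format and SAMPLE_LOG are constructed.
"""
import re
from urllib.parse import urlsplit

# IOCs from the entry, mapped to their ThreatFox references.
IOCS = {
    "http://45.91.200.135/api/crazyfish.php": "https://threatfox.abuse.ch/ioc/1317143/",
    "http://45.91.200.135/api/twofish.php": "https://threatfox.abuse.ch/ioc/1317144/",
}


def normalize(url: str) -> tuple:
    """Reduce a URL to (host, port, path) so scheme case, an explicit default
    port or a missing leading scheme do not hide a match."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        raise ValueError("no host in URL")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (host.lower(), port, parts.path or "/")


EXACT = {normalize(u): ref for u, ref in IOCS.items()}
HOSTS = {key[0] for key in EXACT}

# Constructed proxy log format: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan(lines):
    """Return one hit per log line that touches an IOC.

    confidence is "exact" for a listed URL (with its ThreatFox reference) and
    "host-only" for any other request to the C2 host, which is still worth a
    look since both known paths live on it.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        try:
            key = normalize(url)
        except ValueError:
            continue  # unparsable URL field: skip rather than crash the scan
        if key in EXACT:
            hits.append({"ts": ts, "client": client, "url": url,
                         "confidence": "exact", "reference": EXACT[key]})
        elif key[0] in HOSTS:
            hits.append({"ts": ts, "client": client, "url": url,
                         "confidence": "host-only", "reference": None})
    return hits


# Constructed log lines: three touch the C2 host, the last is unrelated.
SAMPLE_LOG = [
    "2024-08-30T04:16:02Z 10.0.0.17 GET http://45.91.200.135/api/crazyfish.php 200",
    "2024-08-30T04:16:03Z 10.0.0.17 GET 45.91.200.135:80/api/twofish.php 200",
    "2024-08-30T04:16:10Z 10.0.0.17 POST http://45.91.200.135/api/other.php 200",
    "2024-08-30T04:17:00Z 10.0.0.23 GET https://example.org/ 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['confidence']:9s} {hit['url']} {hit['reference'] or ''}")
```

The host-only tier is deliberate: a new path on a known C2 host is more likely a panel endpoint you have not catalogued than a coincidence, so it should be surfaced but not auto-escalated.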

Intelligence


File Origin
# of uploads: 1
# of downloads: 412
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 15564517054045e4735b8c627d7f5c0d.exe
Verdict: Malicious activity
Analysis date: 2024-08-30 04:28:28 UTC
Tags: evasion privateloader berbew
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: Malware

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Reading critical registry keys
Using the Windows Management Instrumentation requests

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint lolbin packed shell32

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Djvu, Neoreklami, Stealc, Vidar, Xmrig
Detection: malicious
Classification: rans.troj.adwa.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Creates files in the recycle bin to hide itself
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Djvu Ransomware
Yara detected Neoreklami
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1501576; sample gHPYUEh253.exe; start date 30/08/2024; architecture WINDOWS; score 100)

Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 22 other signatures.
Top-level network contacts: yip.su; stadiatechnologies.com; 7 other IPs or domains.

Process tree (indentation shows parent/child; network contacts, dropped files and signatures are listed under the process the sandbox attributed them to):

gHPYUEh253.exe
  contacts: 195.10.205.48:80 (TSSCOM-AS RU, Russian Federation, from local port 49730); yip.su 188.114.97.3 (CLOUDFLARENET US, European Union); 6 other IPs or domains
  drops: C:\Users\...\oOMgVil3z78TF92yUiI1jBjJ.exe (PE32); C:\Users\...\iyhiDENXt_q0EUrAsx1Gpb4x.exe (PE32); C:\Users\...\ZwL0OipB1WfKucHfLydAfltr.exe (PE32); 11 other malicious files
  signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Drops PE files to the document folder of the user; Found many strings related to Crypto-Wallets (likely being stolen); Found direct / indirect Syscall (likely to bypass EDR)
  3rS3zgtrHYzvSBWEegYZ8AEZ.exe
    signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
    RegAsm.exe
      contacts: 46.8.231.109 (FIORD-AS, Russian Federation)
      drops: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 13 other files (9 malicious)
      signatures: Tries to steal Mail credentials (via file / registry access); Found evasive API chain (may stop execution after checking locale); Tries to steal Crypto Currency Wallets; Searches for specific processes (likely to inject)
    conhost.exe
  iyhiDENXt_q0EUrAsx1Gpb4x.exe
    drops: C:\Users\user\AppData\Local\...\Install.exe (PE32)
    Install.exe
      drops: C:\Users\user\AppData\Local\...\Install.exe (PE32)
      Install.exe
        signatures: Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Modifies Windows Defender protection settings
        cmd.exe
          signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Modifies Windows Defender protection settings
          forfiles.exe
            signatures: Modifies Windows Defender protection settings
            cmd.exe
              signatures: Uses cmd line tools excessively to alter registry or file data
              reg.exe
          forfiles.exe
            cmd.exe
              reg.exe
          forfiles.exe
            cmd.exe
              reg.exe
          3 other processes
            cmd.exe
              signatures: Suspicious powershell command line found
              powershell.exe
                gpupdate.exe
                  conhost.exe
            cmd.exe
              reg.exe
        forfiles.exe
          cmd.exe
            signatures: Suspicious powershell command line found
            powershell.exe
              WMIC.exe
          conhost.exe
        schtasks.exe
          conhost.exe
  oOMgVil3z78TF92yUiI1jBjJ.exe
    signatures: Injects a PE file into a foreign processes
    RegAsm.exe
      contacts: 193.176.190.41 (AGROSVITUA, unknown); aldiablo.cl 186.64.114.115 (ZAMLTDACL, Chile)
      drops: C:\Users\user\AppData\...\softokn3[2].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 5 other files (3 malicious)
      signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal Bitcoin Wallet information
  4 other processes
    drops: C:\Users\user\AppData\Local\Temp\...\7z.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\7z.dll (PE32+); C:\ProgramData\...\etzpikspwykg.exe (PE32+)
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Contains functionality to inject code into remote processes; Contains functionality to register a low level keyboard hook; 2 other signatures
    cmd.exe
      7z.exe
        Conhost.exe
      conhost.exe
      mode.com
      6 other processes
    RegAsm.exe
      contacts: 147.45.68.138 (FREE-NET-AS FREEnet EU, Russian Federation)
    conhost.exe
Install.exe (second top-level process)
  drops: C:\Windows\Temp\...\RRJEdwx.exe (PE32); C:\Windows\System32\GroupPolicy\gpt.ini (ASCII)
  signatures: Creates files in the recycle bin to hide itself; Modifies Windows Defender protection settings; Modifies Group Policy settings
  cmd.exe
    signatures: Modifies Windows Defender protection settings
    forfiles.exe
      signatures: Modifies Windows Defender protection settings
      cmd.exe
        signatures: Uses cmd line tools excessively to alter registry or file data
        reg.exe
    conhost.exe
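The recurring shape in the behavior graph is a LOLBin chain: forfiles.exe launching cmd.exe, which runs reg.exe; schtasks.exe creating a task; and powershell.exe spawning WMIC.exe or gpupdate.exe. Those lineages are easier to hunt for than any single image name. The script below is an added example, not code from MalwareBazaar or the sandbox vendor: it rebuilds parent/child chains from Sysmon-style process-creation events and matches them against lineage rules. EVENTS is constructed to mirror the shape of the graph above; its pids, paths and command lines are illustrative, not the sample's real ones, and the last two lineage rules plus the schtasks rule only approximate the Sigma rules named on the page.

```python
"""Flag process lineages from the behavior graph in Sysmon-style events.

Added example, not MalwareBazaar or sandbox-vendor code. EVENTS is constructed;
command lines, pids and paths are illustrative only.
"""

# Constructed Defender policy change, used to make the cmd/reg lines realistic.
REG_CMD = ('reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
           '/v DisableAntiSpyware /t REG_DWORD /d 1 /f')

# Constructed events: (pid, ppid, image path, command line)
EVENTS = [
    (100, 4,   r"C:\Users\user\AppData\Local\Temp\Install.exe", "Install.exe"),
    (110, 100, r"C:\Windows\System32\cmd.exe",
     f'cmd /c forfiles /p C:\\Windows\\System32 /m cmd.exe /c "{REG_CMD}"'),
    (120, 110, r"C:\Windows\System32\forfiles.exe",
     f'forfiles /p C:\\Windows\\System32 /m cmd.exe /c "{REG_CMD}"'),
    (130, 120, r"C:\Windows\System32\cmd.exe", f"cmd /c {REG_CMD}"),
    (140, 130, r"C:\Windows\System32\reg.exe", REG_CMD),
    (150, 100, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn Updater /tr "C:\Users\user\AppData\Local\Temp\updater.exe" /sc onlogon /f'),
    (160, 100, r"C:\Windows\System32\forfiles.exe",
     'forfiles /p C:\\Windows\\System32 /m cmd.exe /c "cmd /c powershell -NoProfile -Command wmic os get caption"'),
    (170, 160, r"C:\Windows\System32\cmd.exe", "cmd /c powershell -NoProfile -Command wmic os get caption"),
    (180, 170, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -NoProfile -Command wmic os get caption"),
    (190, 180, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    (200, 110, r"C:\Windows\System32\cmd.exe", "cmd /c powershell -Command gpupdate /force"),
    (210, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -Command gpupdate /force"),
    (220, 210, r"C:\Windows\System32\gpupdate.exe", "gpupdate /force"),
    (230, 100, r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),  # benign noise
]

# Each rule is an ordered suffix of the ancestry chain (image basenames).
LINEAGE_RULES = {
    # forfiles.exe used as a launcher for cmd.exe, which edits the registry
    "forfiles-proxied-registry-edit": ("forfiles.exe", "cmd.exe", "reg.exe"),
    # rough stand-ins for "Potentially Suspicious PowerShell Child Processes"
    "powershell-child-wmic": ("powershell.exe", "wmic.exe"),
    "powershell-child-gpupdate": ("powershell.exe", "gpupdate.exe"),
}


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def build_index(events) -> dict:
    """pid -> (ppid, image, cmdline) for ancestry walks."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}


def ancestry(pid: int, index: dict) -> list:
    """Image basenames from the earliest known ancestor down to pid, inclusive.

    Stops when the parent is unknown (not in the events) or on a pid cycle, which
    can occur when pids are reused in a long capture.
    """
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        ppid, image, _ = index[pid]
        chain.append(basename(image))
        pid = ppid
    return list(reversed(chain))


def ends_with(chain: list, pattern: tuple) -> bool:
    return len(chain) >= len(pattern) and tuple(chain[-len(pattern):]) == pattern


def detect(events) -> list:
    """Return (rule name, pid, rendered chain) for every event that matches a rule."""
    index = build_index(events)
    alerts = []
    for pid, _ppid, image, cmdline in events:
        chain = ancestry(pid, index)
        rendered = " > ".join(chain)
        for name, pattern in LINEAGE_RULES.items():
            if ends_with(chain, pattern):
                alerts.append((name, pid, rendered))
        # Approximation of "Suspicious Scheduled Task Creation Involving Temp Folder":
        # schtasks /create whose command line references a Temp directory.
        lc = cmdline.lower()
        if basename(image) == "schtasks.exe" and "/create" in lc and "\\temp\\" in lc:
            alerts.append(("schtasks-create-from-temp", pid, rendered))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:32s} pid={pid} {chain}")
```

Matching on a chain suffix rather than on a direct parent is what keeps the first rule robust: the sandbox shows several forfiles > cmd > reg branches under different grandparents, and the rule fires on all of them without enumerating the launchers above.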
Threat name: Win64.Spyware.Stealc
Status: Malicious
First seen: 2024-08-26 12:49:00 UTC
File Type: PE+ (Exe)
Extracted files: 21
AV detection: 18 of 24 (75.00%)
Threat level: 2/5
Verdict: malicious

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Looks up external IP address via web service

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: e0d537f8669e6764bf4a4b8f4013ec219958749a5fde8b11fb52faaedde3cada
MD5 hash: 15564517054045e4735b8c627d7f5c0d
SHA1 hash: feb10e43a661ecaeb4da1c8b37f54ae93d90e315

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments