MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0d5e662bb29b62dc06e8c1c5ed07beb282ee6bb61b1fba4fb9393dd3cac4645. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0d5e662bb29b62dc06e8c1c5ed07beb282ee6bb61b1fba4fb9393dd3cac4645
SHA3-384 hash: 68d1aac0c63e9eaf79445e02b1dc3d720364beb6707b83f496f9c3416fdce51915235c50193a7f9513f1ec74a14a3aa9
SHA1 hash: 66bfd894f485cf552def2d25808108ff55dd0189
MD5 hash: e6e40ec931ee73bebf8eacf05f55b30e
humanhash: red-cardinal-steak-quebec
File name:e0d5e662bb29b62dc06e8c1c5ed07beb282ee6bb61b1fba4fb9393dd3cac4645
Download: download sample
File size:41'729'829 bytes
First seen:2022-10-05 14:32:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep 786432:EeYtsO1bayaqfBZCvnAaqp5fMkq3FWGGdu35BCHJFzGhBLh1/Laxsx5QXe:E9V1baqfBZIAavkq3MGyuJKFahtLaCL/
TLSH T1859733C573D65B78D0730D7042EDBB48EDAE2031FA54D709FB844AC9BBBA8C29504AB5
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 69d4d45455d0f469
Reporter Anonymous
Tags:Clipboard Jacker exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Running batch commands
DNS request
Launching cmd.exe command interpreter
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a file
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Delayed reading of the file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41337/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/633d95a0d089a0c15dd55612/reports/0fe079ac-9948-485a-9a34-789cc613aedb/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/292714
Signature
Command shell drops VBS files
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 197400 Sample: electrum-gold-3.0.1.exe Startdate: 19/12/2019 Architecture: WINDOWS Score: 60 77 Multi AV Scanner detection for submitted file 2->77 79 Obfuscated command line found 2->79 11 electrum-gold-3.0.1.exe 13 2->11         started        15 java.exe 2->15         started        process3 file4 67 C:\Users\user\...\jre-8u151-windows-x64.exe, PE32 11->67 dropped 83 Obfuscated command line found 11->83 17 cmd.exe 1 11->17         started        signatures5 process6 signatures7 75 Potential malicious VBS script found (suspicious strings) 17->75 20 cmd.exe 2 17->20         started        23 conhost.exe 1 17->23         started        process8 signatures9 81 Command shell drops VBS files 20->81 25 electrum.exe 291 20->25         started        28 python.exe 11 20->28         started        30 jre-8u151-windows-x64.exe 27 20->30         started        34 2 other processes 20->34 32 icacls.exe 23->32         started        process10 file11 49 C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32 25->49 dropped 51 C:\Users\user\AppData\...\unicodedata.pyd, PE32 25->51 dropped 53 C:\Users\user\AppData\Local\Temp\...\sip.pyd, PE32 25->53 dropped 63 78 other files (none is malicious) 25->63 dropped 36 electrum.exe 16 25->36         started        55 C:\Users\user\AppData\...\unicodedata.pyd, PE32 28->55 dropped 57 C:\Users\user\AppData\Local\...\select.pyd, PE32 28->57 dropped 59 C:\Users\user\AppData\Local\...\python27.dll, PE32 28->59 dropped 65 4 other files (none is malicious) 28->65 dropped 39 python.exe 28->39         started        61 C:\Users\user\AppData\Roaming\...\awt.dll, PE32 30->61 dropped 41 conhost.exe 32->41         started        process12 dnsIp13 69 us.electrum.be 36->69 71 raspi.hsmiths.com 36->71 73 32 other IPs or domains 36->73 43 cmd.exe 39->43         started        process14 process15 45 conhost.exe 43->45         started        47 java.exe 43->47         started       
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4dk6myv3fg3c3qdorqof5ud35muc5zv3mgy7xjh3soj52pfmizcq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery pyinstaller spyware
Link:
https://tria.ge/reports/221005-rwva1seeg7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Drops startup file
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6e0cc6d9-ed86-453f-8a91-d9758fa1a8ea
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0d5e662bb29b62dc06e8c1c5ed07beb282ee6bb61b1fba4fb9393dd3cac4645

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.hybrid-analysis.com/sample/e0d5e662bb29b62dc06e8c1c5ed07beb282ee6bb61b1fba4fb9393dd3cac4645?environmentId=100

Comments