MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e18efb7cff387e8b7ab7e7882841d21e5d6c3e9bddaa289a30315a54352bc39a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e18efb7cff387e8b7ab7e7882841d21e5d6c3e9bddaa289a30315a54352bc39a
SHA3-384 hash: 653fd3fd8d5a06639c5549ee02db6251aaa5a194480375a5d418bac39bf81eafc3a8a8d28293abde15dcbf4a709879c6
SHA1 hash: 6f6223bbfac0b87e03cdbc0eb3e7c71f9ca92c28
MD5 hash: f246340ac7099b305bc56b03c317e6fb
humanhash: ten-april-fruit-fix
File name:f246340ac7099b305bc56b03c317e6fb
Download: download sample
File size:8'914'398 bytes
First seen:2021-10-07 19:01:37 UTC
Last seen:2021-10-07 20:01:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bbadd88e560afea1d0dd8f728c4701ca (2 x ValleyRAT, 1 x Gh0stRAT, 1 x PythonStealer)
ssdeep 196608:BXU97Bz21W0x7QICteEroXxtVfEqlbkkwR7VTEJZFWylVoUaQ4bnlw3cil:ZU9lz21W6QInEroXNfEqirRRoJZTlVok
Threatray 12 similar samples on MalwareBazaar
TLSH T13C963314DF115A89E1A0403077740C33C07794FB8F64A8B6A82DE61B52EBEDCA6B5DBC
File icon (PE):PE icon
dhash icon 10508717d4f0708c
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection:
PyInstaller
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195940/
Detection(s):
SecuriteInfo.com.PyInstaller.206.26078.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed python
Link:
https://www.filescan.io/uploads/615f4431b95458900cde6d3b/reports/78f0cd5d-1256-4d8e-aef7-b9f711c4ef03/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5af0e35-9e4e-48c2-8078-3c60208116c1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/866650
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499078 Sample: XSvPlzgmSh Startdate: 07/10/2021 Architecture: WINDOWS Score: 48 63 Multi AV Scanner detection for submitted file 2->63 9 XSvPlzgmSh.exe 27 2->9         started        12 Windows Explorer.exe 27 2->12         started        14 Windows Explorer.exe 27 2->14         started        process3 file4 41 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->41 dropped 43 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->43 dropped 45 C:\Users\user\AppData\Local\...\python39.dll, PE32+ 9->45 dropped 53 20 other files (none is malicious) 9->53 dropped 16 XSvPlzgmSh.exe 1 9->16         started        55 23 other files (none is malicious) 12->55 dropped 20 Windows Explorer.exe 12->20         started        47 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 14->47 dropped 49 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 14->49 dropped 51 C:\Users\user\AppData\Local\...\python39.dll, PE32+ 14->51 dropped 57 20 other files (none is malicious) 14->57 dropped process5 dnsIp6 59 smtp.gmail.com 142.250.145.109, 465, 49747, 49754 GOOGLEUS United States 16->59 39 C:\Users\user\...\Windows Explorer.exe, PE32+ 16->39 dropped 22 cmd.exe 1 16->22         started        24 cmd.exe 1 16->24         started        file7 process8 process9 26 reg.exe 1 1 22->26         started        28 cmd.exe 1 22->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        process10 34 Windows Explorer.exe 26->34         started        37 conhost.exe 28->37         started        dnsIp11 61 smtp.gmail.com 34->61
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e18efb7cff387e8b7ab7e7882841d21e5d6c3e9bddaa289a30315a54352bc39a/
Threat name:
Win64.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 02:41:00 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712
16a9bd04b1d92c0853acb7a0e7e9d3a047e9a55829245be9aa23b5088a072f4a
2fb7c093711d15951d5345cdf0ba45305986f318118a58762e164bf9d5a2459a
3f09f8df1e94e9588e4f9584e4d97eae73bf6e7375c92751cbb1f7e9647242d3
45a3cf3b9fe14d68e6e67ba32c9efb36df82cf3435f2ec229fb687f59ab06ebf
a267a87d74e15c2b281f4268cf1e3d7e5c5586cf856549528e42d9436e04c9b9
e4d74735b0fe22e977c622d8bcd6de638ebbb71aaaace38a0a924fc514131e18
e8f57a83f154fb0c67f6064d3dc6914ad4278e5f79d054ec66c3b8383aeb5b5e
fed02796762f63978094ad4b21b1952948cea78281abb55ba58bbb7886531ea1
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence pyinstaller upx
Link:
https://tria.ge/reports/211007-xptnsscgf3/
Behaviour
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Unpacked files
SH256 hash:
e18efb7cff387e8b7ab7e7882841d21e5d6c3e9bddaa289a30315a54352bc39a
MD5 hash:
f246340ac7099b305bc56b03c317e6fb
SHA1 hash:
6f6223bbfac0b87e03cdbc0eb3e7c71f9ca92c28
Link:
https://www.unpac.me/results/8dffc897-9a57-43c5-b900-a691f05aa3f3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/e18efb7cff387e8b7ab7e7882841d21e5d6c3e9bddaa289a30315a54352bc39a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e18efb7cff387e8b7ab7e7882841d21e5d6c3e9bddaa289a30315a54352bc39a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1660099/
Cape
Cape
https://www.capesandbox.com/analysis/195940/

Comments


Avatar
zbet commented on 2021-10-07 19:01:39 UTC

url : hxxp://51.195.199.224/filez/Adobe.exe