MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TitanStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc
SHA3-384 hash:	d649a1975c23a85a64b188822035ec23bdcc80afbc6a6601894dbac2fc4f33b93cd0b3bbf8bb122cfb5080bb9586d194
SHA1 hash:	763ac1ea8c3de617457f64a8ce4eabe7ab8a3abb
MD5 hash:	e7f46144892fe5bdef99bdf819d1b9a6
humanhash:	cat-spring-edward-queen
File name:	e7f46144892fe5bdef99bdf819d1b9a6.exe
Download:	download sample
Signature	TitanStealer Create hunting rule
File size:	2'823'168 bytes
First seen:	2022-11-12 08:02:20 UTC
Last seen:	2022-11-12 10:40:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4718c85fe28e792412bf1679bc40c971 (49 x RedLineStealer, 1 x ArkeiStealer, 1 x TitanStealer)
ssdeep	49152:/l8ZYyJ/sr3IRLVK7/NczUVAEcLLpvdXhWZsP4Xcm:/a6yJ4okbNckAEcPpvjWZswX
Threatray	640 similar samples on MalwareBazaar
TLSH	T1DBD5CF36E75A74EDD7775238461FDEBB5A48E5044132AB37F7DBCA0CA63282B3409281
TrID	44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe TitanStealer

Intelligence

File Origin

# of uploads :

# of downloads :

168

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-12 03:08:56 UTC

Tags:

trojan amadey loader rat redline stealer

Link:

https://app.any.run/tasks/a864b279-83ef-498e-857b-f7330009a702

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/332838/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.9740.1447.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Searching for the window

Reading critical registry keys

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Sending an HTTP POST request

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/51629/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/636f53377662ecf10839db85/reports/c8b0583d-0e5f-4650-a44e-8b9db276ec92/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/340e656c-3624-4da4-8732-4ee447523c5a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad.troj

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1111760

Signature

Allocates memory in foreign processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc/

Threat name:

Win32.Trojan.Strab

Status:

Malicious

First seen:

2022-11-12 08:03:13 UTC

File Type:

PE (Exe)

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4jjkktsed2uivl5gsqszhbvp2abbknebv4s2ln5s35dnc6wfh7ga._file

Verdict:

malicious

TitanStealer

30c1f93a3d798bb18ef3439db0ada4e0059e1f6ddd5d860ec993393b31a62842

TitanStealer

7bb10303027c42b4893bc186be547fbd8f0d59a8a8171703c8ad88680831785f

TitanStealer

81173b89b99d19283f9ebe3ee7e2aa13070618cbb1d9d7c96a2bbf8be985dc7a

TitanStealer

a7dfb6bb7ca1c8271570ddcf81bb921cf4f222e6e190e5f420d4e1eda0a0c1f2

TitanStealer

be607f4670ec8ae8808e6c46603344dcd3d0e58c7e2c7644cf6a360e60f92ce7

TitanStealer

cbeb11d02bffea1aaf17e598dd3318b156a1870500eca06249b7a8be1802ad88

TitanStealer

+ 630 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

spyware

Link:

https://tria.ge/reports/221112-jxpsxshe8x/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f565d367-c9d4-44f9-95e0-f7cd7587fc7a

Unpacked files

SH256 hash:

7dec1beb0f5a4284d8f3dfbbfdac2635bc4c1fdb1cbb0d4348b3df77ac3ad1cf

MD5 hash:

666467d7953be0095b98f4a284acfe8d

SHA1 hash:

76731e62055bb3f94c6e6fabdb5be9044c65cbab

Link:

https://www.unpac.me/results/8f36b50d-4604-4f6a-9b26-79318ad20028/

SH256 hash:

e624d7d05ea04ba285ff13d462f6c3fad4fd7d642bac0aa47a6b6de835749991

MD5 hash:

6f65f107ab0683040cb1f75a13af32c3

SHA1 hash:

3bfe801f81b198a299be39072f0532b8c496026d

Link:

https://www.unpac.me/results/8f36b50d-4604-4f6a-9b26-79318ad20028/

SH256 hash:

e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc

MD5 hash:

e7f46144892fe5bdef99bdf819d1b9a6

SHA1 hash:

763ac1ea8c3de617457f64a8ce4eabe7ab8a3abb

Link:

https://www.unpac.me/results/8f36b50d-4604-4f6a-9b26-79318ad20028/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e252a54e441e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GHISLER_Stealer_1 Create hunting rule
Author:	Andre Gironda
Description:	GHISLER Golang based GO Stealer , POST /sendlog to http port 5000 , Userid HTTP header

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers