MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3433215e57803029ce2a3e019d844b377aeb77ea11e0154289fbd4c24838d51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3433215e57803029ce2a3e019d844b377aeb77ea11e0154289fbd4c24838d51
SHA3-384 hash: 61f0c6b75da90495acff56fc5ca70d619b595295317de4d8e4ea6b97e6c0eed00ec1e862a19c7bd1bfb34abf4ab39cc9
SHA1 hash: 19468c85dd6772e7d5566bd9f3c216c4e8bfcfae
MD5 hash: 3350aae4c4ebb8a9d200f05d1fd7950b
humanhash: bulldog-asparagus-wyoming-eleven
File name:3350aae4c4ebb8a9d200f05d1fd7950b.exe
Download: download sample
File size:4'591'104 bytes
First seen:2021-01-02 09:34:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f1f6d93d68be901a0f8e8f9c68c8e208 (2 x Smoke Loader, 1 x CryptBot, 1 x DanaBot)
ssdeep 98304:6BUTbjO/W5dAZ90tFI/SXlYKrDiaSROWH8Uyds3EpzesCSxph+2PKvP/3UcZXToA:SYGTKIGYCAROWcgsT6X/3Uc5W9ffUE6i
Threatray 1'331 similar samples on MalwareBazaar
TLSH 7C2623565164A7BCF0952930D63A69E48A0F2B335DDD31353E13CBE4863A9D2F682F0B
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3350aae4c4ebb8a9d200f05d1fd7950b.exe
Verdict:
Malicious activity
Analysis date:
2021-01-02 09:38:58 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/062243be-fd99-48bb-aca8-269661063669

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110298/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Launching a process
Creating a process with a hidden window
Modifying an executable file
Creating a window
Creating a file in the %temp% directory
Changing a file
Sending a custom TCP request
Reading critical registry keys
Forced system process termination
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for the window
DNS request
Deleting a recently created file
Stealing user critical data
Infecting executable files
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/572926
Signature
Bypasses PowerShell execution policy
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 335525 Sample: Fk13Yj65TM.exe Startdate: 02/01/2021 Architecture: WINDOWS Score: 100 64 Multi AV Scanner detection for dropped file 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Machine Learning detection for sample 2->68 70 4 other signatures 2->70 9 Fk13Yj65TM.exe 1 2->9         started        process3 file4 48 C:\Users\user\Desktop\FK13YJ~1.EXE.dll, PE32 9->48 dropped 12 rundll32.exe 9->12         started        process5 signatures6 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->74 15 rundll32.exe 8 24 12->15         started        process7 dnsIp8 54 108.62.118.103, 443, 49723 LEASEWEB-USA-WDCUS United States 15->54 40 C:\Users\user\...\JSAMSIProvider32.dll, PE32 15->40 dropped 42 C:\Users\user\AppData\...\tmp2533.tmp.ps1, ASCII 15->42 dropped 44 C:\Users\user\...\ProvProvider.dll.mui, PE32 15->44 dropped 46 3 other files (none is malicious) 15->46 dropped 56 System process connects to network (likely due to code injection or exploit) 15->56 58 Tries to steal Instant Messenger accounts or passwords 15->58 60 Tries to steal Mail credentials (via file access) 15->60 62 2 other signatures 15->62 20 powershell.exe 15 15->20         started        23 powershell.exe 17 15->23         started        25 schtasks.exe 1 15->25         started        27 schtasks.exe 1 15->27         started        file9 signatures10 process11 signatures12 72 Uses nslookup.exe to query domains 20->72 29 nslookup.exe 1 20->29         started        32 conhost.exe 20->32         started        34 conhost.exe 23->34         started        36 conhost.exe 25->36         started        38 conhost.exe 27->38         started        process13 dnsIp14 50 8.8.8.8.in-addr.arpa 29->50 52 localhost 29->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3433215e57803029ce2a3e019d844b377aeb77ea11e0154289fbd4c24838d51/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-01-02 09:35:05 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
22ed8ba56c9a195d2f2b50133b9ba06e6cc0705fd3003cd76c2717547443f3d4
3dff6f068aaf451982f4cd74c0e6dbda2e214346d33947d8bbf0d71d26b2699f
4067636da0258032856bcba46483e656841dc9866eed7ee22e2f155eea4b4d70
6172ae75fca2550266d932f8b7a5bb55fbfd5ac7342136c1082c50a839afb6c1
87b4206c21e302ab8db1494fb73f0398009a10d7f4363e9c6cdef845811f60ec
9836dae82868c0e7f17114f7fe63e0f5b94f8e99e0c597f43ae12a365458ff69
af60e77e82cc0ab917461efb7fad074044c7c90959a9b6e118dd5bf379e09d06
badee00726d2f0373378c3d60ba224a5f50d192d6b1886c3d831efe8bd3d846e
d6640a1ff78ab00ccc4f3388b310325036c34ecd40af501ddddc652fb6f28f3b
de0916556f63cf540c814626a4098d996a55ea99bfca9cc2032e0f6994c1479d
+ 1'321 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware upx
Link:
https://tria.ge/reports/210102-crxjkqvydj/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks installed software on the system
Drops desktop.ini file(s)
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
e3433215e57803029ce2a3e019d844b377aeb77ea11e0154289fbd4c24838d51
MD5 hash:
3350aae4c4ebb8a9d200f05d1fd7950b
SHA1 hash:
19468c85dd6772e7d5566bd9f3c216c4e8bfcfae
Link:
https://www.unpac.me/results/b693198b-251c-4328-8262-b5594f0b42fe/
SH256 hash:
187e210baee59b2ed86ba5ff00949b15843c59e7b8e8b81583d0b10bd775713d
MD5 hash:
03262a34525f52e976bdc6a765eb8ccc
SHA1 hash:
24995e2b3c5319d92fe35bb891085b00da1b7075
Link:
https://www.unpac.me/results/b693198b-251c-4328-8262-b5594f0b42fe/
SH256 hash:
437148a117de6336097527c0256ef299c7162ac5e4fc02c176d606ee174044e1
MD5 hash:
93094398d21dee47bd6bcb6e612509a7
SHA1 hash:
1a511e2d1654b0a1a052ba48f10740159160ffd5
Link:
https://www.unpac.me/results/b693198b-251c-4328-8262-b5594f0b42fe/
SH256 hash:
d33ca5446399cc610653ec6ef86880c9494047aa6f916fddd93290c96bb08cbd
MD5 hash:
8416981f424fd3a6e60e90cd624499d7
SHA1 hash:
6f91ed1b26e9a4b59efa5354cf4f1fe92a36a567
Link:
https://www.unpac.me/results/b693198b-251c-4328-8262-b5594f0b42fe/
SH256 hash:
243f5832f05d856b586d7b19c5c1b35535f229a9cae4021d6d8754e4245c561b
MD5 hash:
f67127e9b550ed72cc23be806599e320
SHA1 hash:
f293a32a32a61ef5f92afcbc03dcd7c8334258d1
Link:
https://www.unpac.me/results/b693198b-251c-4328-8262-b5594f0b42fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Glupteba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3433215e57803029ce2a3e019d844b377aeb77ea11e0154289fbd4c24838d51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e3433215e57803029ce2a3e019d844b377aeb77ea11e0154289fbd4c24838d51

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/947426/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/110298/

Comments