MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6432f09b652cd3f577cde0671ef18ad9cd6fe5d0b45460a740254dd097f4d51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	e6432f09b652cd3f577cde0671ef18ad9cd6fe5d0b45460a740254dd097f4d51
SHA3-384 hash:	c5ad5cc84026426db05359e357a8c2cdebfef2ce2c029549658e336c272c20cf892c215ef956b6fa5318583b8c59b9f7
SHA1 hash:	44cfc8598dac982bc04d00a6ab8b07d5bef3b409
MD5 hash:	6a7c97e1f4292f0e7d38d0f5019bb896
humanhash:	muppet-table-venus-muppet
File name:	win.exe
Download:	download sample
File size:	5'734'912 bytes
First seen:	2022-09-28 23:38:22 UTC
Last seen:	2022-10-01 17:02:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9cbefe68f395e67356e2a5d8d1b285c0 (61 x LummaStealer, 49 x AuroraStealer, 45 x Vidar)
ssdeep	49152:xE0B0Bl2d+1eTK/P9ulyuO3Vr8micZfViEnzR5n8o0NNkH+Yytpk3IZ5+JEckVr1:xE0DdlGElyGEnzH01YUVAk5wNL3BEp
Threatray	11 similar samples on MalwareBazaar
TLSH	T137463952FACB84F5EA03193014A7A2BF57316D054F24CFCBEA14BF6AE8776911D32219
gimphash	8eee94a8b0f25e5324c2a3bb3297f6a2b7dac30950158bfd3418898f4124acc1
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	r3dbU7z
Tags:	Chaos exe

Intelligence

File Origin

# of uploads :

# of downloads :

326

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/314539/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Creating a file

Sending a custom TCP request

Launching a process

Creating a file in the system32 subdirectories

Creating a window

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

golang greyware

Link:

https://www.filescan.io/uploads/6334db185c60ccc9fcfe7bc1/reports/e60e09f7-93de-418c-ba9d-011ed555e5c8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ee081c1b-b3fc-4ab9-bb73-00c953e51736

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.expl

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1079649

Signature

Antivirus detection for URL or domain

Connects to many different private IPs (likely to spread or exploit)

Drops PE files with benign system names

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e6432f09b652cd3f577cde0671ef18ad9cd6fe5d0b45460a740254dd097f4d51/

Threat name:

Win32.Ransomware.Foreign

Status:

Malicious

First seen:

2022-09-28 23:39:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4zbs6cnwklgt6v343ydhd3yyvwonn7s5bncumctuajkn2cl7jviq._file

Verdict:

malicious

2ea6afd8cd172d7a43de0e037d7250b9036de4b87e1f0c10ba04c286c8c58704

42e369c8a08e42bb7ca81f3b4598b1352766fd602c32adc21cd5f1afab85f7f3

446736e381fa8942f8d32cb4f2ae8fb6a9245fa0e70b7f7298ee7a5cb6fe9f32

57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5

73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e

96f69fe5148b0838909afe927aa280b4919b7f12b1593ed4a461de49fa725b1b

ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9

+ 1 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/220928-3m96naadgm/

Behaviour

GoLang User-Agent

Adds Run key to start application

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/53a39c8c-9c18-4c12-9d1c-1f3ebbfd88f6

Unpacked files

SH256 hash:

e6432f09b652cd3f577cde0671ef18ad9cd6fe5d0b45460a740254dd097f4d51

MD5 hash:

6a7c97e1f4292f0e7d38d0f5019bb896

SHA1 hash:

44cfc8598dac982bc04d00a6ab8b07d5bef3b409

Link:

https://www.unpac.me/results/c00d8f80-f740-447d-86f1-c13501ee6234/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/e6432f09b652cd3f577cde0671ef18ad9cd6fe5d0b45460a740254dd097f4d51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	methodology_golang_build_strings Create hunting rule
Author:	smiller
Description:	Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe e6432f09b652cd3f577cde0671ef18ad9cd6fe5d0b45460a740254dd097f4d51

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/314539/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample