MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e64376fdce40bf0d5677f2bc7d28fc37e7f60b95824188e71ec27e27bcec1d77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e64376fdce40bf0d5677f2bc7d28fc37e7f60b95824188e71ec27e27bcec1d77
SHA3-384 hash: 36b0aa9594514ae56b828236cdd659c820d03b6922645517d31b2549afe89f79d9167d18d24075cfdf7be6d48334f2ef
SHA1 hash: ab0f365d3513775cd39195a484f1b98145dd3ae2
MD5 hash: ed73536c23e3888e120f9b7f09859c38
humanhash: batman-washington-cat-salami
File name:Nixlupa.exe
Download: download sample
File size:537'760 bytes
First seen:2024-01-21 14:13:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 319b1edcc4538be377f43066c635ffef (8 x RedLineStealer, 2 x njrat, 2 x 44CaliberStealer)
ssdeep 12288:oxjrr7F5qfMs8WdkI308n5b3ib38nbiXVyasFYH0:oxLsMs8Wdbk8hioraRH0
Threatray 41 similar samples on MalwareBazaar
TLSH T1B1B4DF22B984F472C3211C36CAA1F7685938BD20CF6149DB677C7E1D4E3C7D1A62A792
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 2058b6b2696ce813
Reporter vmovupd
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
426
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472061/
Detection(s):
Win.Dropper.njRAT-9986242-0
Create hunting rule

Win.Dropper.Nanocore-9986456-0
Create hunting rule

Win.Packed.Bladabindi-10017056-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint lolbin overlay packed setupapi shdocvw shell32
Link:
https://www.filescan.io/uploads/65ad267568f6c896b6d3fb9b/reports/b48ac6d2-84af-4a23-90d0-dbdff526aa1e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e64376fdce40bf0d5677f2bc7d28fc37e7f60b95824188e71ec27e27bcec1d77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cdeafdc6-95c9-441d-9300-7764efe355c3
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1378286
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e64376fdce40bf0d5677f2bc7d28fc37e7f60b95824188e71ec27e27bcec1d77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e64376fdce40bf0d5677f2bc7d28fc37e7f60b95824188e71ec27e27bcec1d77/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-01-21 14:14:05 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4zbxn7ooic7q2vtx6k6h2kh4g7t7mc4vqjayrzy6yj7cpphmdv3q._file
Verdict:
unknown
Similar samples:
0a8839b793adedb6f3b7882cd3ff2aca653b29aefe4091969bceffae430b6eaf
39fb3298539178ecc5326fb33b22bf62785fff8fe58eda6e51e214a53a634693
b25ebc1b52d81dfb1cf844c3b87d65c0a307589b2775c12aa7c7c2ebcf74fcd1
e62bf7ac957d0adf76ee5a050299b27473e7096abcafc4f2c42590aaf197462b
e64376fdce40bf0d5677f2bc7d28fc37e7f60b95824188e71ec27e27bcec1d77
e84cac854a439ca9097b29ead5938b3fc4f867dbc7d0c388633db9df0760edcc
ef9824bc08faee0f6cfa5ae692a33019ab4a100c55c1bbcab9a1d2c96d274abd
+ 31 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240121-rjfl4addbk/
Unpacked files
SH256 hash:
e64376fdce40bf0d5677f2bc7d28fc37e7f60b95824188e71ec27e27bcec1d77
MD5 hash:
ed73536c23e3888e120f9b7f09859c38
SHA1 hash:
ab0f365d3513775cd39195a484f1b98145dd3ae2
Link:
https://www.unpac.me/results/9a2816ee-fb8e-4802-95d4-4988074dcb54/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e64376fdce40bf0d5677f2bc7d28fc37e7f60b95824188e71ec27e27bcec1d77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e64376fdce40bf0d5677f2bc7d28fc37e7f60b95824188e71ec27e27bcec1d77

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/472061/

Comments


Avatar
commented on 2024-01-21 20:57:17 UTC

The executable is faulty for multiple reasons. It was supposed to drop and execute 7d5a7a36c5dec7d16bd7f3abf823879346d4ad40cea0beeeab483ba702ba9a5b (njrat sample) and beacon to potential-instances.gl.at.ply[.]gg.