MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e88175232d055153cb8ed4f4d46fc97a612eebe5460063f1c6fd14edbf25cb7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	e88175232d055153cb8ed4f4d46fc97a612eebe5460063f1c6fd14edbf25cb7d
SHA3-384 hash:	9966857e2758863394a024b22aedb04ec2c8dbb993796e98f25e45cdbc1284e8664b686042609318865afbaea115698b
SHA1 hash:	9823ca025f735b0fd6b85842fdf32ea3327ef0d7
MD5 hash:	1f3a1e87f0ae00264d59b3071fc50c4b
humanhash:	beryllium-july-muppet-video
File name:	1f3a1e87f0ae00264d59b3071fc50c4b.exe
Download:	download sample
File size:	712'192 bytes
First seen:	2023-10-22 18:06:39 UTC
Last seen:	2023-10-22 18:48:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	77bb604ddb8d2a9df61815c9b5a4d907 (3 x Tofsee, 2 x Stealc, 1 x TeamBot)
ssdeep	12288:iEq9lhhJyvzVuJrvNJokMdbqzpHOefQZWBh4lWhffcIaalKNjsP0NXat:iEaMvI9lCk1QQIWNE3aQsmKt
Threatray	7 similar samples on MalwareBazaar
TLSH	T1D1E412117B91D072E0672D361971C9901E66BCE3AB2546CB33A93F6E5E316E01FA6F03
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	70d0dcd0d4d8d2dd (2 x Smoke Loader, 1 x MarsStealer, 1 x Stealc)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1f3a1e87f0ae00264d59b3071fc50c4b.exe

Verdict:

Suspicious activity

Analysis date:

2023-10-22 18:35:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7d672f1e-eb06-4a68-8176-5c0d8538e05b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Siggen21.47285.19079.29087.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Сreating synchronization primitives

Creating a window

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Enabling autorun by creating a file

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/653564cb4678fc28dfc4916f/reports/ffeedefb-29ae-4cb5-96d5-d7b0fc961d45/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/e88175232d055153cb8ed4f4d46fc97a612eebe5460063f1c6fd14edbf25cb7d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

IntelRapid

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c04f31ec-26c3-4cb3-8bc8-74e09995d551

Result

Threat name:

Clipboard Hijacker

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1330151

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to modify clipboard data

Delayed program exit found

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Clipboard Hijacker

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e88175232d055153cb8ed4f4d46fc97a612eebe5460063f1c6fd14edbf25cb7d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e88175232d055153cb8ed4f4d46fc97a612eebe5460063f1c6fd14edbf25cb7d/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-10-21 19:49:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5caxkiznavivhs4o2t2ni36jpjqs527fiyagh4og7uko3pzfzn6q._file

Verdict:

malicious

4290c815db722f3b8accc02b6ea6f3a86f2851181533b72748ac4143ffd1edc4

7541fd59acda46d343e7defac745807ce464770d91f0be69e3ca57414550b7a6

90fcf12de33c6bd7e478172cc49da62fc8eb70332bcae5fbba47e2a7c0e5d87c

a3b44503cd29c9e1c7b2bdde2848ac884ac170829b0add20aa7c3e2b9e55a496

bf208ca88ac059bbd01a06c624628d02bae92a68d46589bc9903f6c2a69a334c

de41d77e137dd2ae35d5623085bcc3a9e46957ce7dfec655693c7c3120aaeeb9

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231022-wqck8scb6w/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops startup file

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

99c036b4cedaa42c096b914851bf208de86bbd2e8055017cedf7b9a10256bbc9

MD5 hash:

f94ab634fe04f61641bada09f045f459

SHA1 hash:

7a4c66096585c04fb4c7671600dc92b14d572d0d

Link:

https://www.unpac.me/results/3876cc64-dd05-4eef-b414-57cecb082944/

SH256 hash:

e88175232d055153cb8ed4f4d46fc97a612eebe5460063f1c6fd14edbf25cb7d

MD5 hash:

1f3a1e87f0ae00264d59b3071fc50c4b

SHA1 hash:

9823ca025f735b0fd6b85842fdf32ea3327ef0d7

Link:

https://www.unpac.me/results/3876cc64-dd05-4eef-b414-57cecb082944/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e88175232d055153cb8ed4f4d46fc97a612eebe5460063f1c6fd14edbf25cb7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe e88175232d055153cb8ed4f4d46fc97a612eebe5460063f1c6fd14edbf25cb7d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2628134/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample