MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
SHA3-384 hash: cc59b719e18d1fbb14051e5a1bab2f5b5f5447c7bb80eaf6a7aaf26a169db91271301c249e1bd38794cb620d4d1dd5bf
SHA1 hash: 0461f1c46644acde8020bb59b53b1e34b65977ca
MD5 hash: 75b9ef9142a78671d449c8d22ab6be14
humanhash: nebraska-carolina-mars-earth
File name:app.exe
Download: download sample
File size:1'290'240 bytes
First seen:2024-05-04 22:17:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 26600adf486f72b556f917a64c8fd23f
ssdeep 24576:CIFxe+AY3rqYsavMOQdbac5IQH97wiI3dzAr09UDZ5YUD8:1xeSNR0vbac5/d8P3diDZ6q
Threatray 1 similar samples on MalwareBazaar
TLSH T18255CF05F3D2B8B1D15192772DC96161B6ED993048D83F0732D0EE5E1B3B9A6B40FE2A
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13097/50/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon ccdcccaeaeda8694
Reporter smica83
Tags:185.213.208.245 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c.exe
Verdict:
Suspicious activity
Analysis date:
2024-05-04 22:20:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e14b64e2-422c-4bf7-a3e2-8f2711b50fc0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint keylogger lolbin packed risepro shell32
Link:
https://www.filescan.io/uploads/6636b41bd1046c89340e9d6f/reports/822cc97c-f9dc-49e7-ac9d-01baf4979512/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/705a389c-06c6-4b3c-a82b-9c9d3b372601
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1436386
Signature
Contains functionality to infect the boot sector
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436386 Sample: app.exe Startdate: 05/05/2024 Architecture: WINDOWS Score: 100 29 api.ipify.org 2->29 35 Snort IDS alert for network traffic 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Machine Learning detection for sample 2->39 41 2 other signatures 2->41 9 app.exe 5 2->9         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\Temp\...\app.exe, PE32 9->27 dropped 43 Detected unpacking (creates a PE file in dynamic memory) 9->43 45 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 9->45 47 Contains functionality to infect the boot sector 9->47 49 Queries memory information (via WMI often done to detect virtual machines) 9->49 13 app.exe 10 9 9->13         started        17 conhost.exe 9->17         started        signatures6 process7 dnsIp8 31 144.208.127.230, 49789, 80 SHOCK-1US United States 13->31 33 api.ipify.org 172.67.74.152, 443, 49788 CLOUDFLARENETUS United States 13->33 51 Multi AV Scanner detection for dropped file 13->51 53 Detected unpacking (creates a PE file in dynamic memory) 13->53 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->55 57 7 other signatures 13->57 19 cmd.exe 1 13->19         started        21 conhost.exe 13->21         started        signatures9 process10 process11 23 conhost.exe 19->23         started        25 timeout.exe 1 19->25         started       
Score:
68%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-05-03 08:18:41 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5g6ejt2urjyookcuteqjs4726rfxg5g6zykbhx6nya57ewtmlgoa._file
Verdict:
unknown
Similar samples:
84ceb797473ad98c67911806e95126fbe51d1ad8b6f50ba979de91dd3c5e0ce0
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240504-17xpysgc42/
Unpacked files
SH256 hash:
a495a63d97f6ce5a8a36d8d84543138c871faafe6dd098c8f029ec4874cd8220
MD5 hash:
cd8f92a073dd992eab53fff30a6d4d78
SHA1 hash:
144a8bb351a879c4582a807a7b1ad0210fcc0dc0
Link:
https://www.unpac.me/results/07e75e84-ff44-41fc-9690-d192261d3c7a/
SH256 hash:
e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
MD5 hash:
75b9ef9142a78671d449c8d22ab6be14
SHA1 hash:
0461f1c46644acde8020bb59b53b1e34b65977ca
Link:
https://www.unpac.me/results/07e75e84-ff44-41fc-9690-d192261d3c7a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e9bc44cf548a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments