MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9d2fc84653ded9e3b6a95d30ac8c86cd7dae65319238c9810277bee34c4d5d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9d2fc84653ded9e3b6a95d30ac8c86cd7dae65319238c9810277bee34c4d5d6
SHA3-384 hash: 2d411e46bf92fa5edd9c8f84a87ba5bb05bac3e7c8ee0a65c60985b9782390f71b805c7ac80175cb383781744b1c46ab
SHA1 hash: b68969d2e7b034d401fd5f41925957494fbeb069
MD5 hash: 980ad224affecc07a99bb27a5c12920f
humanhash: item-kilo-music-fruit
File name:SecuriteInfo.com.Win32.PWSX-gen.25896.31134
Download: download sample
File size:1'549'464 bytes
First seen:2022-11-30 14:30:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 65e2071a6dbd1bcc77513fd1371485e4 (3 x LgoogLoader, 1 x SystemBC)
ssdeep 24576:OfAW8lIzg9X3qiO0SnEye/U/UwagpCoNc415paUp45IWDPIdELpksWb+sIaFErhc:OgIzQqiAEyHUiDXu5INAWnZx
Threatray 209 similar samples on MalwareBazaar
TLSH T12175E084E9C047A0FC9F1EF9C73DB318553DAA60AB15C8E3A6E07A825FD8031F969355
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0cccc4569aad4f0 (1 x LgoogLoader)
Reporter SecuriteInfoCom
Tags:exe signed

Code Signing Certificate

Organisation:mamba.net
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-09T13:15:06Z
Valid to:2023-01-07T13:15:05Z
Serial number: 031d4a436b6f82fd6e30a68de3ef8fcb7ff4
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 5a1a87dc9952097cdff925972177336fbcaa2b675e8d255f35e9d3b72efe81c9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.25896.31134
Verdict:
Suspicious activity
Analysis date:
2022-11-30 14:33:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb91d47b-4906-4da0-8d5c-a0f6eafa0fc4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/340150/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25896.31134.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Detecting VM
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63876927559d07a06f48caaa/reports/3da0cdbd-67c2-44d3-b1f5-86b52636033a/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Khalesi
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc5f743a-c3e1-4084-9166-b14b7e7e668c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1124055
Signature
Allocates memory in foreign processes
Checks if the current machine is a virtual machine (disk enumeration)
Found evasive API chain (may stop execution after checking mutex)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 756779 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 30/11/2022 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AntiVM3 2->36 38 Machine Learning detection for sample 2->38 40 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->40 8 SecuriteInfo.com.Win32.PWSX-gen.25896.31134.exe 13 2->8         started        process3 dnsIp4 28 loopplanet.com 67.227.214.170, 443, 49702 LIQUIDWEBUS United States 8->28 30 x8tpofhefgpkzv017a.tck2rcht 8->30 56 Found evasive API chain (may stop execution after checking mutex) 8->56 58 Writes to foreign memory regions 8->58 60 Allocates memory in foreign processes 8->60 62 Injects a PE file into a foreign processes 8->62 12 ngentask.exe 1 8->12         started        signatures5 process6 dnsIp7 32 abnpmgnt.com 77.91.74.76, 49703, 49704, 49705 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 12->32 24 C:\Users\user\AppData\...\nsis_uns1fe82eb.dll, PE32+ 12->24 dropped 64 Query firmware table information (likely to detect VMs) 12->64 66 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 12->66 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->68 70 4 other signatures 12->70 17 rundll32.exe 12 12->17         started        file8 signatures9 process10 dnsIp11 26 abnpmgnt.com 17->26 42 System process connects to network (likely due to code injection or exploit) 17->42 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->44 46 Tries to steal Mail credentials (via file / registry access) 17->46 48 2 other signatures 17->48 21 WerFault.exe 17->21         started        signatures12 process13 signatures14 50 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 21->50 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->52 54 Queries memory information (via WMI often done to detect virtual machines) 21->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9d2fc84653ded9e3b6a95d30ac8c86cd7dae65319238c9810277bee34c4d5d6/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-30 05:46:42 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5hjpzbdfhxwz4o3ksxjqvsgintl5vzstderyzgaqe5564nge2xla._file
Verdict:
malicious
Similar samples:
12994830e14070b3af49df398138e277adfd261693b829032ed745873f334782
2c3310a45db53d2bc092521b417c9434c919dce00876b386e39a5b7cffa3c58f
2c989418ee6df1ae08f2332ca25edc3c7ace2aa9f8ef710b80857c500b4f4c01
3c645242b178e6248f189ace55b2c3c0af905b5f35a0cc7d03600dd148ae915a
3e45e89d63f4a3f2091d7b1f5b2c331779c735cc45581b3f0d6f293e45fc45f1
44212fc0e7338e59097d84235ef677051327e3486960b2801099ab57f51de83a
44593f2948e2800c83e9d21abb9759e206ea94385ee5c0ddc9dc6a3e4d09273d
44cb5f67a1313320c87d07074faf1c5d98fb8e7731293558b03a834d4aac6511
45aa8efb6b1a9a0e0091040bb99a7c37d346aaf306fa4e31e9d5d9f0fef56676
94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900
+ 199 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221130-rvpzxaca7z/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a7ad96aa-b9e2-49c9-b8e8-3c7604c1ccd9
Unpacked files
SH256 hash:
1a93a1ddfd74dcdc29f44bef640da930ff498d93f8b78014e43615c28ac5f2d2
MD5 hash:
1f1c4e6cf763568dafae00628abcecfc
SHA1 hash:
e24b27db7626714eeb486baadeba9669f80920b5
Link:
https://www.unpac.me/results/a61906b5-0318-4a3e-b40f-f7e5af06c025/
SH256 hash:
e9d2fc84653ded9e3b6a95d30ac8c86cd7dae65319238c9810277bee34c4d5d6
MD5 hash:
980ad224affecc07a99bb27a5c12920f
SHA1 hash:
b68969d2e7b034d401fd5f41925957494fbeb069
Link:
https://www.unpac.me/results/a61906b5-0318-4a3e-b40f-f7e5af06c025/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e9d2fc84653d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
Link:
https://yomi.yoroi.company/submissions/e9d2fc84653ded9e3b6a95d30ac8c86cd7dae65319238c9810277bee34c4d5d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/340150/

Comments