MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eae52236c435290e8bd36a3ce2cab5299b9ec04566b0ceb4521bc174b519aab7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Sliver


Vendor detections: 15


Intelligence 15 IOCs YARA 27 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eae52236c435290e8bd36a3ce2cab5299b9ec04566b0ceb4521bc174b519aab7
SHA3-384 hash: 08c369380790f58bdf8b4b85f11bbf1b83288e9394ce74236daf45d0e9848a891c10dd90bed2acf618fc18c2cc7e2b35
SHA1 hash: 2955db386e5cf0dc05d5573c13e79a6a292725d8
MD5 hash: fa3102d579b1b05b124c915605cdb7d8
humanhash: sodium-robert-connecticut-fourteen
File name:fa3102d579b1b05b124c915605cdb7d8.exe
Download: download sample
Signature Sliver
Create hunting rule
File size:5'129'728 bytes
First seen:2024-12-27 07:39:33 UTC
Last seen:2025-03-05 08:20:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2d457ad8ac36fc9f18d45bffcd450c2 (23 x CobaltStrike, 8 x Sliver, 5 x Lazarus)
ssdeep 49152:BXAEpSOZBHozGr4I/o6BsxPPR03X7/3OT9R1Rc7i5ELHISofNycKJrrOMFt:zPIihwqOeXLOhRDELHOVRQrrOe
TLSH T1E6363A57ED9145E9C0EED2318A629253BA717C485F3123E72B90F7382F76BD0AA79304
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:185-215-113-209 exe sliver

Intelligence

File Origin
# of uploads :
2
# of downloads :
407
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
284af7a36d9455e68802400e9aea770501468f873a42ea49c2485cbcae75fec1.exe
Verdict:
Malicious activity
Analysis date:
2024-12-26 15:23:23 UTC
Tags:
amadey botnet stealer loader themida stealc evasion arch-exec lumma autoit gcleaner golang remote chaosrat alfac2 websocket github cryptbot rat remcos telegram auto coinminer arch-doc pastebin credentialflusher asyncrat
Link:
https://app.any.run/tasks/5a53ee85-ebbf-4169-aeb8-be42dde25a3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.WinGo.Agent.11037.1067.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=676e59e475bf3268d2fec3ce
Tags:
virus remo
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Moving of the original file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand golang lolbin
Link:
https://www.filescan.io/uploads/676e59dc0dd45a148a409197/reports/7fbb976a-0532-45c1-8e9c-8c72f85c35e2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/eae52236c435290e8bd36a3ce2cab5299b9ec04566b0ceb4521bc174b519aab7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Clash
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/450b79ff-6bf9-42b3-bc3b-f0d1e6527b7b
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1581254
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Attempt to bypass Chrome Application-Bound Encryption
Connects to many ports of the same IP (likely port scanning)
Found Tor onion address
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Notepad Making Network Connection
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Suspicious Process Parents
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1581254 Sample: 0A7XTINw3R.exe Startdate: 27/12/2024 Architecture: WINDOWS Score: 100 104 inet-ip.info 2->104 106 webhook.site 2->106 108 ipapi.co 2->108 134 Suricata IDS alerts for network traffic 2->134 136 Malicious sample detected (through community Yara rule) 2->136 138 Multi AV Scanner detection for submitted file 2->138 140 6 other signatures 2->140 11 0A7XTINw3R.exe 13 2->11         started        16 cmd.exe 1 2->16         started        18 cmd.exe 1 2->18         started        20 svchost.exe 1 1 2->20         started        signatures3 process4 dnsIp5 124 185.196.8.218, 49730, 49731, 56711 SIMPLECARRER2IT Switzerland 11->124 98 C:\Users\user\AppData\Local\...\winclock.exe, PE32+ 11->98 dropped 100 C:\Users\user\AppData\Local\...\malnotify.exe, PE32+ 11->100 dropped 102 C:\...\ddd06ef82d6d579523a798f429f6f5ae.bat, DOS 11->102 dropped 156 Found Tor onion address 11->156 158 Uses schtasks.exe or at.exe to add and modify task schedules 11->158 22 malnotify.exe 11->22         started        25 winclock.exe 1 11->25         started        28 schtasks.exe 1 11->28         started        38 3 other processes 11->38 30 cscript.exe 2 16->30         started        32 conhost.exe 16->32         started        34 cscript.exe 2 18->34         started        36 conhost.exe 18->36         started        file6 signatures7 process8 dnsIp9 142 Hijacks the control flow in another process 22->142 144 Found Tor onion address 22->144 146 Writes to foreign memory regions 22->146 152 4 other signatures 22->152 40 notepad.exe 22->40         started        118 webhook.site 178.63.67.153 HETZNER-ASDE Germany 25->118 120 ipapi.co 104.26.8.44 CLOUDFLARENETUS United States 25->120 122 127.0.0.1 unknown unknown 25->122 148 Attempt to bypass Chrome Application-Bound Encryption 25->148 150 Suspicious powershell command line found 25->150 43 chrome.exe 25->43         started        45 powershell.exe 11 25->45         started        47 conhost.exe 28->47         started        49 malnotify.exe 30->49         started        52 winclock.exe 34->52         started        54 conhost.exe 34->54         started        56 conhost.exe 38->56         started        58 2 other processes 38->58 signatures10 process11 dnsIp12 112 inet-ip.info 157.7.208.157 INTERQGMOInternetIncJP Japan 40->112 60 powershell.exe 11 40->60         started        62 powershell.exe 40->62         started        64 powershell.exe 40->64         started        66 powershell.exe 40->66         started        114 192.168.2.4, 443, 49730, 49731 unknown unknown 43->114 116 239.255.255.250 unknown Reserved 43->116 68 chrome.exe 43->68         started        71 conhost.exe 45->71         started        126 Hijacks the control flow in another process 49->126 128 Found Tor onion address 49->128 130 Writes to foreign memory regions 49->130 132 4 other signatures 49->132 73 notepad.exe 49->73         started        signatures13 process14 dnsIp15 76 conhost.exe 60->76         started        78 conhost.exe 62->78         started        80 conhost.exe 64->80         started        110 45.150.223.100 SPRINTLINKUS United Kingdom 68->110 154 System process connects to network (likely due to code injection or exploit) 73->154 82 powershell.exe 73->82         started        84 powershell.exe 73->84         started        86 powershell.exe 73->86         started        88 powershell.exe 73->88         started        signatures16 process17 process18 90 conhost.exe 82->90         started        92 conhost.exe 84->92         started        94 conhost.exe 86->94         started        96 conhost.exe 88->96         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eae52236c435290e8bd36a3ce2cab5299b9ec04566b0ceb4521bc174b519aab7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eae52236c435290e8bd36a3ce2cab5299b9ec04566b0ceb4521bc174b519aab7/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5lssenweguuq5c6tni6ofsvvfgnz5qcfm2ym5ncsdpaxjnizvk3q._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access discovery execution spyware stealer
Link:
https://tria.ge/reports/241227-jhl4gstkam/
Behaviour
Enumerates system info in registry
GoLang User-Agent
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Uses browser remote debugging
Verdict:
Malicious
Tags:
ip_address_lookup_website
YARA:
n/a
Link:
https://app.threat.zone/submission/ebb2dc0a-5d13-4a7c-a1ca-07d027539345
Unpacked files
SH256 hash:
eae52236c435290e8bd36a3ce2cab5299b9ec04566b0ceb4521bc174b519aab7
MD5 hash:
fa3102d579b1b05b124c915605cdb7d8
SHA1 hash:
2955db386e5cf0dc05d5573c13e79a6a292725d8
Detections:
Sliver
Create hunting rule
Link:
https://www.unpac.me/results/988c728c-9642-4880-9021-0ee2a6a4f996/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eae52236c435/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eae52236c435290e8bd36a3ce2cab5299b9ec04566b0ceb4521bc174b519aab7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Sliver

Executable exe eae52236c435290e8bd36a3ce2cab5299b9ec04566b0ceb4521bc174b519aab7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3338111/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3243486/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryW
kernel32.dll::LoadLibraryExW
kernel32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WriteConsoleW
kernel32.dll::SetConsoleCtrlHandler
kernel32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetSystemDirectoryA

Comments