MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb79eca8cfe119f44e673c28f731ea3e31c196b872c4755e643d6ed67d157ec0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb79eca8cfe119f44e673c28f731ea3e31c196b872c4755e643d6ed67d157ec0
SHA3-384 hash: 38febeaaef9a090e3d4a6ea6849c52ececade856441fe011774ea499bc9f7fa5653cc3bde487149e156c535f81262d4f
SHA1 hash: 4ec80034f42c077be82a0bf31bfe5b73f6ce281c
MD5 hash: fb70cec4b4450ef2ab595994eb5e2cb8
humanhash: beryllium-dakota-fifteen-earth
File name:ImageGrabber.exe
Download: download sample
File size:6'557'421 bytes
First seen:2021-10-21 23:16:34 UTC
Last seen:2021-10-22 00:08:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2cdcfb3a828433ba76b5b41f45519bd9 (2 x ROKRAT, 1 x IcedID)
ssdeep 196608:pMZdShWAAd8qCRASRD/rWInNvJsUN8mM2mJWR:5hBNWInHN8mM+
Threatray 54 similar samples on MalwareBazaar
TLSH T1E36633997AA50CD5D47B023289608432F1F67C210360C65F57B83B2BBFB35917D3AB6A
File icon (PE):PE icon
dhash icon 00b0b27268f0b2cc
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
PyInstaller
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199207/
Detection(s):
SecuriteInfo.com.PyInstaller.8815.26333.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6171f4efa9d585e6d532fc0b/reports/c9d27375-df0b-4841-9708-e67a5df2657c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GetYourFilesBack Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c368fe38-479c-48a9-9404-49eb1b24af75
Result
Threat name:
Discord Token Grabber
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/874918
Signature
Contains functionality to infect the boot sector
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Yara detected Discord Token Grabber
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507346 Sample: ImageGrabber.exe Startdate: 22/10/2021 Architecture: WINDOWS Score: 72 31 Multi AV Scanner detection for submitted file 2->31 33 Yara detected Discord Token Grabber 2->33 35 Initial sample is a PE file and has a suspicious name 2->35 8 ImageGrabber.exe 18 2->8         started        process3 file4 23 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 8->23 dropped 25 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 8->25 dropped 27 C:\Users\user\AppData\Local\...\python36.dll, PE32+ 8->27 dropped 29 11 other files (none is malicious) 8->29 dropped 37 Contains functionality to infect the boot sector 8->37 12 ImageGrabber.exe 1 8->12         started        15 conhost.exe 8->15         started        signatures5 process6 signatures7 39 Modifies the context of a thread in another process (thread injection) 12->39 41 Hides threads from debuggers 12->41 17 cmd.exe 1 12->17         started        19 cmd.exe 1 12->19         started        process8 process9 21 mode.com 1 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb79eca8cfe119f44e673c28f731ea3e31c196b872c4755e643d6ed67d157ec0/
Threat name:
Win64.Infostealer.Disco
Create hunting rule
Status:
Malicious
First seen:
2021-10-17 12:09:25 UTC
AV detection:
4 of 45 (8.89%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
053e7603d2776f39c17d74cd5a095d2fa4727ce019cb91274c135be4b9732358
4eda894346c802158cadd4483697103468467fffea120f578f8456981bc42fbc
622fb838298b78969dfbe0d1ff0c2fcea071b77e9a30332805a532683a039570
6239fb903c570cff86d4a21391c9a012dd27016243cc5ba67b3c93828a8badd4
8d11da2582a4e82ff7ca02288211613a1f7326b7426eb245138a1160e3dddfb4
8f8efcd4031721a458abbf5a0e164eb9d318fe8f5a16c5d1a174e13125128539
a11e597e813bde2241d999f3c2aa8fdecc7f1131507e4aa5fba6ba82dbd75459
b371f1cb76629e00e4cd545187ea722a7e5e98ac10ef5ff35495499136ed28cd
e8f57a83f154fb0c67f6064d3dc6914ad4278e5f79d054ec66c3b8383aeb5b5e
ed3588a0ea55834f7964684d9b97f05a70aea91fbc9eb4f1c5d0a1248acc7fbf
+ 44 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/211021-29pb2aahd8/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Unpacked files
SH256 hash:
eb79eca8cfe119f44e673c28f731ea3e31c196b872c4755e643d6ed67d157ec0
MD5 hash:
fb70cec4b4450ef2ab595994eb5e2cb8
SHA1 hash:
4ec80034f42c077be82a0bf31bfe5b73f6ce281c
Link:
https://www.unpac.me/results/91649acf-d1a8-4f4c-9077-7c220d9e9f1b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb79eca8cfe119f44e673c28f731ea3e31c196b872c4755e643d6ed67d157ec0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe eb79eca8cfe119f44e673c28f731ea3e31c196b872c4755e643d6ed67d157ec0

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/199207/

Comments