MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VectorStealer


Vendor detections: 12

SHA256 hash: edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275
SHA3-384 hash: 74b73aacd95a0fa1ed18ef48df1eb610fe6260002c6f99b7788943fd1ed5c21c4b01ed457ac36ed39aa8d9cb0521597d
SHA1 hash: 0c8c616bbdf2b7996358142af6a6ba886fc2b2a9
MD5 hash: 13348cb1966e434e5cb63b82e42291b7
humanhash: william-robert-leopard-batman
File name: toba22bbc.exe
Signature: VectorStealer
File size: 1'000'960 bytes
First seen: 2023-04-20 12:26:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:8FUrdbfahvepYoeyAmzhocZn+M+WGDBGkV:8Yb1bPhoCnD+WGIkV
Threatray 17 similar samples on MalwareBazaar
TLSH T1092512387B4C9F96C0BE463AA2D151B54770C4675B8FD71FEC8918F819833ABC29A607
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter FXOLabs
Tags: exe VectorStealer
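The imphash line above is worth reading correctly: the same value is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples because a pure .NET executable carries a single native import, the CLR entry stub mscoree.dll!_CorExeMain, and the managed code that makes it VectorStealer never appears in the PE import table. The following Python is an added example, not code from MalwareBazaar or pefile, that re-implements the imphash algorithm over import lists given as "library!function" strings so it runs offline; the normalization rules (lowercase, strip .dll/.ocx/.sys, "ordN" for unnamed imports, comma-joined in table order, MD5) are my reading of how pefile computes get_imphash() and are stated as an assumption. The native import tables NATIVE_A and NATIVE_B are constructed for comparison and are not from this sample.

```python
import hashlib

# Added example: imphash as pefile computes it (assumption: lowercase library and
# function names, strip the .dll/.ocx/.sys extension, unnamed imports become
# "ordN" unless pefile's ordinal lookup table knows the name, entries are joined
# with "," in import-table order and MD5'd). Imports here are "library!function"
# strings so the block runs without a PE file.

_STRIP_EXT = (".dll", ".ocx", ".sys")


def normalize_import(entry: str) -> str:
    """'MSCOREE.DLL!_CorExeMain' -> 'mscoree._corexemain'; 'foo.dll!#7' -> 'foo.ord7'."""
    lib, sep, func = entry.partition("!")
    if not sep or not func:
        raise ValueError(f"expected 'library!function', got {entry!r}")
    lib = lib.lower()
    for ext in _STRIP_EXT:
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    func = func.lower()
    if func.startswith("#"):  # import by ordinal; pefile would first try its name table
        func = "ord" + func[1:]
    return f"{lib}.{func}"


def imphash(imports: list[str]) -> str:
    """MD5 over the comma-joined, normalized import list; order is significant."""
    joined = ",".join(normalize_import(i) for i in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# The only native import a pure .NET executable has: the CLR bootstrap stub.
# The managed payload never shows up here, so every such sample hashes alike.
DOTNET_STUB = ["mscoree.dll!_CorExeMain"]

# Constructed native import tables (not from the page's sample) for comparison.
NATIVE_A = ["KERNEL32.dll!CreateFileW", "KERNEL32.dll!WriteFile", "ADVAPI32.dll!RegSetValueExW"]
NATIVE_B = ["ADVAPI32.dll!RegSetValueExW", "KERNEL32.dll!CreateFileW", "KERNEL32.dll!WriteFile"]


def imphash_is_discriminating(imports: list[str]) -> bool:
    """False when the import table is just the .NET stub, i.e. the hash carries no family signal."""
    return [normalize_import(i) for i in imports] != [normalize_import(i) for i in DOTNET_STUB]


if __name__ == "__main__":
    print("dotnet stub :", imphash(DOTNET_STUB))  # compare with the page's imphash
    print("native A    :", imphash(NATIVE_A))
    print("native B    :", imphash(NATIVE_B))     # same imports, different order
    print("worth clustering on?", imphash_is_discriminating(DOTNET_STUB))
```

When triaging .NET samples, treat a matching imphash as "this is a .NET executable" and nothing more; the similarity hashes that do carry signal for this family are the ssdeep, TLSH and Threatray entries listed with the sample.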

Intelligence


File Origin
# of uploads :
1
# of downloads :
278
Origin country :
BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
toba22bbc.exe
Verdict:
Malicious activity
Analysis date:
2023-04-20 12:27:28 UTC
Tags:
stealer evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Running batch commands
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a process from a recently created file
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
VectorStealer
Verdict:
Malicious
Result
Threat name:
Vector Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Yara detected Vector Stealer
Behaviour
Behavior Graph ID: 850950
Sample: toba22bbc.exe
Start date: 20/04/2023
Architecture: WINDOWS
Score: 100
Signatures at start: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Vector Stealer; 8 other signatures
Resolved domains and contacted IPs:
discord.com (162.159.128.233:443, CLOUDFLARENETUS, United States)
premium251.web-hosting.com (67.223.118.32, VIMRO-AS15189US, United States)
ipinfo.io (34.117.59.81:443, GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG, United States)
162.159.135.232:443 (CLOUDFLARENETUS, United States)
Process tree (as drawn in the graph):
toba22bbc.exe (Injects a PE file into a foreign processes; drops C:\Users\user\AppData\...\toba22bbc.exe.log, ASCII)
  toba22bbc.exe (injected child; connects to discord.com, premium251.web-hosting.com and ipinfo.io)
  cmd.exe (Uses schtasks.exe or at.exe to add and modify task schedules; Drops PE files with benign system names) with conhost.exe
  cmd.exe (drops C:\Users\user\AppData\Roaming\...\svchost.exe, PE32, and C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII) with conhost.exe
  2 other processes
svchost.exe (dropped copy; System process connects to network; Multi AV Scanner detection for dropped file; May check the online IP address of the machine)
  svchost.exe (Injects a PE file into a foreign processes)
    svchost.exe (injected; connects to discord.com, premium251.web-hosting.com and ipinfo.io; Tries to harvest and steal Putty / WinSCP information, Mail credentials and browser information)
    cmd.exe with conhost.exe and schtasks.exe
    cmd.exe with conhost.exe
    cmd.exe with conhost.exe
  svchost.exe (connects to 162.159.135.232:443; System process connects to network; Tries to harvest and steal Putty / WinSCP information and Mail credentials)
  cmd.exe (2 other processes)
  2 other processes
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2023-04-19 20:31:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection spyware stealer
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SHA256 hash:
bc70785def0afa8d23720fb4078be9284e15a9e1ce3f779a66d4b732844ee2d4
MD5 hash:
f3ec8d7c3ad1aefe2adea56523030044
SHA1 hash:
54df319971fa09554df431749d8d11a3614a0bfb
SHA256 hash:
d74dbff4cfb3251af61e1078f47d5548a0463475f988763ec346ae2a2941c630
MD5 hash:
5627ba069d4234dd099e60214c3f1dc3
SHA1 hash:
265fbf5d0b7dad3698e72d0a72b05b0d3987c10b
SHA256 hash:
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275
MD5 hash:
13348cb1966e434e5cb63b82e42291b7
SHA1 hash:
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BAZT_B5_NOCEXInvalidStream
Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly
Rule name: NETDIC208_NOCEX_NOREACTOR
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link

Comments