MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee4c7bdf3abd06150a2c2e6fe94bd41dc4157241c2a9cd4b6b0eb1842c70ee0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VectorStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee4c7bdf3abd06150a2c2e6fe94bd41dc4157241c2a9cd4b6b0eb1842c70ee0b
SHA3-384 hash: 11b1fd3c27ece18b99a0ebe86ba130d2aa2f8f535ddf9c9ae221882b13b431e1c2f21f9fdda6b5f8838f14b6067f18bd
SHA1 hash: 3a57b35d4e05a68bcc66358974755c47c427cb30
MD5 hash: af3504a8c3832ead7682686b8c0c602c
humanhash: montana-aspen-avocado-utah
File name:bbx0BqhoWryhUrV.exe
Download: download sample
Signature VectorStealer
Create hunting rule
File size:3'155'968 bytes
First seen:2022-10-20 05:56:57 UTC
Last seen:2022-10-20 07:25:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:V0fWUgzTHIy72PiEVfUXb3nvf4giqp7aL4fTEOcF1LSMyZFdj:V0frgzToywiExULnGZL4rEOoy5
Threatray 2'120 similar samples on MalwareBazaar
TLSH T109E5F1F626D4161BE42972B58193E5F322FB6E116051E1CB58C31FAFBC802BBA51734B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1031ccc4ccccaa10 (14 x Loki, 12 x SnakeKeylogger, 11 x Formbook)
Reporter 0xToxin
Tags:exe VectorStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bbx0BqhoWryhUrV.exe
Verdict:
Malicious activity
Analysis date:
2022-10-20 05:58:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/862830eb-8fd0-44b2-b4d5-15721261e1ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321904/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.60767.32507.12632.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6350e32f2d8b9371cb337199/reports/f0e25e53-b3ce-4179-b999-d3266416ddd9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c75f936-858e-48b4-922d-bc8363af6a9a
Result
Threat name:
Vector Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1093940
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Vector Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee4c7bdf3abd06150a2c2e6fe94bd41dc4157241c2a9cd4b6b0eb1842c70ee0b/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-10-20 00:28:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zghxxz2xudbkcrmfzx6ss6udxcbk4sbyku42s3lb2yyildq5yfq._file
Verdict:
malicious
Similar samples:
2fcc629586efc9cb1a3f5773f8b2908743e3c7aa76f0597871b6ea8e0cfab9c3
VectorStealer
403482dd22ddee05c4675772c8692ff5ba9b18eacac6755187bd22d42db9d4c3
VectorStealer
49139beffbec5c8b7f4f11e82112e0972f60de6b7064456b1cec936d5dd20cec
VectorStealer
54a2bf7657956c3c3aabf32f1961f4c3d69732d49cf57981f9a20949ebb22c08
VectorStealer
9f94bfaf7433e3b0142b5a57965199ec01c4e69b1c5598642d165138ebf742f3
VectorStealer
a9a61d46548276ace7d943faa87221d5a9d25147a2419b80833b8e673185f3d7
VectorStealer
b7899c0b3cb13fdc7531fa445e82d4f4a86d0691951b48bb55c529bab90b1719
VectorStealer
ee6a61f1176307566990e3ac0eacef9a696929e2f1246abf9706300294cdde61
VectorStealer
+ 2'110 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/221020-gnkrhagehl/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/98344055-b4ee-4939-9ee2-c3109209b0bf
Unpacked files
SH256 hash:
b467eedeea64f41e0a9fa3b2ccbbcff67aa2d8839db22440c3bb8839f692eb30
MD5 hash:
893f20d4a77b6553be55b0b1fe8a6e27
SHA1 hash:
f02471072e17d8dcb06d58e862683ad4b3ff0769
Link:
https://www.unpac.me/results/bb5c7426-8e90-4a40-9324-a702c4d5e031/
SH256 hash:
5a498deb61e9ce49569bb39a85b01b13116e5dc680a0d393d166cf370992465d
MD5 hash:
805b7bde21ed0c137ba4ffc9790db2aa
SHA1 hash:
9140c7b12397712b57413c15e968e0e5aeafe1bb
Link:
https://www.unpac.me/results/bb5c7426-8e90-4a40-9324-a702c4d5e031/
SH256 hash:
b76dac41d0c7de5baddf326dde275ce3603eb3bdd8aeabbd034d57df6059c4ef
MD5 hash:
d5a193dd38b47096316e37ffe4be68e0
SHA1 hash:
67b485a034bcbecb1073a2a100b9ce9d23b221aa
Link:
https://www.unpac.me/results/bb5c7426-8e90-4a40-9324-a702c4d5e031/
SH256 hash:
678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5
MD5 hash:
2da433d67db4775d8f02a8fed4b31bf3
SHA1 hash:
235fe8f2076f3b5cfffacc574825550cee8e61e9
Link:
https://www.unpac.me/results/bb5c7426-8e90-4a40-9324-a702c4d5e031/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/bb5c7426-8e90-4a40-9324-a702c4d5e031/
SH256 hash:
ee4c7bdf3abd06150a2c2e6fe94bd41dc4157241c2a9cd4b6b0eb1842c70ee0b
MD5 hash:
af3504a8c3832ead7682686b8c0c602c
SHA1 hash:
3a57b35d4e05a68bcc66358974755c47c427cb30
Link:
https://www.unpac.me/results/bb5c7426-8e90-4a40-9324-a702c4d5e031/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee4c7bdf3abd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/ee4c7bdf3abd06150a2c2e6fe94bd41dc4157241c2a9cd4b6b0eb1842c70ee0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VectorStealer

Executable exe ee4c7bdf3abd06150a2c2e6fe94bd41dc4157241c2a9cd4b6b0eb1842c70ee0b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321904/

Comments