MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee835f420a3c30232007a44df153e8b3318faadb70b1f126c70149f5ec191b5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	ee835f420a3c30232007a44df153e8b3318faadb70b1f126c70149f5ec191b5f
SHA3-384 hash:	d3bd19c810a28e3a0aabd3d83ccdf3a46576b25486b04841713f6df315b5d90d91d4375599afef4522edd3ecbfa75627
SHA1 hash:	54262cf1ab28a47557c9849ebd23d10a5ac56181
MD5 hash:	c26d10bb3f1f2471829499da20f35c64
humanhash:	golf-earth-tango-snake
File name:	c26d10bb3f1f2471829499da20f35c64.exe
Download:	download sample
File size:	305'152 bytes
First seen:	2023-10-16 08:14:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	89b4938a013d6b8954f68c2ef1293c62 (10 x RedLineStealer, 4 x Amadey, 4 x LummaStealer)
ssdeep	6144:GJsICnU9Q8syOBk5+yURBPqGNDUc1xsefFhlUmPoJ:CsICnVk5+17PqXc1xhfFhxPoJ
Threatray	348 similar samples on MalwareBazaar
TLSH	T17154CF0AB5C19632C4AD45F447F0BAA893AFF9314A32BA7F73A899FE5D160C15D9301C
TrID	39.5% (.EXE) InstallShield setup (43053/19/16) 28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.6% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c26d10bb3f1f2471829499da20f35c64.exe

Verdict:

Malicious activity

Analysis date:

2023-10-16 08:20:50 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/caa47b3a-5c3e-4da1-8454-4319f7eaffc5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/454748/

Detection(s):

Win.Trojan.Pwsx-10011270-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/652cf10c28455aedec11d782/reports/dcb080d9-3463-41e5-a39c-1a76acc45a9f/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ee835f420a3c30232007a44df153e8b3318faadb70b1f126c70149f5ec191b5f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d8df998d-d2ad-4480-bd77-7c581b242f6d

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1326285

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Found API chain indicative of debugger detection

High number of junk calls founds (likely related to sandbox DOS / API hammering)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ee835f420a3c30232007a44df153e8b3318faadb70b1f126c70149f5ec191b5f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ee835f420a3c30232007a44df153e8b3318faadb70b1f126c70149f5ec191b5f/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-10-15 06:28:43 UTC

File Type:

PE (Exe)

AV detection:

23 of 38 (60.53%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=52bv6qqkhqycgiahurg7cu7iwmyy7kw3ocy7cjwhafe7l3azdnpq._file

Verdict:

malicious

347f0e9c3b75ed07fe583c1977aee33329700ab45f88d514f77672575a6162e7

43f0a52ef8cb607408de462ccb9bb10f8e94df9aeefea05f84276eba99bc216d

5ccd3fc1613c48f85aad3fb1946ec858d17e42021e77a1cd681406b6b6b0b557

6fbe5dbf861f1d8462e335e010d3a5cb165234f7b6f675cc0a5a54c763535848

715fc5bc735ea20bc439af30c2fa0072ac9f900b747c3911abf953db81ca09ff

7ee31d9861f8144887ba4516b71831a3991858a6815faa8fd2b643b0265e5c38

cdd2732dab9b93cef835ca681538205972a178fec406812be33889a4aa28b4d4

cfbd24a3ff45eb3d630bbe3fa9d8db4fc6c4e78da702a3e5f1aec08973b60c2a

da77f764acbaab6b9eb2bd7db1a8c3e6ccc6b73d5c12e2c239c5fd6cb78a04c4

+ 338 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/231016-j5ktyacg5x/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

c359cad2d4b0cb214d0e84d78cc648637cb3f09e3ac774b97d1b50175752706e

MD5 hash:

2da2d4908005e48f676c9b1310aca54c

SHA1 hash:

964698d411f778c036fe13913e915d641b2908e8

Link:

https://www.unpac.me/results/23fa00a8-ea79-438b-8995-ccbe68839967/

SH256 hash:

ee835f420a3c30232007a44df153e8b3318faadb70b1f126c70149f5ec191b5f

MD5 hash:

c26d10bb3f1f2471829499da20f35c64

SHA1 hash:

54262cf1ab28a47557c9849ebd23d10a5ac56181

Link:

https://www.unpac.me/results/23fa00a8-ea79-438b-8995-ccbe68839967/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ee835f420a3c30232007a44df153e8b3318faadb70b1f126c70149f5ec191b5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe ee835f420a3c30232007a44df153e8b3318faadb70b1f126c70149f5ec191b5f

(this sample)

Cape

https://www.capesandbox.com/analysis/454748/

URLhaus

https://urlhaus.abuse.ch/url/2719349/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample