MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef1a6de96a75c8541e856d1811cd41e19ec65ff98d7eca00daf73615ae6c790c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef1a6de96a75c8541e856d1811cd41e19ec65ff98d7eca00daf73615ae6c790c
SHA3-384 hash: 6709e881436e7841c5cab254f588dd922158072aa8e25d47cee23bdb07549f9d60e3e399159c1a408547ce75a2e71bcc
SHA1 hash: d70ecc79996ce88fdb1dea83a012c586f2e8bc9a
MD5 hash: 90e040ad0bc66ef17d109d03218040d6
humanhash: west-montana-sink-river
File name:90e040ad0bc66ef17d109d03218040d6
Download: download sample
File size:1'407'488 bytes
First seen:2021-12-04 00:19:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f875630aadecfb0f9b32d3379416fdf
ssdeep 24576:QH+9mwfaxNwTnfWKZrAZ/LD47RHQ9WFqc804cYq4IVJt:QH+9mBLwbfWirA5LsQ9W402YVJ
Threatray 185 similar samples on MalwareBazaar
TLSH T1C1557E0AA3A901ECD0ABD278CA52960BD7B1780503709BDF17D95B562F23FE15E7E720
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-12-03 10:36:39 UTC
Tags:
evasion trojan loader opendir rat redline stealer vidar
Link:
https://app.any.run/tasks/920aaea8-5a9a-46f4-88ad-f5ee42204f90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211156/
Detection(s):
Win.Malware.Spyagent-9830839-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Reading critical registry keys
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint greyware
Link:
https://www.filescan.io/uploads/61aab43a4d8e6f3a5e0e5608/reports/92aedcd0-cb64-46f4-b4fe-c1e909d26b74/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d25dad65-cfa4-4b9a-90fb-fd4696a07304
Result
Threat name:
Backstage Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/901223
Signature
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef1a6de96a75c8541e856d1811cd41e19ec65ff98d7eca00daf73615ae6c790c/
Threat name:
Win64.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 13:40:05 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
26 of 45 (57.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0d054d4b3068ea7f877963a9be8a71581cb0396a309f65e0a95a45ac1e758d62
21aba879ca90e3d4b3b58f61316b6b42c97d31f62dea2a0992460eece4bc0566
2324a8b31b75b3f2667591acd0d45a013e8b457c27c402cd377fe58914f9c7aa
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
4cd754af5d3b9faa7e9626f79fccc35464224247a10f4d01ef502a0423e637a7
59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280
8a9d5d586ceb774620efaaa7e7b548f093e08d7cac416ab638048827b88d2340
8b29e9ccade9fe2c7b10904abb38519cd22b896df00aa7e8798c32e2d37a2205
c03c8a4852301c1c54ed27ef130d0de4cdfb98584adef3dda2a096177016a18b
+ 175 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/211204-amsmdshfar/
Behaviour
Looks up external IP address via web service
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
ef1a6de96a75c8541e856d1811cd41e19ec65ff98d7eca00daf73615ae6c790c
MD5 hash:
90e040ad0bc66ef17d109d03218040d6
SHA1 hash:
d70ecc79996ce88fdb1dea83a012c586f2e8bc9a
Link:
https://www.unpac.me/results/9bce94b8-ac5c-486e-9b91-7dd0e89df339/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef1a6de96a75c8541e856d1811cd41e19ec65ff98d7eca00daf73615ae6c790c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ef1a6de96a75c8541e856d1811cd41e19ec65ff98d7eca00daf73615ae6c790c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211156/
  
URLhaus
https://urlhaus.abuse.ch/url/1849993/

Comments


Avatar
zbet commented on 2021-12-04 00:19:56 UTC

url : hxxp://tg8.cllgxx.com/sr21/siww1047.exe