MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef99b50ff04775515690718cf8e37ab4ef0c2ffebac4394b0cb7e8dc9e959175. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef99b50ff04775515690718cf8e37ab4ef0c2ffebac4394b0cb7e8dc9e959175
SHA3-384 hash: 91deca55db6895dcb944cff0af5f04ed1b6879106a3bafd52f6f649e3ed69425a3aac45ca2a319a53442bd0544d37043
SHA1 hash: 563a4a2a38a74859108f4b2e8adefd998214dab2
MD5 hash: 1fad42aeb237cb7c66f57a03a9689c0e
humanhash: hotel-video-emma-hydrogen
File name:1fad42aeb237cb7c66f57a03a9689c0e
Download: download sample
File size:609'280 bytes
First seen:2023-03-13 05:01:04 UTC
Last seen:2023-03-13 07:33:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:sx/vuq8v/Ak3vlmUGC7R6f7dMWmpQd9m7VofaOagv4ftt+xYM0MfuExUuaWHN9n+:sSv3TD7R6fRfmpQd9m6OhVt+OMfuEmaC
Threatray 2'341 similar samples on MalwareBazaar
TLSH T181D4236D13EC0539D39ECD7E0289CA4226E07284B56B85AF9DE73718ECA3C452DE4B47
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2023-03-11 16:29:43 UTC
Tags:
loader smoke trojan amadey rat redline stealer blackguard
Link:
https://app.any.run/tasks/8de7588d-5e6a-46c0-82be-fec0f7991935

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373851/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.67531.5733.29504.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Reading critical registry keys
Creating a file
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/640eae4bd120e535218ea7fe/reports/eca4a04b-4d02-49a5-9cf1-b7edce38db1a/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/ef99b50ff04775515690718cf8e37ab4ef0c2ffebac4394b0cb7e8dc9e959175
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/83a654b5-abc6-4bee-94b9-35563a970406
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192207
Signature
Antivirus / Scanner detection for submitted sample
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 825083 Sample: Lu4tTvHBn7.exe Startdate: 13/03/2023 Architecture: WINDOWS Score: 100 41 Antivirus / Scanner detection for submitted sample 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Machine Learning detection for sample 2->45 47 3 other signatures 2->47 8 Lu4tTvHBn7.exe 14 10 2->8         started        process3 dnsIp4 35 transfer.sh 144.76.136.153, 443, 49684 HETZNER-ASDE Germany 8->35 37 198.105.127.58, 49683, 81 ASDETUKhttpwwwheficedcomGB European Union 8->37 39 168.98.4.0.in-addr.arpa 8->39 31 C:\Users\user\AppData\Local\...\Ltrqpvxh..exe, PE32 8->31 dropped 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 8->49 51 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->51 53 Tries to steal Mail credentials (via file / registry access) 8->53 55 2 other signatures 8->55 13 Ltrqpvxh..exe 1 6 8->13         started        file5 signatures6 process7 file8 33 C:\Users\user\AppData\Roaming\...\Vkxxjqy.exe, PE32 13->33 dropped 57 Creates an undocumented autostart registry key 13->57 59 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->59 61 Encrypted powershell cmdline option found 13->61 63 Injects a PE file into a foreign processes 13->63 17 Ltrqpvxh..exe 13->17         started        19 powershell.exe 16 13->19         started        21 Ltrqpvxh..exe 13->21         started        23 Ltrqpvxh..exe 13->23         started        signatures9 process10 process11 25 explorer.exe 2 125 17->25         started        27 Ltrqpvxh..exe 17->27         started        29 conhost.exe 19->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef99b50ff04775515690718cf8e37ab4ef0c2ffebac4394b0cb7e8dc9e959175/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-03-11 18:26:23 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=56m3kd7qi52vcvuqoggpry32wtxqyl76xlcdssymw7unzhuvsf2q._file
Verdict:
malicious
Similar samples:
0ab6fc39f65f1c1d2196dcaa8ded12df941a3051c523d902f4e6458bd40a9e7a
3d5194f12c6b21b79d636f65e29f308aad0bfdd1cd7e00c54cb8488b1867ff9f
5cfe7a77271ab8187988cdd1a9259c16cb636dcf6c63aceb977f62aa570ab419
600a67fd5cd4296edff5d830aa6ada02a9a7d328f74e1cdfd3c0d15642c2bc0e
841c1860b52b3817eed70e4d1f1bca972f0406e666bd8d034735fe70cc713831
9d668aa6479e36725aa0803a16cde42939599516b9d58e40fc98b2b03d2e74ea
b12ed3f10bbc4e4ade3f53856b19c7ab878eb023389a8b6c4c3c495a0ea97f86
c4cbf62a71ead3837c2f1e83256e5e2d4e5b135c13c5e2fbf116dcfd6a4be53a
+ 2'331 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230313-fn4zpsaf7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
ef99b50ff04775515690718cf8e37ab4ef0c2ffebac4394b0cb7e8dc9e959175
MD5 hash:
1fad42aeb237cb7c66f57a03a9689c0e
SHA1 hash:
563a4a2a38a74859108f4b2e8adefd998214dab2
Link:
https://www.unpac.me/results/b3e5b24c-5a04-46e0-8d11-72a69df766f1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef99b50ff047/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ef99b50ff04775515690718cf8e37ab4ef0c2ffebac4394b0cb7e8dc9e959175

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ef99b50ff04775515690718cf8e37ab4ef0c2ffebac4394b0cb7e8dc9e959175

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2568197/
Cape
Cape
https://www.capesandbox.com/analysis/373851/

Comments


Avatar
zbet commented on 2023-03-13 05:01:08 UTC

url : hxxp://62.204.41.88/lend/purelog1.exe