MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f96156a90a64cbe2fc1e09223065f670306b4172bd548a06f20d5106292adc53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f96156a90a64cbe2fc1e09223065f670306b4172bd548a06f20d5106292adc53
SHA3-384 hash: aadc0958d9e80b45c39fbf89776cceffa451c4878e5b266c5cab69eb40417452f23c11a1b269a96cd981d88f81594d0e
SHA1 hash: fadc29f0e01a70bf2fa8da27c3ea81029f0bd4d1
MD5 hash: 9f879935bfa26dd6adf6c245ddda43d0
humanhash: cardinal-bravo-august-ceiling
File name:MariyelsTherapy.exe
Download: download sample
File size:82'879'697 bytes
First seen:2024-03-20 15:53:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:TX6LBYNOEhwytNEH6vYQxwrBZHBFdNYZvpXuyUsAI:TOuNOPytNEKRxEzFCHUsA
TLSH T1C908337A23497235F87831FD5D3D1AEFDB58E060678134F36C7F99828C47C8269688A6
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b61a63636535350d
Reporter beansoup
Tags:discord electron exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
494
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f96156a90a64cbe2fc1e09223065f670306b4172bd548a06f20d5106292adc53.exe
Verdict:
Malicious activity
Analysis date:
2024-03-20 15:56:23 UTC
Tags:
evasion generic stealer
Link:
https://app.any.run/tasks/90708eea-ba44-4809-88d4-afd0ea867788

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Searching for the window
Creating a file
Creating a file in the %AppData% subdirectories
Changing a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Launching a tool to kill processes
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65fb06a0fc3fe20efe6a6502/reports/2676cfd0-d8c6-4634-9959-1a8ff2c58ef4/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/f96156a90a64cbe2fc1e09223065f670306b4172bd548a06f20d5106292adc53
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
34 / 100
Link:
https://www.joesandbox.com/analysis/1412579
Signature
Drops large PE files
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1412579 Sample: MariyelsTherapy.exe Startdate: 20/03/2024 Architecture: WINDOWS Score: 34 67 notduvet.site 2->67 69 ipinfo.io 2->69 7 MariyelsTherapy.exe 12 196 2->7         started        11 MariyelsTherapy.exe 5 2->11         started        14 MariyelsTherapy.exe 2->14         started        process3 dnsIp4 51 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 7->51 dropped 53 C:\Users\user\AppData\Local\...\System.dll, PE32 7->53 dropped 55 C:\Users\user\AppData\Local\...\StdUtils.dll, PE32 7->55 dropped 65 14 other files (none is malicious) 7->65 dropped 77 Drops large PE files 7->77 73 ipinfo.io 34.117.186.192, 443, 49718, 49760 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 11->73 75 notduvet.site 104.21.28.247, 443, 49719, 49720 CLOUDFLARENETUS United States 11->75 57 b50f8b11-3325-4116...26a5ef748b.tmp.node, PE32+ 11->57 dropped 59 65afc41c-8c84-4146...5de28cae49.tmp.node, PE32+ 11->59 dropped 16 cmd.exe 1 11->16         started        18 cmd.exe 1 11->18         started        20 MariyelsTherapy.exe 11->20         started        29 7 other processes 11->29 61 3bdc68ef-a1d6-4fa4...d65e582e75.tmp.node, PE32+ 14->61 dropped 63 218b500a-0507-4165...648010ae16.tmp.node, PE32+ 14->63 dropped 23 cmd.exe 14->23         started        25 cmd.exe 14->25         started        27 MariyelsTherapy.exe 14->27         started        31 7 other processes 14->31 file5 signatures6 process7 dnsIp8 33 conhost.exe 16->33         started        35 chcp.com 1 16->35         started        37 tasklist.exe 1 18->37         started        39 conhost.exe 18->39         started        71 chrome.cloudflare-dns.com 162.159.61.3, 443, 49717, 49740 CLOUDFLARENETUS United States 20->71 43 2 other processes 23->43 45 2 other processes 25->45 41 conhost.exe 29->41         started        47 5 other processes 29->47 49 6 other processes 31->49 process9
Score:
6%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/f96156a90a64cbe2fc1e09223065f670306b4172bd548a06f20d5106292adc53
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7fqvnkikmtf6f7a6berdazpwoaygwqlsxvkiubxsbviqmkjk3rjq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/240320-tcbexacb75/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Checks installed software on the system
Drops startup file
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f96156a90a64/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

rar 4f93bc8a8c04b2a9ebd71eeb34d40019172a7a259e591282f40b583330c32720

Executable exe f96156a90a64cbe2fc1e09223065f670306b4172bd548a06f20d5106292adc53

(this sample)

  
Link
https://mariyelstherapy.org/
  
Dropped by
SHA256 4f93bc8a8c04b2a9ebd71eeb34d40019172a7a259e591282f40b583330c32720
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2788234/
  
Dropped by
MD5 2ff900b42a29aaf58739543e26fc1ff6

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments