MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EpsilonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4
SHA3-384 hash: a4b002eea53cae2ab632cf6c8213c06bef787907086e0d59a902f33956296ce640847bafcf1e7e399061e4817fb7751b
SHA1 hash: bf80943ae4cae562426aeb1d6c79b36c07de9a8a
MD5 hash: 29e770ca5b5180b014aa526979001d50
humanhash: finch-kansas-snake-black
File name:29e770ca5b5180b014aa526979001d50.exe
Download: download sample
Signature EpsilonStealer
Create hunting rule
File size:64'840'784 bytes
First seen:2023-09-26 04:31:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:pm6TABwOUSLHPbhnqSPZNx5lR8H1U5jfjTOlaz7:U6T6mSLHP1NZ9UVWjLTOwz7
Threatray 4 similar samples on MalwareBazaar
TLSH T1D0E73325FE509963C80A613B8E2883E6E6D13B443704EB070FA5DB56BB55D909F12EBC
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 100c3232b2b24c30 (38 x EpsilonStealer)
Reporter abuse_ch
Tags:EpsilonStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
29e770ca5b5180b014aa526979001d50.exe
Verdict:
Malicious activity
Analysis date:
2023-09-26 04:33:12 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/e6d97f34-13d8-4830-bcdc-128ca3aa4568

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Creating a window
Creating a process from a recently created file
Creating a file
DNS request
Searching for synchronization primitives
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Changing a file
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Deleting a recently created file
Replacing files
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65125ec533582f234e0337e5/reports/8d9f3cab-5f12-460e-a0f7-05dbc99e0e8f/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1314239
Signature
Antivirus / Scanner detection for submitted sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1314239 Sample: l4hqXSH8qO.exe Startdate: 26/09/2023 Architecture: WINDOWS Score: 84 54 Snort IDS alert for network traffic 2->54 56 Multi AV Scanner detection for domain / URL 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 Multi AV Scanner detection for submitted file 2->60 8 l4hqXSH8qO.exe 182 2->8         started        process3 file4 32 C:\Users\user\AppData\...\VoidOfSpace.exe, PE32+ 8->32 dropped 34 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\...\System.dll, PE32 8->36 dropped 38 16 other files (none is malicious) 8->38 dropped 11 VoidOfSpace.exe 48 8->11         started        process5 dnsIp6 46 api.epsilon1337.com 20.124.93.151, 443, 49783, 49784 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->46 48 ipinfo.io 34.117.59.81, 443, 49782 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 11->48 50 192.168.2.1 unknown unknown 11->50 40 be314c03-2b57-4843...c1123c0c26.tmp.node, PE32+ 11->40 dropped 42 6ee381ac-1900-4841...81b81f0f17.tmp.node, PE32+ 11->42 dropped 62 May check the online IP address of the machine 11->62 64 Tries to harvest and steal browser information (history, passwords, etc) 11->64 16 reg.exe 1 11->16         started        19 VoidOfSpace.exe 13 11->19         started        22 cmd.exe 1 11->22         started        24 2 other processes 11->24 file7 signatures8 process9 dnsIp10 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->52 26 conhost.exe 16->26         started        44 dns.google 19->44 28 tasklist.exe 1 22->28         started        30 conhost.exe 22->30         started        signatures11 process12
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-05 18:25:39 UTC
File Type:
PE (Exe)
Extracted files:
138
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7oeiznjltlgxgkz2rti6beum3wdnxrfi3ya7dveoih6ocu7dwdca._file
Verdict:
unknown
Similar samples:
866ad0e1f44d12677e3cd565d47283d6229df46e23387c1ed482abe145ce080d
EpsilonStealer
90e7e0b24ef5cfae31312e39e5ac1cf13c23ffef9f7135f0fc6d44cc7da47195
EpsilonStealer
ce17af59a2414b2dd199529a1c0e47d9bdd9b7f01c793b0e7dacaf27b12abca3
EpsilonStealer
Result
Malware family:
epsilon
Create hunting rule
Score:
  10/10
Tags:
family:epsilon persistence spyware stealer
Link:
https://tria.ge/reports/230926-e5zkwafg72/
Behaviour
Enumerates processes with tasklist
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects EpsilonStealer ASAR
Epsilon Stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments