MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbfa8f32f35e7925f320978a55f28df0c6214cefd8a93fa02a0c1d946d100715. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VectorStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbfa8f32f35e7925f320978a55f28df0c6214cefd8a93fa02a0c1d946d100715
SHA3-384 hash: 78ef2485c9bcd7a0acf2f3e14d7061ba5473c456b80812b5ed7f1e85c5f3ae6e89b8ba9df7f0613b3a40f33e28b06af1
SHA1 hash: 38bb84519bd71133d1df4f7c7db387055c634cbd
MD5 hash: 9de36c98f536475f24a05cc8dda87b38
humanhash: fourteen-berlin-oxygen-saturn
File name:SecuriteInfo.com.Win64.PWSX-gen.3187.26224
Download: download sample
Signature VectorStealer
Create hunting rule
File size:1'121'280 bytes
First seen:2023-03-28 07:32:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:17LXnVC7Ko7A11cljuxSd9Hbf0RnV8XJefZXZXqc1rnRqaJ:13FC7T7gBSbf0RV1F3rnRqq
Threatray 1'240 similar samples on MalwareBazaar
TLSH T13635331A537A3223F965123962C6BA5C8F73056CE4EA67587CABD0FE38267441C23377
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:exe VectorStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win64.PWSX-gen.3187.26224
Verdict:
Malicious activity
Analysis date:
2023-03-28 07:33:13 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/e15728f2-5cdf-415a-92e5-2a63d8707de2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378121/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.3187.26224.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun for a service
Blocking the User Account Control
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6422983680ca4ca1ff59c144/reports/ccd1279d-dc1e-446e-8992-080317a201ad/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fbfa8f32f35e7925f320978a55f28df0c6214cefd8a93fa02a0c1d946d100715
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
VectorStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e784702e-7cc2-4cb6-b91f-da26dfb277c2
Result
Threat name:
Vector Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1203229
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Disables UAC (registry)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
Yara detected Vector Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 836151 Sample: SecuriteInfo.com.Win64.PWSX... Startdate: 28/03/2023 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected Vector Stealer 2->37 39 9 other signatures 2->39 7 SecuriteInfo.com.Win64.PWSX-gen.3187.26224.exe 5 5 2->7         started        process3 file4 23 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 7->23 dropped 25 SecuriteInfo.com.W....3187.26224.exe.log, CSV 7->25 dropped 41 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->41 43 Writes to foreign memory regions 7->43 45 Adds a directory exclusion to Windows Defender 7->45 47 3 other signatures 7->47 11 jsc.exe 15 66 7->11         started        15 powershell.exe 19 7->15         started        17 WsatConfig.exe 7->17         started        19 4 other processes 7->19 signatures5 process6 dnsIp7 27 api.telegram.org 149.154.167.220, 443, 49708, 49709 TELEGRAMRU United Kingdom 11->27 29 ipinfo.io 34.117.59.81, 443, 49706 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 11->29 31 discord.com 162.159.138.232, 443, 49707 CLOUDFLARENETUS United States 11->31 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 May check the online IP address of the machine 11->51 53 Tries to steal Mail credentials (via file / registry access) 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 21 conhost.exe 15->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbfa8f32f35e7925f320978a55f28df0c6214cefd8a93fa02a0c1d946d100715/
Threat name:
Win64.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-03-27 16:37:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7p5i6mxtlz4sl4zas6ffl4un6ddccthp3cut7ibkbqozi3iqa4kq._file
Verdict:
unknown
Similar samples:
1e979fa4a0145a6da971bf2f00dcfaf6f909357f6bc56d243ac9a8821efd85bc
VectorStealer
2267fac6e4bcace94d9ed232cc4ba7e128424e80c5730ea38f23610c11bdc168
VectorStealer
28ff484ca36b3a1f5d7f59a25e947e9a6b12ca34214f9bcfca01cee5745e6b6a
VectorStealer
34a6cb7776062b6a981d8f2b1fd7e6e7fc6fb9c5253f57a06cef1903569fd532
VectorStealer
35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975
VectorStealer
36f8d4d85b7d03fdbd622909d93638fa20bbdcc1e832591b82dbe7f710ab0be0
VectorStealer
6159a8ba420cbed9d0ca9abb371cd8b1e600c0e2fd7763f32cec6917605d51d9
VectorStealer
9ef8d74a3ef84feb99d45e04e084fb628c091f8fa3b81b42faacc235ab2e753e
VectorStealer
d69974ab2591e06f55c58786be3fc436fe992c501dd37724869747e2369c909d
VectorStealer
fb8fdb08cf7984a3bac0cc7daeea3790a92306467543cf556945fc479a165dd8
VectorStealer
+ 1'230 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection evasion persistence trojan
Link:
https://tria.ge/reports/230328-jdj4bsbd7t/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Uses the VBS compiler for execution
Windows security modification
Looks for VMWare Tools registry key
Sets service image path in registry
Looks for VirtualBox Guest Additions in registry
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
fbfa8f32f35e7925f320978a55f28df0c6214cefd8a93fa02a0c1d946d100715
MD5 hash:
9de36c98f536475f24a05cc8dda87b38
SHA1 hash:
38bb84519bd71133d1df4f7c7db387055c634cbd
Link:
https://www.unpac.me/results/3caf3657-20c9-45d0-987a-fa8acb5caa95/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fbfa8f32f35e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fbfa8f32f35e7925f320978a55f28df0c6214cefd8a93fa02a0c1d946d100715

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/378121/

Comments