MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd5bc7be5d95a9fb3a0187a82c1ed19637744c3fd1a8111801f4718c9f786e47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DuvetStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd5bc7be5d95a9fb3a0187a82c1ed19637744c3fd1a8111801f4718c9f786e47
SHA3-384 hash: 2f28d5b5792595cef0839fdd4a4273d56b6957a3be74106c0279f746092ae457b93ddec05c52a47833f2c9df6d3616b5
SHA1 hash: a49280febf013ac687300da34e3401ac08db659f
MD5 hash: 9f5c5ed55af22a0fc9a3a101c4826bae
humanhash: finch-idaho-equal-single
File name:PyPi-update.exe
Download: download sample
Signature DuvetStealer
Create hunting rule
File size:82'942'196 bytes
First seen:2024-07-06 17:26:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:TR6LBY7BMlYvQaxWxYQdZHBFdNYZvpXuyp3uOt1qwk:Tcu7i2vfoxRdzFCHYAAB
Threatray 286 similar samples on MalwareBazaar
TLSH T130083322028760A9E41031FC7B3FD4BBA5159E207394B1F2ABE57DC368B5482D7778AD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon ac9eda8ab282a282 (4 x DuvetStealer, 1 x GuLoader)
Reporter kam193
Tags:Duvet DuvetStealer exe


Avatar
kam193
Delivered through the better-gradient PyPI package.

Intelligence

File Origin
# of uploads :
1
# of downloads :
585
Origin country :
AT AT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fd5bc7be5d95a9fb3a0187a82c1ed19637744c3fd1a8111801f4718c9f786e47.exe
Verdict:
Malicious activity
Analysis date:
2024-07-06 17:28:09 UTC
Tags:
evasion discordgrabber generic stealer
Link:
https://app.any.run/tasks/7db36528-5855-4d42-b014-a4a31f92be4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668980303b2ddaaafa49a297win10vpnfull_triage
Tags:
Discovery Execution Generic Network Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Searching for the Windows task manager window
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Modifying a system file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66897e69910ce98966fbf188/reports/3c345bdd-7193-4727-9769-a5beb5f71aa7/overview
Verdict:
Suspicious
Labled as:
VHO_Trojan_Win64_Convagent_gen
Link:
https://www.hybrid-analysis.com/sample/fd5bc7be5d95a9fb3a0187a82c1ed19637744c3fd1a8111801f4718c9f786e47
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1468550
Signature
AI detected suspicious sample
Drops large PE files
Loading BitLocker PowerShell Module
Tries to steal communication platform credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1468550 Sample: PyPi-update.exe Startdate: 06/07/2024 Architecture: WINDOWS Score: 56 53 ipinfo.io 2->53 55 eduardalinn.lol 2->55 63 AI detected suspicious sample 2->63 8 Installer.exe 5 2->8         started        13 PyPi-update.exe 12 196 2->13         started        signatures3 process4 dnsIp5 59 ipinfo.io 34.117.186.192, 443, 49741 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->59 61 eduardalinn.lol 188.114.96.3, 443, 49742, 49743 CLOUDFLARENETUS European Union 8->61 41 f2b5ba75-ee5f-47f0...333e6deffb.tmp.node, PE32+ 8->41 dropped 43 928f6b7b-7778-471f...f1c83e9b37.tmp.node, PE32+ 8->43 dropped 65 Tries to steal communication platform credentials (via file / registry access) 8->65 15 powershell.exe 35 8->15         started        18 powershell.exe 8->18         started        20 cmd.exe 1 8->20         started        22 6 other processes 8->22 45 C:\Users\user\AppData\Local\...\Installer.exe, PE32+ 13->45 dropped 47 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 13->47 dropped 49 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 13->49 dropped 51 13 other files (none is malicious) 13->51 dropped 67 Drops large PE files 13->67 file6 signatures7 process8 dnsIp9 69 Loading BitLocker PowerShell Module 15->69 25 conhost.exe 15->25         started        27 conhost.exe 18->27         started        29 conhost.exe 20->29         started        31 chcp.com 1 20->31         started        57 chrome.cloudflare-dns.com 172.64.41.3, 443, 49751 CLOUDFLARENETUS United States 22->57 33 mshta.exe 22->33         started        35 conhost.exe 22->35         started        37 conhost.exe 22->37         started        39 3 other processes 22->39 signatures10 process11
Score:
3%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/fd5bc7be5d95a9fb3a0187a82c1ed19637744c3fd1a8111801f4718c9f786e47
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7vn4pps5swu7woqbq6ucyhwrsy3xitb72gubcgab6ryyzh3ynzdq._file
Verdict:
unknown
Similar samples:
07138f2e2d420199d28d3617143489fcb1eace0254ef6634eeb08734817b9fec
DuvetStealer
182d5eaca9805eff8657a5146f7127f797644d91c5f0f4b1343e86018c6eb7a2
DuvetStealer
1a7d1373265847ad8469a5df8553ff02083382c92ea203647e47748c0d6d0344
DuvetStealer
231e1d13bb881ffdef37c2c09ec64c0d978a4377eff635b433599cba0f01c2ff
DuvetStealer
2f72367bd43d9c3405c880334c577d8a282cd2a5018bc76c67783a326eb754aa
DuvetStealer
555d0020f21f464dbf6e2a43ed8c0cfc024a189953d19e712a65d61dc224dab5
DuvetStealer
6b2e51f4c3cadfd3441d843a96ebb56c50cb132ced3083bbf2f0ac760aca121c
DuvetStealer
7ab82c1ffa37f1538594cc5ad56f6dd047baf2c30bfcce614f1ad28b56196d35
DuvetStealer
fd5bc7be5d95a9fb3a0187a82c1ed19637744c3fd1a8111801f4718c9f786e47
DuvetStealer
+ 276 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/240706-v1emxaygqg/
Behaviour
Checks processor information in registry
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Checks installed software on the system
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b71278dc-e2ec-4a9e-91d9-88fcfafaaf67
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://tria.ge/240706-tw86aavcpk/behavioral2
  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments