MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 001f9d34e694a3d6e301a4e660f2d96bc5d6aa6898f34d441886c6f9160d9e48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 7

SHA256 hash: 001f9d34e694a3d6e301a4e660f2d96bc5d6aa6898f34d441886c6f9160d9e48
SHA3-384 hash: bd6d8bb57ba935c2f97bfe35a334168fe4283ac291f103979a7c342dadc7bf1e1df05bc82c14060d98696c7fbd385c77
SHA1 hash: fae9ae27839a58084fc4b2d528631e0446afc73e
MD5 hash: 8d41f5eaac4acca0d1d675b28da1df58
humanhash: pluto-magnesium-princess-juliet
File name: In-depth advertising materials for Facebook .exe
File size: 22'704'160 bytes
First seen: 2022-12-11 16:21:24 UTC
Last seen: 2022-12-11 17:32:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 160cd5026138919c15e173f4531495be
ssdeep: 393216:+ErQzkhHVVXQI2yP+5idDZNGWW42ZyQKEbpEXp5Qoy:+MJRXQI2yPNZEV423hNE55Q1
Threatray: 17 similar samples on MalwareBazaar
TLSH: T1A63733EA303B484EF4C694FEB464618D69996D6C5C0A603C4181A075AAFEF4C4F5FFB2
TrID: 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.1% (.ICL) Windows Icons Library (generic) (2059/9)
      5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 4cc04a4c5c5a0004 (7 x AgentTesla, 4 x Smoke Loader, 2 x DarkCloud)
Reporter: Anonymous
Tags: CreatesProcesses exe WindowsDefenderDesactivation

Intelligence


File Origin
# of uploads: 2
# of downloads: 210
Origin country: EC

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://drive.google.com/file/d/1kUGuX6laOi1_xTWqxZN5iQvo0SS6-p-A/view
Verdict: No threats detected
Analysis date: 2022-12-11 16:15:25 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating synchronization primitives
Searching for synchronization primitives
Creating a window
Launching a service
Modifying a system executable file
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug overlay packed python shell32.dll
Result
Verdict: MALICIOUS
Result
Threat name: Unknown
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 92 / 100
Signature
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Suspicious command line found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph: [graph image not reproduced here; Behavior Graph ID: 764988, Sample: In-depth advertising materi..., Startdate: 11/12/2022, Architecture: WINDOWS, Score: 92]
Threat name: Win64.Dropper.Generic
Status: Suspicious
First seen: 2022-12-11 16:22:29 UTC
File Type: PE+ (Exe)
Extracted files: 3
AV detection: 4 of 26 (15.38%)
Threat level: 3/5
Result
Malware family: n/a
Score: 8/10
Tags: spyware stealer
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 001f9d34e694a3d6e301a4e660f2d96bc5d6aa6898f34d441886c6f9160d9e48 (this sample)

Delivery method: Distributed via web download
