MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0025e7526b7d4806b3da2c0843994300c235863e603b299c86a2b32d6682bf18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0025e7526b7d4806b3da2c0843994300c235863e603b299c86a2b32d6682bf18
SHA3-384 hash: 8789858f9ad44342fae37493159c65ba56d475bd06acca5fb8dbfd845b7a80573adb20c638bc05caa83d3f5350385a43
SHA1 hash: e541a4969eee255c101ab42783e97d0fa40a62de
MD5 hash: adbbe3b5fb02bb3b6eba57f019933412
humanhash: six-steak-october-wolfram
File name:0025e7526b7d4806b3da2c0843994300c235863e603b299c86a2b32d6682bf18
Download: download sample
File size:908'288 bytes
First seen:2023-05-25 21:24:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 12288:yMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9au2Twxk3Soj:ynsJ39LyjbJkQFMhmC+6GD9UTwxgZ
Threatray 81 similar samples on MalwareBazaar
TLSH T103157E23B2D18437E1731A3C5D6BA3A4983BBE612E34694F37E41E8D5F396816C25393
TrID 73.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
21.6% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
1.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0025e7526b7d4806b3da2c0843994300c235863e603b299c86a2b32d6682bf18
Verdict:
Malicious activity
Analysis date:
2023-05-25 21:24:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2b7668b0-91d7-42bc-a6dc-23bc5d051b5d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/391872/
Detection(s):
PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

Win.Trojan.Emotet-9850453-0
Create hunting rule

Win.Trojan.Generic-9936029-0
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Sending an HTTP GET request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/87941/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe darkkomet dropper evasive fingerprint greyware hacktool keylogger lolbin macros macros-on-close macros-on-open optix packed shell32.dll unsafe
Link:
https://www.filescan.io/uploads/646fd22f4ecb266ede2137fb/reports/3df38aab-dfc7-4399-9f45-c709f0216749/overview
Verdict:
Malicious
Labled as:
Delf.NBX virus
Link:
https://www.hybrid-analysis.com/sample/0025e7526b7d4806b3da2c0843994300c235863e603b299c86a2b32d6682bf18
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a745d3e-b45d-4716-b3ec-ca865fcd829d
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1242857
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 875866 Sample: 9ubdLPo2dg Startdate: 26/05/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Antivirus detection for URL or domain 2->59 61 11 other signatures 2->61 7 9ubdLPo2dg.exe 1 6 2->7         started        10 EXCEL.EXE 22 15 2->10         started        12 Synaptics.exe 2->12         started        process3 file4 25 C:\Users\user\...\._cache_9ubdLPo2dg.exe, PE32 7->25 dropped 27 C:\ProgramData\Synaptics\Synaptics.exe, PE32 7->27 dropped 29 C:\ProgramData\Synaptics\RCX3E29.tmp, PE32 7->29 dropped 31 C:\...\Synaptics.exe:Zone.Identifier, ASCII 7->31 dropped 14 Synaptics.exe 36 7->14         started        19 ._cache_9ubdLPo2dg.exe 1 7->19         started        process5 dnsIp6 41 freedns.afraid.org 174.128.246.100, 49700, 80 ST-BGPUS United States 14->41 43 docs.google.com 142.250.203.110, 443, 49701, 49702 GOOGLEUS United States 14->43 45 xred.mooo.com 14->45 33 C:\Users\user\Downloads\ChromeSetup.exe, PE32 14->33 dropped 35 C:\Users\user\Documents\~$cache1, PE32 14->35 dropped 37 C:\Users\user\AppData\Local\...\cGfLNtDE.exe, PE32 14->37 dropped 39 2 other malicious files 14->39 dropped 47 Antivirus detection for dropped file 14->47 49 Multi AV Scanner detection for dropped file 14->49 51 Drops PE files to the document folder of the user 14->51 53 Machine Learning detection for dropped file 14->53 21 WerFault.exe 24 9 14->21         started        23 conhost.exe 19->23         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0025e7526b7d4806b3da2c0843994300c235863e603b299c86a2b32d6682bf18/
Threat name:
Win32.Worm.Zorex
Create hunting rule
Status:
Malicious
First seen:
2023-05-25 20:44:06 UTC
File Type:
PE (Exe)
Extracted files:
67
AV detection:
33 of 35 (94.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aas6outlpveanm62fqeehgkdadbdlbr6ma5sthegukzs2zucx4ma._file
Verdict:
malicious
Similar samples:
1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180
23ad77a2be48a81e4460c894c41a35db18308a8f85eb841f5bf7ae99265f7310
6ae9300941c5572a3eec4d9b891e405318fd5595395c9251fe6baab66fa6700e
9360554f2e28415c1060e32aed40757998e0b16db0905f4ae5e1d21676b00ec5
a5fb447c2992f48abd863452bcd6934032cf29bef1f0907bd9344a31a41e0edb
caac1ca43926e89b75c3a5f17be13f381c421730cafaca62c7d1d2a6fd2deeff
d3cf4b037c360479189571116894759683426af15cf85197f7e7dc9c180f7963
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a
fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d
+ 71 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230525-z9k89scd94/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
b7cf11ea6620c988fb51576cf43f4b66459d354f353478cf094ef8ea51d5afaa
MD5 hash:
b3048aa13c4fdd44110be73cc2b7b5b7
SHA1 hash:
87dcb56313c93bed7e25a72251c05a3927572d24
Link:
https://www.unpac.me/results/a3932823-505a-447b-9cff-0be93bde3700/
SH256 hash:
0025e7526b7d4806b3da2c0843994300c235863e603b299c86a2b32d6682bf18
MD5 hash:
adbbe3b5fb02bb3b6eba57f019933412
SHA1 hash:
e541a4969eee255c101ab42783e97d0fa40a62de
Link:
https://www.unpac.me/results/a3932823-505a-447b-9cff-0be93bde3700/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0025e7526b7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0025e7526b7d4806b3da2c0843994300c235863e603b299c86a2b32d6682bf18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/391872/

Comments