MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01d96676851421e591657a6114eee8b52a123ae66585edd8870cb5b949626ddc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Reconyc

Vendor detections: 10

SHA256 hash: 01d96676851421e591657a6114eee8b52a123ae66585edd8870cb5b949626ddc
SHA3-384 hash: 5ddb6166dc53dc6b3aac287fe82cd31150910537de41f8d5349522da2fc77c4ae0d53d64eee42dd26cde039bfce9ee1e
SHA1 hash: 724c8e6900db473acda78df3853342eef8f6ceea
MD5 hash: b08bbaa3c6e24bf92335b71ae25c31a0
humanhash: nitrogen-fix-delaware-butter
File name: virussign.com_b08bbaa3c6e24bf92335b71ae25c31a0
Signature: Reconyc
File size: 547'840 bytes
First seen: 2022-07-15 17:13:01 UTC
Last seen: 2024-07-24 10:43:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 12288:+Z0SXsEqvBk6Y+fJJFL456Fg1/Zz/U4sqZ83DSBP8Mw:tVXF01gAgD0PZw
TLSH: T1C1C4026585374B77DCDA1DF0D3B608A04D54369742AC6386CA5B8B5EC3F3838C4E6B8A
TrID:
  35.6% (.EXE) Win32 Executable (generic) (4505/5/1)
  16.3% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  16.0% (.EXE) OS/2 Executable (generic) (2029/13)
  15.8% (.EXE) Generic Win/DOS Executable (2002/3)
  15.8% (.EXE) DOS Executable Generic (2000/1)
Reporter: KdssSupport (uploaded with API)
Tags: exe Reconyc

Intelligence


File Origin
# of uploads: 2
# of downloads: 133
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: virussign.com_b08bbaa3c6e24bf92335b71ae25c31a0
Verdict: Malicious activity
Analysis date: 2022-07-16 00:57:47 UTC
Tags: trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Replacing executable files
DNS request
Creating synchronization primitives
Launching a process
Sending an HTTP GET request
Sending a custom TCP request
Moving of the original file
Enabling autorun by creating a file

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Behavior Graph ID: 665762
Sample: ovVFbnqzTY.com_b08bbaa3c6e2...
Start date: 16/07/2022
Architecture: WINDOWS
Score: 92
Signatures on the submitted sample: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 3 other signatures
Process tree:
  ovVFbnqzTY.exe (started)
    Dropped files: C:\Users\user\Desktop\ovVFbnqzTY.exe (PE32); C:\Users\user\...\old_ovVFbnqzTY.exe (copy, PE32); C:\Users\...\ovVFbnqzTY.exe:Zone.Identifier (ASCII)
    Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
    ovVFbnqzTY.exe (started)
      Network: www.U2EpGgs8tp.com; www3.l.google.com 142.250.186.46 (ports 49752, 49765, 80) GOOGLEUS United States; 2 other IPs or domains
      Signatures: Hides threads from debuggers
      schtasks.exe (started)
        conhost.exe (started)
  ovVFbnqzTY.exe (started)
    Network: www.qkcRLKV4pe.com; 172.67.34.170 (ports 443, 49766, 49767) CLOUDFLARENETUS United States; 3 other IPs or domains
    Signatures: Hides threads from debuggers
    schtasks.exe (started)
      conhost.exe (started)
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2022-07-12 23:00:24 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 24 of 26 (92.31%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 2c494ec48c7cdfe4d51e2bb6d2aa5a0192f1ba58410f3264820e1ad66bd8d404
MD5 hash: bab472e71684e39b9da2cec18f2a3e09
SHA1 hash: bcecf946b274a7ee22c0e57f1c161ccefa863518

SHA256 hash: ab23ee93c55f416bd5042bf181dda56c6f4cccc459e28aa345e8a65608871da2
MD5 hash: dc992d33d944188bf67fade5385f4bd9
SHA1 hash: 58fc335d1d8178730e8d63e03d19c6d65d0c9529

SHA256 hash: 28f41922aedb9dc3c7fc34be7fe961a44a53df75557321a42b29198c50c912a5
MD5 hash: 2b935aa5fc19582f8235c85e14de2de0
SHA1 hash: 268a0ec47a277eab3ae22b6baddeef47152ae4b5

SHA256 hash: 01d96676851421e591657a6114eee8b52a123ae66585edd8870cb5b949626ddc
MD5 hash: b08bbaa3c6e24bf92335b71ae25c31a0
SHA1 hash: 724c8e6900db473acda78df3853342eef8f6ceea
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste

Rule name: INDICATOR_SUSPICIOUS_References_SecTools
Author: ditekSHen
Description: Detects executables referencing many IR and analysis tools

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware

Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Reconyc
File type: Executable exe
SHA256: 01d96676851421e591657a6114eee8b52a123ae66585edd8870cb5b949626ddc (this sample)
