MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02216d2a51d07a55660dbd40857d118281c281a974935f00b15078e5207c2d4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments 1

SHA256 hash:	02216d2a51d07a55660dbd40857d118281c281a974935f00b15078e5207c2d4b
SHA3-384 hash:	28e3f1c02b4c573f9aba923df4ee2bd83279936a371f9037f1504e555a01ab18ba59e94a9b7e11560fb28a59cbbde06f
SHA1 hash:	4c106a9795635f7fd479aae4acdf37c93e2f422f
MD5 hash:	671918b0dc1885b5b37cd776a40638b9
humanhash:	skylark-yellow-stairway-fish
File name:	671918b0dc1885b5b37cd776a40638b9
Download:	download sample
File size:	8'195'584 bytes
First seen:	2023-08-25 02:16:56 UTC
Last seen:	2023-08-25 16:02:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	196608:Q5sT5so57UnkJbSK1sWb2dSIaZUGsJNRfCi8bBJ5/RdoHtomK/VT:v57Unk8K1w6z3/3JdT
Threatray	3 similar samples on MalwareBazaar
TLSH	T1AB86330438445EECF156DDBFB963DB3F05ADDF689442C6A259A01FA4BC0A18E4F0BB58
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	de8e9e989e9e98b0 (2 x RedLineStealer, 1 x Stealc, 1 x LummaStealer)
Reporter	zbetcheckin
Tags:	32 exe

Intelligence

File Origin

# of uploads :

# of downloads :

267

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

671918b0dc1885b5b37cd776a40638b9

Verdict:

Malicious activity

Analysis date:

2023-08-25 02:20:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/25b00388-d0ea-4e22-8b0a-ff8b0264e92d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/444609/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2161.16198.31769.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Сreating synchronization primitives

Launching a service

Launching a process

Searching for the window

Searching for synchronization primitives

Creating a window

Modifying a system executable file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm obfuscated packed packed smartassembly

Link:

https://www.filescan.io/uploads/64e80f1f9ff753467d7f91c5/reports/18e1c5a4-dfe6-4779-a6de-a471aaac0a88/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/02216d2a51d07a55660dbd40857d118281c281a974935f00b15078e5207c2d4b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1071d0f5-737b-4a46-8b8d-36b499381f34

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1297101

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Set autostart key via New-ItemProperty Cmdlet

Suspicious powershell command line found

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/02216d2a51d07a55660dbd40857d118281c281a974935f00b15078e5207c2d4b/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-08-23 16:25:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 38 (44.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aiqw2ksr2b5fkzqnxvaik7irqka4fanjosjv6afrkb4okid4fvfq._file

Verdict:

malicious

13993a109f4064a70ae87d660099352109c6115065444c46e5cb4854496ce6da

cbe8c12a97e6afdce354524b36314c07ab3345dd2776a7f8f070733270cf4cff

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/230825-cqpq1sgf35/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Enumerates connected drives

Modifies Installed Components in the registry

Unpacked files

SH256 hash:

bb6bae1db624330fb209d5c36f40d1d019036c6ab77bac108e87644caaf3eee6

MD5 hash:

0cd7a52e335afe895bc9a2721e10fe45

SHA1 hash:

5b970e5c8ee9dce97384beca793f5b39a986a1a3

Link:

https://www.unpac.me/results/89b7a9df-1b20-44c8-b73c-8d762167ffd3/

SH256 hash:

5de35892bcdf6b2d1abbc2184ec72384f35afb672484f21cad759597392d42d6

MD5 hash:

f97e560734c5d6771d03cd58243c8e33

SHA1 hash:

4a60a25d9216f0c9e15c873743e90bd851ea0dfe

Link:

https://www.unpac.me/results/89b7a9df-1b20-44c8-b73c-8d762167ffd3/

SH256 hash:

a59abb276531f11cfba9c6d9dde345666b93c4721533c38769699eb320c8be3c

MD5 hash:

b60e3b773eebd0e5932df3c71e623ea7

SHA1 hash:

4186947ab530a9927b4bef34a08e001b03cf9747

Link:

https://www.unpac.me/results/89b7a9df-1b20-44c8-b73c-8d762167ffd3/

SH256 hash:

02216d2a51d07a55660dbd40857d118281c281a974935f00b15078e5207c2d4b

MD5 hash:

671918b0dc1885b5b37cd776a40638b9

SHA1 hash:

4c106a9795635f7fd479aae4acdf37c93e2f422f

Link:

https://www.unpac.me/results/89b7a9df-1b20-44c8-b73c-8d762167ffd3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/02216d2a51d0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/02216d2a51d07a55660dbd40857d118281c281a974935f00b15078e5207c2d4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 02216d2a51d07a55660dbd40857d118281c281a974935f00b15078e5207c2d4b

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2706882/

Cape

https://www.capesandbox.com/analysis/444609/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-08-25 02:16:57 UTC

url : hxxp://193.233.255.9/lend/fqwrqwesda.exe