MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02a8afb13fb3fa71b1607c1c878322ab3894d6e3d646ac17782339cc6065ce45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02a8afb13fb3fa71b1607c1c878322ab3894d6e3d646ac17782339cc6065ce45
SHA3-384 hash: 4070c448f3d4bc17d1e5f16c1c336df8b5dfffa0a4494dece34c78323fc9ef823b0e64559bdaa7a87b5867cb347f0a3c
SHA1 hash: e4283cbbb00aa69a5cdd53216412e6d280a5ca8d
MD5 hash: c0b72f02482b0a580b2775a3ce0e0636
humanhash: princess-eighteen-potato-cardinal
File name:2e6rgr.exe
Download: download sample
File size:6'503'993 bytes
First seen:2023-06-15 08:52:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep 196608:O3F6n80W6uG0AL1ITY/AUlhJ/CwYWcxJZgt:KFREC+1XVCwyxUt
Threatray 22 similar samples on MalwareBazaar
TLSH T158663387F782C0B1C8B504B41522DB764E766D3297F9D9E7AFD03E2ACE213D05631A4A
TrID 68.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
10.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon fadadac2a2b8c4e4 (11 x Nitol, 2 x Amadey, 2 x AgentTesla)
Reporter obfusor
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2e6rgr.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 08:55:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9f68e545-e65e-43f6-8d98-42c088a4ca4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/399089/
Detection(s):
MiscreantPunch.SingleXOR.EXE.7.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BackDoor.IRC.Bot.4560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Creating a file in the Program Files subdirectories
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90840/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware lolbin obfuscated overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/648ad17240b26d42ee55ab72/reports/726cffa2-cd02-4113-a49a-d272fb680846/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/02a8afb13fb3fa71b1607c1c878322ab3894d6e3d646ac17782339cc6065ce45
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Sysinternals
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/17b796b8-9739-49a1-8db5-acc868d76e70
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1255171
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02a8afb13fb3fa71b1607c1c878322ab3894d6e3d646ac17782339cc6065ce45/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-15 08:53:10 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
3 of 37 (8.11%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=akuk7mj7wp5hdmlapqoipazcvm4jjvxd2zdkyf3yem44yydfzzcq._file
Verdict:
malicious
Similar samples:
1c60192be3d193617aadd61be5be552a5b24e46e50492b04eb889ed1f6fbd81d
1e7ed9a8dd2e513ace96352932af722d1c3c88641b97f8f59a50774ef1dc31ea
4e825059cdc8c2116ff7737eead0e6482a2cbf0a5790deadd89202a4058765bd
61d451ce5a169591bd4e8633c9030a8afb54027e66dbae6127984caa48bc2568
827349ef926486d692dec5158ac66fcc27ec6f628f759f1cb23814f50f93ab88
86e69b16379a3aa41a658af413ea71364341da11e2f7d724dcefeac6eaa504ec
9aa78623c847c8344516bc815b9c055db994d9ee28c59a0102e1024b9706dbce
d3c87bbd2121958c5beb20738999cf1d6938237d92fd98d19ba0bda2effde25a
fb6eae45c38c680a2580247feed29592f40ab479339244c58b7f3397e773fbcd
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/230615-kta12afd4v/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
1661b6a5fb9e7f59f5b8ec29f6d0d1b369f1db890fa5122973730d4153931c7d
MD5 hash:
653805bcf9e4d8f6e462b82b72b51c1f
SHA1 hash:
db38be6a1d65e1c30330ed5f77548ecac20e9429
Link:
https://www.unpac.me/results/4af1adf4-f9c4-41fb-9fc1-92f9f0711940/
SH256 hash:
f1e33e5fc5bc58fa6bec864b11e8ba2d78bb2bd168fc54c55718aa550d568617
MD5 hash:
57a5253baf5955e1c0a150efb32909b4
SHA1 hash:
956448746a31facee402de3275a0ea9fc173524b
Link:
https://www.unpac.me/results/4af1adf4-f9c4-41fb-9fc1-92f9f0711940/
SH256 hash:
e69898ecd1c8c12a7949ab5823e04f8eba838f4c44f5d9af59083a9a37c14272
MD5 hash:
fa763f64b2be3139e7c56f369680aec2
SHA1 hash:
3d9b731d4a1ec98e3ccda9141a01df713addc663
Link:
https://www.unpac.me/results/4af1adf4-f9c4-41fb-9fc1-92f9f0711940/
SH256 hash:
02a8afb13fb3fa71b1607c1c878322ab3894d6e3d646ac17782339cc6065ce45
MD5 hash:
c0b72f02482b0a580b2775a3ce0e0636
SHA1 hash:
e4283cbbb00aa69a5cdd53216412e6d280a5ca8d
Link:
https://www.unpac.me/results/4af1adf4-f9c4-41fb-9fc1-92f9f0711940/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02a8afb13fb3fa71b1607c1c878322ab3894d6e3d646ac17782339cc6065ce45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/399089/

Comments