MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03614d528809171ea45459ac44783c841827e663322e3fdfe5b3e2477d47a160. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03614d528809171ea45459ac44783c841827e663322e3fdfe5b3e2477d47a160
SHA3-384 hash: 9131c550bfa860abaefb4e5610885a96cf132df796816fd5639e079afbc4c92b6683b3d3ebcbaa9bb1151c6c346cecf5
SHA1 hash: 760074b351752bf974c8726ffde399b71cde0edf
MD5 hash: f5348421d46972d15e25f871bc07ecc2
humanhash: william-maine-fish-arizona
File name:f5348421d46972d15e25f871bc07ecc2.exe
Download: download sample
File size:812'071 bytes
First seen:2021-12-06 07:35:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:0Qnk3GDYKGcblwtX+t4Y8v1gZpg33B3XIOMeb9Xg8xgernDi5kivGXk6rM2:IAOcZwXYE1pB3XIOMG1pgerDgkgtOp
TLSH T160050201BBC188B1E4731C325A296F266D3D7C202E25DF6FB3E4796DDA35081A624B77
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f5348421d46972d15e25f871bc07ecc2.exe
Verdict:
Malicious activity
Analysis date:
2021-12-06 07:41:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd913340-7820-4814-961a-834fe049eba4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211668/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Launching a service
Launching a process
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1041/overview
Behaviour
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61adbd634d8e6f3a5e13dd9f/reports/3e7e6f34-ab68-46b6-9d50-a31373098408/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/49acda88-d596-4fc2-8a26-c7f92390bf5a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/902028
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Multi AV Scanner detection for submitted file
Sigma detected: Conti Backup Database
Sigma detected: Disable or Delete Windows Eventlog
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Defender Exclusion
Sigma detected: PowerShell SAM Copy
Sigma detected: Suspicious PowerShell Invocations - Generic
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534507 Sample: l24t7vaE9E.exe Startdate: 06/12/2021 Architecture: WINDOWS Score: 100 76 Sigma detected: Powershell adding suspicious path to exclusion list 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Sigma detected: PowerShell SAM Copy 2->80 82 7 other signatures 2->82 10 l24t7vaE9E.exe 4 13 2->10         started        13 svchost.exe 2->13         started        16 svchost.exe 9 1 2->16         started        19 6 other processes 2->19 process3 dnsIp4 58 C:\Users\user\AppData\Local\...\format.vbs, ASCII 10->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\term.exe, PE32 10->60 dropped 21 wscript.exe 1 10->21         started        92 Changes security center settings (notifications, updates, antivirus, firewall) 13->92 72 127.0.0.1 unknown unknown 16->72 62 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 19->62 dropped file5 signatures6 process7 process8 23 term.exe 9 21->23         started        file9 56 C:\Users\user\AppData\...\motherhood.exe, PE32 23->56 dropped 26 motherhood.exe 9 12 23->26         started        process10 file11 64 C:\Windows\Resources\Themes\...\svchost.exe, PE32 26->64 dropped 66 C:\Users\user\AppData\...\???????????????.exe, PE32 26->66 dropped 68 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 26->68 dropped 70 40b92fae-7c09-4d6a-ba84-b99c939670ca.exe, PE32 26->70 dropped 84 Creates autostart registry keys with suspicious names 26->84 86 Drops PE files to the startup folder 26->86 88 Creates an autostart registry key pointing to binary in C:\Windows 26->88 90 2 other signatures 26->90 30 AdvancedRun.exe 1 26->30         started        33 powershell.exe 26->33         started        35 powershell.exe 26->35         started        37 7 other processes 26->37 signatures12 process13 dnsIp14 74 192.168.2.1 unknown unknown 30->74 40 AdvancedRun.exe 30->40         started        42 conhost.exe 33->42         started        44 conhost.exe 35->44         started        54 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 37->54 dropped 46 conhost.exe 37->46         started        48 conhost.exe 37->48         started        50 conhost.exe 37->50         started        52 3 other processes 37->52 file15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03614d528809171ea45459ac44783c841827e663322e3fdfe5b3e2477d47a160/
Threat name:
Win32.Trojan.PShell
Create hunting rule
Status:
Malicious
First seen:
2021-12-06 06:25:01 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/211206-je8s3sdedk/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
0e9738ca2407852407355b77c956022d5f54db87a2aa24b95413037a6e7a565a
MD5 hash:
8cfe2bd5b788fee42f872aa4b4c83a9e
SHA1 hash:
db9792ebb870cd39db4210e982f57ce2c0ca018a
Link:
https://www.unpac.me/results/88fb85a5-f4f5-4930-bbb5-a8f29a7101b7/
SH256 hash:
c65ca40f4b630ac789451f4a6cf088fe0db50b77929a92208fdb58b353e097ef
MD5 hash:
4604e6b63d04518cdfa09cabc554fba0
SHA1 hash:
40bfd568a2b09b4468f4c7f4bee3662739302e67
Link:
https://www.unpac.me/results/88fb85a5-f4f5-4930-bbb5-a8f29a7101b7/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/88fb85a5-f4f5-4930-bbb5-a8f29a7101b7/
SH256 hash:
03614d528809171ea45459ac44783c841827e663322e3fdfe5b3e2477d47a160
MD5 hash:
f5348421d46972d15e25f871bc07ecc2
SHA1 hash:
760074b351752bf974c8726ffde399b71cde0edf
Link:
https://www.unpac.me/results/88fb85a5-f4f5-4930-bbb5-a8f29a7101b7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/03614d528809/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03614d528809171ea45459ac44783c841827e663322e3fdfe5b3e2477d47a160

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 03614d528809171ea45459ac44783c841827e663322e3fdfe5b3e2477d47a160

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1709504/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211668/

Comments