MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0416391e5b60e03e48bf3e97db2893369f6601d45d4307cf46c19e3ac23fd5dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0416391e5b60e03e48bf3e97db2893369f6601d45d4307cf46c19e3ac23fd5dc
SHA3-384 hash: 2ea0ae9433f99e861c34eb3436f84e91a36af39c37231f9388496252c1638d2d827d23f48bfb9a8e6835134d10dc7935
SHA1 hash: 55ad82b808ebaf0373dd92fa6d74a0e3c594c1d4
MD5 hash: 7edee4ba5b18fcb785b990bb844b0f3c
humanhash: spaghetti-arizona-wyoming-sweet
File name:7edee4ba5b18fcb785b990bb844b0f3c
Download: download sample
File size:606'720 bytes
First seen:2022-07-17 09:07:27 UTC
Last seen:2022-07-17 09:49:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 6144:OhhpaWEL76e2gNWN8SJVwmlCtCvLm2x/rxuNkHVNy+Ex46pEY7DCHTxyG7fl8dot:
Threatray 2'269 similar samples on MalwareBazaar
TLSH T1A4D49B3908FD063342A5E1EA9FD4EA67F580C8E266185E7A92C3CE89571385720DFD3D
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291325/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.1359.14291.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Unauthorized injection to a recently created process
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Apocalypse Clipper
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c70bcc0f-e61f-469e-bd02-7576116ddd9b
Result
Threat name:
MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1034604
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 667099 Sample: hpqvgliRwv Startdate: 17/07/2022 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected MicroClip 2->49 51 Sigma detected: Schedule system process 2->51 53 3 other signatures 2->53 8 hpqvgliRwv.exe 1 2->8         started        12 winlogon.exe 1 2->12         started        14 winlogon.exe 2->14         started        16 3 other processes 2->16 process3 file4 45 C:\Users\user\AppData\...\hpqvgliRwv.exe.log, ASCII 8->45 dropped 55 Detected unpacking (changes PE section rights) 8->55 57 Detected unpacking (overwrites its own PE header) 8->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 8->59 18 hpqvgliRwv.exe 1 8 8->18         started        61 Multi AV Scanner detection for dropped file 12->61 63 Machine Learning detection for dropped file 12->63 65 Injects a PE file into a foreign processes 12->65 21 winlogon.exe 12->21         started        23 winlogon.exe 14->23         started        25 winlogon.exe 16->25         started        27 winlogon.exe 16->27         started        29 winlogon.exe 16->29         started        31 4 other processes 16->31 signatures5 process6 file7 37 C:\Users\user\AppData\Roaming\winlogon.exe, PE32 18->37 dropped 39 C:\Users\user\AppData\...\winlogon.exe, PE32 18->39 dropped 41 C:\Users\...\winlogon.exe:Zone.Identifier, ASCII 18->41 dropped 43 C:\Users\...\winlogon.exe:Zone.Identifier, ASCII 18->43 dropped 33 schtasks.exe 1 18->33         started        process8 process9 35 conhost.exe 33->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0416391e5b60e03e48bf3e97db2893369f6601d45d4307cf46c19e3ac23fd5dc/
Threat name:
ByteCode-MSIL.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2022-07-17 07:12:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqldshs3mdqd4sf7h2l5wketg2pwmaoulvbqpt2gygpdvqr72xoa._file
Verdict:
malicious
Similar samples:
2e1c65ba7dcbd574aa70123733a3a6239560de434d0602b693733482555c0b14
2f43972540a6cae0eb4e50d142860bdc278b44b9b4606747c58e19383efa82f5
5f5ddb7f5934fc851903768ea0911a87b6278e0927169974f8442db9b0d1ca9a
64d0b1816a61739747fc22199afe846b83427afb5a9536ba7d6a03c6d9a5d297
a229aee8edf8ebb3b5e3e418879641216f49d6e00f8358a0debd4c00ddf825e9
bb13cf7f4d7f5db58730a4dd948093ab12ee0f65c2393784e43143913d51130b
d81e62102d9b748aaabf4f06bf0c09a66dfaaac7836374016a5f076b6f7ed418
ea315e9e65af9d1d95ac0636abde389107bb131f99e9eeac2dd16821be1ba888
f2000a110ef3052177a9a035ae3d6c811590d6d02534afc6e94d313b31a6b8eb
+ 2'259 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/220717-k3v3kaaben/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
32fd27d73b190f6ceea5e2f2de7f3266f27a85e37b40df39855b4d694e90a512
MD5 hash:
f1a790b4218c91f21a9a72bbbfe832c3
SHA1 hash:
40056818d693fae78c0c9d7fa15ee0a179a95e8a
Link:
https://www.unpac.me/results/4b0cf72a-b426-4f19-abbc-84ab3f46625f/
SH256 hash:
0416391e5b60e03e48bf3e97db2893369f6601d45d4307cf46c19e3ac23fd5dc
MD5 hash:
7edee4ba5b18fcb785b990bb844b0f3c
SHA1 hash:
55ad82b808ebaf0373dd92fa6d74a0e3c594c1d4
Link:
https://www.unpac.me/results/4b0cf72a-b426-4f19-abbc-84ab3f46625f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/0416391e5b60e03e48bf3e97db2893369f6601d45d4307cf46c19e3ac23fd5dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0416391e5b60e03e48bf3e97db2893369f6601d45d4307cf46c19e3ac23fd5dc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2258252/
Cape
Cape
https://www.capesandbox.com/analysis/291325/

Comments


Avatar
zbet commented on 2022-07-17 09:07:29 UTC

url : hxxp://rostwant.ml/c_omicron_qtrdecebeb.exe