MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 046790ee0a686933cd5104cf204067df20b5cdc70d048327b20c2683a3a74570. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 046790ee0a686933cd5104cf204067df20b5cdc70d048327b20c2683a3a74570
SHA3-384 hash: 9ff168e48495eae58fe9b06831952a136b41096ed90b2588dab6a7e42d294b6e4240f38cfabf3ec923d26b79eb2de961
SHA1 hash: 6dd41278346c607cc807ad13de671c10eb8c5ea6
MD5 hash: d4ac0ab4354200c6b04261e93a73da69
humanhash: charlie-mobile-delta-colorado
File name:046790ee0a686933cd5104cf204067df20b5cdc70d048327b20c2683a3a74570
Download: download sample
File size:401'269 bytes
First seen:2022-11-05 00:27:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 6144:wsxanyfX5k7JlJDlABKUtfU/WQcb5Z8WDKb099p6+VZhKlG0YKW5HFpa3mhVctZ:N0nyfXuIBDtfuJWDKb0A+VeGOWFeZ
Threatray 319 similar samples on MalwareBazaar
TLSH T1DA84F06374C1D032D01350309A99ABA2B9B9F9351776698BFF890F2D7B316E2D316783
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter DesdinovaOsint
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
PT PT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
046790ee0a686933cd5104cf204067df20b5cdc70d048327b20c2683a3a74570
Verdict:
Malicious activity
Analysis date:
2022-11-05 00:05:02 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/01bef713-9dcb-4fbd-b925-ff6bdf0c1838

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/328863/
Detection(s):
Win.Packed.njRAT-7136186-0
Create hunting rule

Win.Malware.Coinminer-6821120-0
Create hunting rule

SecuriteInfo.com.Trojan.MulDrop7.53194.14125.546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Launching a tool to kill processes
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/48734/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6365ae125a664bb7b89c33d9/reports/cdca7e94-3e22-4e80-949f-d9958e861eed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ae43cd7f-18d1-4990-86ab-b990afcab5e4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1105889
Signature
Antivirus detection for dropped file
Drops PE files to the startup folder
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 738552 Sample: i3AL5SNZdE.exe Startdate: 05/11/2022 Architecture: WINDOWS Score: 96 50 Snort IDS alert for network traffic 2->50 52 Antivirus detection for dropped file 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 2 other signatures 2->56 10 i3AL5SNZdE.exe 3 7 2->10         started        13 phrdgjvn.exe 2->13         started        process3 file4 44 C:\log\Rar.exe, PE32 10->44 dropped 15 wscript.exe 1 10->15         started        process5 dnsIp6 48 192.168.2.1 unknown unknown 15->48 18 cmd.exe 1 15->18         started        process7 process8 20 RAMPAGE.EXE 11 18->20         started        24 Rar.exe 5 18->24         started        26 taskkill.exe 1 18->26         started        28 6 other processes 18->28 file9 38 C:\Users\user\AppData\...\phrdgjvn.exe, PE32 20->38 dropped 40 C:\ProgramData\Microsoft\...\vesyuinl.exe, PE32 20->40 dropped 58 Antivirus detection for dropped file 20->58 60 Multi AV Scanner detection for dropped file 20->60 62 Machine Learning detection for dropped file 20->62 64 3 other signatures 20->64 30 explorer.exe 12 20->30         started        42 C:\log\RAMPAGE.EXE, PE32 24->42 dropped 34 MpCmdRun.exe 1 26->34         started        signatures10 process11 dnsIp12 46 gjtglunfe.biz 35.205.61.67, 49699, 80 GOOGLEUS United States 30->46 66 System process connects to network (likely due to code injection or exploit) 30->66 36 conhost.exe 34->36         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/046790ee0a686933cd5104cf204067df20b5cdc70d048327b20c2683a3a74570/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2019-01-21 03:56:47 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
18 of 42 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=artzb3qknbuthtkrathsaqdh34qlltohbucigj5sbqtihi5hivya._file
Verdict:
malicious
Similar samples:
02384895e3cc26b4844744ad987dcbad59a24f03053a5f4f82af768767aac548
16628199eb5c93f78f0fcc61725517dc5946d7a8b526199fae2c6a2a564b1cc6
2534eecca5ed157444298473d7c9c82d9def5b0a93ac581b75dede2f1a0c0a56
2cc5f31570047becc5e77581e2f640afba8d6904c6be61105603d60d01c181d0
b396f55b0cb17ada2fd582e0dfd39feca81ba7466c7d01cbfb19d2229a3b2993
b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34
cafdf53f2f34de585341dc789407f511561213235e850ffdf25e3fa793971eaa
fff25302774366cdb466fa0e4015f9c7de93fd0192585a3cab2e2f51b635047c
+ 309 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221105-asbwtsebgr/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/55d0005c-9ab7-4b48-8c4c-8a37d2afc2e2
Unpacked files
SH256 hash:
4f233e619d56cda14e9bc29ceccabf0dd3804b03514425e50eb0eecde3395472
MD5 hash:
0b1e2d08330b0a38c7735057a673fc26
SHA1 hash:
049ecd0288fdead2ecd159b43c33662b0b2cff3f
Link:
https://www.unpac.me/results/3606e4af-4bd8-4d46-b399-d7c37f82b1ed/
SH256 hash:
3f562eb80748c46db6651878123e66fa96341b76da4d43661efa10895658b6da
MD5 hash:
777333a9b7012fe89324cddff7037b7c
SHA1 hash:
f9fdf2a18ba40ecf1dbc2404fa5b67b7692cc745
Link:
https://www.unpac.me/results/3606e4af-4bd8-4d46-b399-d7c37f82b1ed/
SH256 hash:
9d3c8a21a3b275e7c570ed805b2bbb525d9e69be61983b492155275773867c47
MD5 hash:
754220d399923eb96ce096768f3dc4fc
SHA1 hash:
b2a829afc720ce51f1152c6b051c0e897285373b
Link:
https://www.unpac.me/results/3606e4af-4bd8-4d46-b399-d7c37f82b1ed/
SH256 hash:
046790ee0a686933cd5104cf204067df20b5cdc70d048327b20c2683a3a74570
MD5 hash:
d4ac0ab4354200c6b04261e93a73da69
SHA1 hash:
6dd41278346c607cc807ad13de671c10eb8c5ea6
Link:
https://www.unpac.me/results/3606e4af-4bd8-4d46-b399-d7c37f82b1ed/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/046790ee0a68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/046790ee0a686933cd5104cf204067df20b5cdc70d048327b20c2683a3a74570

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/328863/

Comments