MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04784d46d726d64b9c5a4562c89230e2be58e0349b0bee477c56699676549ef9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04784d46d726d64b9c5a4562c89230e2be58e0349b0bee477c56699676549ef9
SHA3-384 hash: 9b6cba06f09ab209e3af3fcfa2ab40a61a47e0f1257e203511848bff304a5c58a3763f749f357d49a873522aad97ae22
SHA1 hash: 222365dab4d6229890d167e8db998aa92bd99a14
MD5 hash: 0d7cf01e79d3a6a9f4374842e8fb9598
humanhash: bulldog-jersey-asparagus-mockingbird
File name:31463680_D01_flat_31463680_D01_flat.pdf.exe
Download: download sample
File size:912'264 bytes
First seen:2021-05-24 16:14:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:eHLmCiIhVQZd5zZxGQF7RlotMuk3G39rKKuOcn:zBd5tx/FxyOKuOcn
Threatray 528 similar samples on MalwareBazaar
TLSH CD15E112B5C68872D5231A711939A720593B7D544B389A0F63EC3D2FBBB32926931F73
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
31463680_D01_flat_31463680_D01_flat.pdf.exe
Verdict:
No threats detected
Analysis date:
2021-05-24 16:39:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d7c1cc3d-3ede-4977-bc46-2ea50e46cb51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Program Files subdirectories
Launching a process
Creating a process from a recently created file
Creating a file
Creating a service
Launching a service
Sending a UDP request
DNS request
Sending a custom TCP request
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/790587
Signature
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionalty to change the wallpaper
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 422984 Sample: 31463680_D01_flat_31463680_... Startdate: 24/05/2021 Architecture: WINDOWS Score: 96 51 clientconfig.passport.net 2->51 59 Antivirus / Scanner detection for submitted sample 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 6 other signatures 2->65 9 31463680_D01_flat_31463680_D01_flat.pdf.exe 3 6 2->9         started        12 svchost.exe 2->12         started        15 svchost.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 dnsIp5 47 support-Y3Jpc2dvbj...GV2YWd1c3Rhcg==.exe, PE32 9->47 dropped 20 AcroRd32.exe 15 39 9->20         started        22 support-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgbGVsZW5vbWFzY29uZWxnYXJyb3RlcXVlbGV2YWd1c3Rhcg==.exe 6 9->22         started        67 Changes security center settings (notifications, updates, antivirus, firewall) 12->67 24 MpCmdRun.exe 12->24         started        69 Query firmware table information (likely to detect VMs) 15->69 49 127.0.0.1 unknown unknown 17->49 26 support-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgbGVsZW5vbWFzY29uZWxnYXJyb3RlcXVlbGV2YWd1c3Rhcg==.exe 2 22 17->26         started        29 support-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgbGVsZW5vbWFzY29uZWxnYXJyb3RlcXVlbGV2YWd1c3Rhcg==.exe 3 17->29         started        file6 signatures7 process8 dnsIp9 31 RdrCEF.exe 66 20->31         started        34 AcroRd32.exe 8 6 20->34         started        36 conhost.exe 24->36         started        55 anyplace-gateway.info 76.72.163.161, 443, 49703, 49704 DATABASEBYDESIGNLLCUS United States 26->55 process10 dnsIp11 57 192.168.2.1 unknown unknown 31->57 38 RdrCEF.exe 31->38         started        41 RdrCEF.exe 31->41         started        43 RdrCEF.exe 31->43         started        45 2 other processes 31->45 process12 dnsIp13 53 80.0.0.0 NTLGB United Kingdom 38->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04784d46d726d64b9c5a4562c89230e2be58e0349b0bee477c56699676549ef9/
Threat name:
Win32.Trojan.AnyplaceControl
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 16:14:15 UTC
AV detection:
15 of 47 (31.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ar4e2rwxe3lexhc2ivrmrerq4k7frybutmf64r34kzuzm5sut34q._file
Verdict:
suspicious
Similar samples:
060f47ff732e52dad19d6f2803617491cf640f845d828846b481184427e379a9
267c37f15594e1b55c509e743784ba4e05a7f2d5aa554a55a9357d1fc45b74f4
41609e0f1ff71e0b6421e8e3bfbac0307c0f5f80f9e1b3b60de547a54a80de51
4f79aa8d648c5a999fb91196040b6b68db284ba1b892217563df71db9ae477f3
61640080e5604b1f88734d5d6d4dc118a79f3670053d5b297e0353dce9fa60bb
8ea2458e1ff6924354036dedcbf1ee6ae2a406c97f984651b1d6ba9309c3a1e7
a144d424d0ace63551d67ee67efe8ff6242df2b5c55d8f2494e0731f2d88f711
bf29918a0b7d197baf8bfe6c2338ca4f5428280ba5375cb48fd02b92acc55f38
d322d619b77d7e1734dedd8f7f00c815fad6a59621ed9021be4a7866123c33a4
ffe8dbb5865f5493872432f968c9a6183fdf7b79f62b17b5093af5028497cb33
+ 518 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
bootkit persistence
Link:
https://tria.ge/reports/210524-kfpyr7tcln/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04784d46d726d64b9c5a4562c89230e2be58e0349b0bee477c56699676549ef9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 04784d46d726d64b9c5a4562c89230e2be58e0349b0bee477c56699676549ef9

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments