MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05d38ac5460418b0aa813fc8c582ee5be42be192de10d188332901157c54287c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05d38ac5460418b0aa813fc8c582ee5be42be192de10d188332901157c54287c
SHA3-384 hash: 91a824c1ee46eb16d48284011c03c5b6fa330664e9ff7a176d0d8b5ee30d75bbd8a2ed957d55bbbe6e5683a3aaedc869
SHA1 hash: 0546178c38a3abb7837156bd6ff5fe890fa07e41
MD5 hash: 6f504e4d2887038775a8636d246f38a1
humanhash: kitten-cup-comet-king
File name:aXSz3.exe
Download: download sample
File size:94'720 bytes
First seen:2021-04-11 23:37:46 UTC
Last seen:2021-04-12 00:37:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 1536:H7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfiwRwOr:b7DhdC6kzWypvaQ0FxyNTBfiOf
Threatray 47 similar samples on MalwareBazaar
TLSH 5E936D41F3E202F7EAF1053100AA626F973663389764E8DBC74C3D529913AD5A63D3E9
Reporter ffforward
Tags:CollectorProject exe Loader PandaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aXSz3.exe
Verdict:
Malicious activity
Analysis date:
2021-04-11 23:39:12 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/6be732d1-f368-4ae9-a236-f4e1305676cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133572/
Detection(s):
PUA.Win.Packer.Purebasic-2
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.34587420.17402.2208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Replacing files
Reading critical registry keys
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Running batch commands
Forced system process termination
Deleting a recently created file
Stealing user critical data
Launching a file downloaded from the Internet
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e22aa44a-787b-4fd0-975c-4a585a433081
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/672354
Signature
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
PowerShell case anomaly found
Powershell drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 385125 Sample: aXSz3.exe Startdate: 12/04/2021 Architecture: WINDOWS Score: 92 60 Multi AV Scanner detection for domain / URL 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 11 aXSz3.exe 8 2->11         started        13 aXSz3.exe 8 2->13         started        process3 process4 15 cmd.exe 1 11->15         started        18 conhost.exe 11->18         started        20 cmd.exe 1 2 13->20         started        22 conhost.exe 13->22         started        signatures5 78 Uses cmd line tools excessively to alter registry or file data 15->78 80 Bypasses PowerShell execution policy 15->80 82 Drops PE files to the startup folder 15->82 84 PowerShell case anomaly found 15->84 24 aXSz3.exe 8 15->24         started        process6 process7 26 cmd.exe 3 24->26         started        30 conhost.exe 24->30         started        file8 50 C:\Users\user\AppData\Roaming\...\aXSz3.exe, PE32 26->50 dropped 52 C:\Users\user\...\aXSz3.exe:Zone.Identifier, ASCII 26->52 dropped 68 Uses cmd line tools excessively to alter registry or file data 26->68 70 Opens network shares 26->70 72 PowerShell case anomaly found 26->72 32 cmd.exe 1 26->32         started        35 reg.exe 1 1 26->35         started        37 reg.exe 1 1 26->37         started        signatures9 process10 signatures11 58 PowerShell case anomaly found 32->58 39 powershell.exe 14 21 32->39         started        process12 dnsIp13 54 23.92.213.108, 49712, 80 DACEN-2US United States 39->54 48 C:\Users\user\AppData\Local\...\DyEqOdpm.exe, PE32 39->48 dropped 66 Powershell drops PE file 39->66 44 DyEqOdpm.exe 7 39->44         started        file14 signatures15 process16 dnsIp17 56 prtboss.com 111.90.156.90, 49714, 80 VERDINABZ Malaysia 44->56 74 Multi AV Scanner detection for dropped file 44->74 76 Tries to harvest and steal browser information (history, passwords, etc) 44->76 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05d38ac5460418b0aa813fc8c582ee5be42be192de10d188332901157c54287c/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-10 20:06:59 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
27 of 48 (56.25%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
05a8800b05cf0c4293f9dcc297873f36691161746aec7b65e31b0e32c8f0bebb
076dfc0a55afc36cdfd6dff84cfd0feae23029843e745b7f122980b341f7b710
28d1ce2d141fcfc52b6b8a81f5424920ba2818a14e8ac201446697ff977082de
3ae3550b6baf30136ce9b846725c3322f23ee8428c2984750a2cfe02843993e9
8d31cd4a15ce8347ee5d40ec43f3f0f6f1938887613d8dd58962df1cf7bfebca
bf8e538a1d561cdae7c44e0e722e114c9f9e71bf30a6aa1ddbfca6d4998796ba
df1decc9154f20f51344ffe9b9916d3aef823d779fbd9494c535c562fadd9cdb
e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16
f5e4f8cf4a6691806c1fa4f0718cae9d5ff5ad41088b57a4cbcdabed09dcba2e
f65104f0852b7100789837a9a52099a876bc6279f7d2f0d9d74946326cfe915e
+ 37 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210411-w484abm4tx/
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Registers COM server for autorun
Malware Config
Dropper Extraction:
http://23.92.213.108/po/tai1.exe
Unpacked files
SH256 hash:
05d38ac5460418b0aa813fc8c582ee5be42be192de10d188332901157c54287c
MD5 hash:
6f504e4d2887038775a8636d246f38a1
SHA1 hash:
0546178c38a3abb7837156bd6ff5fe890fa07e41
Link:
https://www.unpac.me/results/0a39dcf6-e32b-4100-859d-6b03a93ea079/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05d38ac5460418b0aa813fc8c582ee5be42be192de10d188332901157c54287c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

0a9f466fb5526fd512dd48c3ba9551dbd342bdb314a87d5c6f730d3c80041da6

Executable exe 05d38ac5460418b0aa813fc8c582ee5be42be192de10d188332901157c54287c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1106793/
  
Dropped by
SHA256 0a9f466fb5526fd512dd48c3ba9551dbd342bdb314a87d5c6f730d3c80041da6
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133572/

Comments