MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06a8a0cdefdff7c5fea9e0597c88458b16165963a9b0e2a3ae6c6920148b077d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06a8a0cdefdff7c5fea9e0597c88458b16165963a9b0e2a3ae6c6920148b077d
SHA3-384 hash: 8cdcd29fde90209dbe951ff70988e36904eb8b0a25c3ea14cda80d5908090a6878f4b9315d3642938637acffbb6bea5b
SHA1 hash: a451ae23bf7d4920bbe9b58172469e6f817b6aa3
MD5 hash: 467721f93f996e9cd32aa5934cdf6dc2
humanhash: september-steak-illinois-jupiter
File name:SecuriteInfo.com.Variant.Fugrafa.249470.8167.8990
Download: download sample
File size:2'290'343 bytes
First seen:2022-06-25 01:49:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e92b2275a730f59940462780c383a1b0 (26 x CryptOne, 3 x Loki, 2 x Mimic)
ssdeep 24576:I/XEXjJSFHUK2/mXVwp7QYR5WVrmUz3Lo3mJbsXHsokrhbrAGP1AOgEqVqd/i5jv:I/oSupO2mJJok5HqOgEqVqhi5N/CTk
Threatray 80 similar samples on MalwareBazaar
TLSH T142B54609A187E27BFCEC08A3455080D0C2AC7FAA7B528DCDE97AD586541F442F7B6D87
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283179/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/22793/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62b669a37e9a4f0a86dede41/reports/41eedd9b-e41d-45ec-9f8b-427a068da531/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b70e58f-0c59-4880-aa30-872520e5dfdf
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1019624
Signature
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 652120 Sample: SecuriteInfo.com.Variant.Fu... Startdate: 25/06/2022 Architecture: WINDOWS Score: 56 10 SecuriteInfo.com.Variant.Fugrafa.249470.8167.exe 3 8 2->10         started        file3 31 C:\Users\user\AppData\Local\...\YLk~aUhs.cpl, PE32 10->31 dropped 13 control.exe 1 10->13         started        process4 process5 15 rundll32.exe 13->15         started        process6 17 rundll32.exe 15->17         started        process7 19 rundll32.exe 1 14 17->19         started        dnsIp8 33 74.215.36.107, 49756, 8080 FUSE-NETUS United States 19->33 29 C:\Users\user\AppData\Local\Temp\4069fd.exe, PE32 19->29 dropped 35 System process connects to network (likely due to code injection or exploit) 19->35 24 4069fd.exe 19->24         started        file9 signatures10 process11 signatures12 37 Multi AV Scanner detection for dropped file 24->37 27 WerFault.exe 21 16 24->27         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06a8a0cdefdff7c5fea9e0597c88458b16165963a9b0e2a3ae6c6920148b077d/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-06-25 05:29:51 UTC
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2ukbtpp3734l7vj4bmxzccfrmlbmwldvgyofi5onrusafela56q._file
Verdict:
malicious
Similar samples:
1813421d5c1ef2be1cce2ea7716850f675c86600f1182465794583943706a8c7
3d10fa199856942dc50bb810376aa0e06a08ad01699871f945c7e3fe6198266f
48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800
862436265855ac8c2d4c8517da3d7f7572c57ccb520f6f76c18348fcaa893503
868bb2b1387c06898cc942fc7a2858a19c907622379e9705eeed3591c488cdb9
938c6ed84dd404ed8129ef773cc695ddecfb29203e34189760324caa569dfc97
a0dc657791e6bf1267c8ccb48f337569d9b77f46922c5dd4761010fc7b8f94a6
eba009319ed5e3e7a1350fc1464cc99aafb6405f0db3385c080cd0db10ce97c5
+ 70 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220625-b89ngahedl/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
06a8a0cdefdff7c5fea9e0597c88458b16165963a9b0e2a3ae6c6920148b077d
MD5 hash:
467721f93f996e9cd32aa5934cdf6dc2
SHA1 hash:
a451ae23bf7d4920bbe9b58172469e6f817b6aa3
Link:
https://www.unpac.me/results/2525201c-5401-4f75-9291-c325b7fd35fc/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/06a8a0cdefdf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06a8a0cdefdff7c5fea9e0597c88458b16165963a9b0e2a3ae6c6920148b077d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 06a8a0cdefdff7c5fea9e0597c88458b16165963a9b0e2a3ae6c6920148b077d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/283179/
  
URLhaus
https://urlhaus.abuse.ch/url/2249060/
  
Delivery method
Distributed via web download

Comments