MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 095a3f84debd7481b880016a770c211a793847f61c72499b4702b16fd9666b28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cutwail

Vendor detections: 12



SHA256 hash: 095a3f84debd7481b880016a770c211a793847f61c72499b4702b16fd9666b28
SHA3-384 hash: dcf92311c2ba8b1e0b6d6c9e3f820472b6a3169e97bda7d58d481deb61b15577dc5a9de5d8cef354f1000b82c8fad834
SHA1 hash: 1b77f4b3443037620ed75804e422fa347d146077
MD5 hash: 2a3acbec7baefea2c2b0eb20ff253eed
humanhash: low-beer-four-island
File name: 2a3acbec7baefea2c2b0eb20ff253eed
Signature: Cutwail
File size: 189'952 bytes
First seen: 2022-06-03 06:52:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: cb379c000a7cf90a80518fa5bc4f4cb5 (2 x Smoke Loader, 1 x Cutwail, 1 x Loki)
ssdeep: 1536:lzmWRottrUPg+oX/FhukfrMzy/ihDYGe3D/mVvwspq3D4ojorTpPpIzuknMbusKV:laQorQY/fukI2WDYGosv/83wPG6bu3F
Threatray: 6 similar samples on MalwareBazaar
TLSH: T16604BE2473A0C0B6F0B32A305476CE629AFBB83215B8D04B3BD4177A6F616D09B75767
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5c59da3ce0c1c850 (36 x Stop, 33 x Smoke Loader, 26 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 Cutwail exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 984
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2a3acbec7baefea2c2b0eb20ff253eed
Verdict: Malicious activity
Analysis date: 2022-06-03 06:54:19 UTC
Tags: trojan sinkhole

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Send many emails (e-Mail Spam)
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Behaviour
Behavior Graph: graph ID 638612, sample Rxpb2zKOR3, start date 03/06/2022, architecture WINDOWS, score 100. (Graph image not reproduced; it shows the sample dropping C:\Users\user\tibqanobatib.exe, spawning multiple svchost.exe processes via injection, and contacting several hundred IPs or domains, which are omitted here.)
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-05-31 14:45:29 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: persistence suricata upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
suricata: ET MALWARE Backdoor.Win32.Pushdo.s Checkin
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
Unpacked files
SHA256 hash: 2667c1ba9a3c1f4b69b0adc75c2ce242373823927b3e5c94d5cb670274c28c93
MD5 hash: 8dbe23493c7ca72a67185942a642a211
SHA1 hash: aab74fa20f0c9b641755cfc45d3c3df62928b78c
SHA256 hash: 095a3f84debd7481b880016a770c211a793847f61c72499b4702b16fd9666b28
MD5 hash: 2a3acbec7baefea2c2b0eb20ff253eed
SHA1 hash: 1b77f4b3443037620ed75804e422fa347d146077

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Malware family | File
Web download | Cutwail | Executable exe 095a3f84debd7481b880016a770c211a793847f61c72499b4702b16fd9666b28 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-06-03 06:52:26 UTC

url: hxxp://37.120.222.121/store/items/63.exe