MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 106192b8a521dcf90dad646e31067ce2d75731d682fd47c6568a4d0d5b2e37cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 106192b8a521dcf90dad646e31067ce2d75731d682fd47c6568a4d0d5b2e37cb
SHA3-384 hash: 348bd6a366ee2fbab1b7b37a8a220ff7767076ebf575069cd39cf4a6df03b3b9d5784bb837c940fb1e131d141323fceb
SHA1 hash: 4a12e5e47d6c536c1d0507469b74d1f00d3a3383
MD5 hash: ecf79e73e6fb52ecf16aeb6c5be30dd1
humanhash: wyoming-alaska-network-beryllium
File name:file.exe
Download: download sample
File size:142'336 bytes
First seen:2023-04-13 05:37:57 UTC
Last seen:2023-04-13 06:33:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e863e02eae3da12a6d4cb4073a73271e (1 x DCRat)
ssdeep 3072:7Joa2CTKg6BWRHoqtGm4GZ7b6RAaLD/TP4Dijcepm0dH2hfvn:K2oBOHo0tg/TEiA6fdHufvn
Threatray 9 similar samples on MalwareBazaar
TLSH T1EED32901BDCB95A1F0A525306091D7F5DE38E8726DB04A3BA2492A385D24F8CC5EDF7B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Suspicious activity
Analysis date:
2023-04-13 05:40:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ac6d740f-a4ee-4125-9eb2-422cc08861bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381947/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.13917.24361.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/77703/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm greyware packed
Link:
https://www.filescan.io/uploads/6437953bd7442971e960de82/reports/7a55473a-28a0-4c60-b473-c1a32d69631f/overview
Verdict:
Malicious
Labled as:
Ser.Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/106192b8a521dcf90dad646e31067ce2d75731d682fd47c6568a4d0d5b2e37cb
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aee41352-d514-4dd8-8e46-da0da8443e2c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213032
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 845948 Sample: file.exe Startdate: 13/04/2023 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for submitted file 2->42 44 Machine Learning detection for sample 2->44 6 file.exe 1 3 2->6         started        10 winboxupdate.exe 1 2->10         started        12 winboxupdate.exe 1 2->12         started        14 2 other processes 2->14 process3 file4 30 C:\Users\user\AppData\...\winboxupdate.exe, PE32 6->30 dropped 32 C:\Users\...\winboxupdate.exe:Zone.Identifier, ASCII 6->32 dropped 46 Uses cmd line tools excessively to alter registry or file data 6->46 48 Contains functionality to inject threads in other processes 6->48 50 Contains functionality to inject code into remote processes 6->50 16 attrib.exe 6->16         started        20 conhost.exe 6->20         started        52 Writes to foreign memory regions 10->52 54 Allocates memory in foreign processes 10->54 56 Creates a thread in another existing process (thread injection) 10->56 22 attrib.exe 10->22         started        24 conhost.exe 10->24         started        58 Injects a PE file into a foreign processes 12->58 26 conhost.exe 12->26         started        28 attrib.exe 12->28         started        60 Multi AV Scanner detection for dropped file 14->60 62 Machine Learning detection for dropped file 14->62 signatures5 process6 dnsIp7 34 89.238.170.250, 2227, 49699, 49700 M247GB United Kingdom 16->34 36 Found evasive API chain (may stop execution after checking mutex) 16->36 38 Found API chain indicative of sandbox detection 16->38 40 Tries to harvest and steal browser information (history, passwords, etc) 16->40 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/106192b8a521dcf90dad646e31067ce2d75731d682fd47c6568a4d0d5b2e37cb/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-04-13 03:27:30 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbqzfoffehopsdnnmrxdcbt44llvomowql6uprswrjgq2wzog7fq._file
Verdict:
malicious
Similar samples:
04da8f8e4a91cc205c1d93dcafbe8c78427f932fc777834f71f7e54946b8fa0e
19436fd438fa27785181288f8e75945be28469189de2b8f748ba17c3346bfa58
2784dec00079340b9b71f9adcf2b1aa710ee2f657c1999a99de70333070da53c
31ac76457a722b4ac51200a5753d18cd38574eb4ac493b4f09d5bc2d23e3490c
3ab4f041abd53fecc70c291ad0793bd4444f46737f11e1cc2ac299b4a7cb3530
a691e279bbc3870663eee9bce090e96f5359f01103489b3b3ccf2b4afc523e33
bf021a868b03fa52ae398181b986f44784c734daafb0aaca8aee6d810bf08b9b
dc37f437b526abcf8d7a19f6dddd7c776d664c6c35a6424d477bdd2c7ac0972f
ff79c54a78fe3d16dea2b1ec728c5a7978e36d8ff7bd16710575f79113ad4477
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/230413-gbp6fshf57/
Behaviour
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Program crash
Adds Run key to start application
Unpacked files
SH256 hash:
191905005fefa13a9f8e07538584b62f7038aaf7544368c4f646dcbb7b596125
MD5 hash:
f78b87045ee4a42936bdd77d3376fe69
SHA1 hash:
f051f4bbd1065b4c2b1da2b9e48c5a543dae8fb5
Link:
https://www.unpac.me/results/77c97429-4428-4892-a840-da3e0276722b/
SH256 hash:
106192b8a521dcf90dad646e31067ce2d75731d682fd47c6568a4d0d5b2e37cb
MD5 hash:
ecf79e73e6fb52ecf16aeb6c5be30dd1
SHA1 hash:
4a12e5e47d6c536c1d0507469b74d1f00d3a3383
Link:
https://www.unpac.me/results/77c97429-4428-4892-a840-da3e0276722b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/106192b8a521/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/106192b8a521dcf90dad646e31067ce2d75731d682fd47c6568a4d0d5b2e37cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/381947/

Comments