MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10c57150f54d66920e6dd383c996f77f27f5f34fc95f5b41d427be230b365f50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adhubllka


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10c57150f54d66920e6dd383c996f77f27f5f34fc95f5b41d427be230b365f50
SHA3-384 hash: 2be345912dad3c8a35db37926e44532d8cf79289091f0794df052f418033bb1cd27d1d43a53ae5e8bbce3f19ef5c1a34
SHA1 hash: 7c281b3f1f1340db2a76ec34adb0a3d16f2789a7
MD5 hash: 6953d6e1a2d8df8e0d2e76263e8b3115
humanhash: red-two-twelve-helium
File name:SecuriteInfo.com.Win32.PWSX-gen.9919.21106
Download: download sample
Signature Adhubllka
Create hunting rule
File size:718'336 bytes
First seen:2022-12-01 17:31:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:s9DPzBVpAq4Y0lfi+jS++WrcvTNntefgE924MSIDfPA3J3c/zsNtyuped5rz:SVpAPq+oucvJUl924qPyREzsNt5gdlz
TLSH T179E412A977CD67E9E1BEC73205A2201052F5F46F9597E78E3F8E849C7A43744CB02A02
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:Adhubllka exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.9919.21106
Verdict:
Malicious activity
Analysis date:
2022-12-01 17:34:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/66b6cfc8-02a9-4083-8861-78202127593c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341246/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.9919.21106.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Changing a file
Moving a recently created file
Сreating synchronization primitives
Modifying an executable file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6388e514579915b6b303dc91/reports/ddc71171-a1ac-47d0-9f29-0007f0f01809/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53de0ea8-ef4a-4094-8849-832259800f5b
Result
Threat name:
Cryptolocker, ObzCrypt
Create hunting rule
Detection:
malicious
Classification:
rans.spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1125626
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Drops executable to a common third party application directory
Found ransom note / readme
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes a notice file (html or txt) to demand a ransom
Yara detected AntiVM3
Yara detected Cryptolocker ransomware
Yara detected ObzCrypt Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10c57150f54d66920e6dd383c996f77f27f5f34fc95f5b41d427be230b365f50/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-12-01 17:32:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdcxcuhvjvtjedtn2ob4tfxxp4t7l42pzfpvwqoue67cgczwl5ia._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware
Link:
https://tria.ge/reports/221201-v4as5afc31/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bfe62dcf-619b-4e6a-868c-ae248e3e7eb5
Unpacked files
SH256 hash:
a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash:
404efdeb9931733904da07f96fabeb72
SHA1 hash:
7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
Link:
https://www.unpac.me/results/eebeb28a-53f6-4156-81e5-79cd4c0b6658/
SH256 hash:
269a4d7b29b8e1883c505676dc03357f317f9214af0854f518d4778cfad1f7f5
MD5 hash:
6794e632ac61a87e6c53c7cf4086798a
SHA1 hash:
142dc4f2ea0dd132d9614f86b9bcda03c7d5cc77
Detections:
win_adhubllka_auto
Create hunting rule
win_adhubllka_a0
Create hunting rule
Link:
https://www.unpac.me/results/eebeb28a-53f6-4156-81e5-79cd4c0b6658/
Parent samples :
edb7c1252fc4d53a733afe5b74dfab6395bcd90ea2c3cf0664e3b610e84e24d6
10c57150f54d66920e6dd383c996f77f27f5f34fc95f5b41d427be230b365f50
SH256 hash:
fd3666b46c29f572bffe6b006573bd963a4f50230f92f18885cd8ec07435e457
MD5 hash:
e37969262b3650875fb7b20b2181ead2
SHA1 hash:
107cb400a8ec41d573efc51e1776676407da54c5
Link:
https://www.unpac.me/results/eebeb28a-53f6-4156-81e5-79cd4c0b6658/
SH256 hash:
7d68b5f4936616d8b154b243b9ac3ff5648157f44497470bf572d954cf61fc65
MD5 hash:
88eb7cfe6ea5fe34b070ddb61b1d36aa
SHA1 hash:
fbc90dbdeb6d30de068d574c6cfc1f3bcc91a124
Link:
https://www.unpac.me/results/eebeb28a-53f6-4156-81e5-79cd4c0b6658/
SH256 hash:
65d273cd1188c80de24ecd9f7da1726da44c36cc3615c13bb385f90ed7494ccc
MD5 hash:
115b07452f29ac45aa4aa108c1e20d4a
SHA1 hash:
d25c5db3504d394d22ee4b072c8c6f37c3c0cb73
Link:
https://www.unpac.me/results/eebeb28a-53f6-4156-81e5-79cd4c0b6658/
SH256 hash:
b4573dff83262ba3d6d14b458170b50f807c979446761d61cfdc3cea179149a7
MD5 hash:
6d4af8c17b0689ccb82e3338ef30d509
SHA1 hash:
4653f9cbd487f813007321e5d742415d92560c09
Link:
https://www.unpac.me/results/eebeb28a-53f6-4156-81e5-79cd4c0b6658/
SH256 hash:
646cfa95457933241da354f702a8650db8f148a4761138fa6cf4b1d7ab2222e2
MD5 hash:
0e2e5d4470928531a6d91df0a64b5500
SHA1 hash:
2d19099594018604ce9beef5aac591765ccdde56
Link:
https://www.unpac.me/results/eebeb28a-53f6-4156-81e5-79cd4c0b6658/
SH256 hash:
b5877b8e898513e054fd6dce5140a117f6687d1264cbe2654a8d78f9ee54d4f0
MD5 hash:
05bff6be0b2f7c43fee3b08a8d9a81ca
SHA1 hash:
2a05a25e78ed57fe2581f5850eabafe75a5ae08d
Link:
https://www.unpac.me/results/eebeb28a-53f6-4156-81e5-79cd4c0b6658/
SH256 hash:
21306098eb9d5dc4df05e83ae126defd729d8eb3ceed84a1ec5ca93d6581221a
MD5 hash:
5006b760903b1bef19e2a244b1f403b7
SHA1 hash:
1a880187179717aae840a30d116a30b11c37721e
Link:
https://www.unpac.me/results/eebeb28a-53f6-4156-81e5-79cd4c0b6658/
SH256 hash:
10c57150f54d66920e6dd383c996f77f27f5f34fc95f5b41d427be230b365f50
MD5 hash:
6953d6e1a2d8df8e0d2e76263e8b3115
SHA1 hash:
7c281b3f1f1340db2a76ec34adb0a3d16f2789a7
Link:
https://www.unpac.me/results/eebeb28a-53f6-4156-81e5-79cd4c0b6658/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/10c57150f54d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10c57150f54d66920e6dd383c996f77f27f5f34fc95f5b41d427be230b365f50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adhubllka

Executable exe 10c57150f54d66920e6dd383c996f77f27f5f34fc95f5b41d427be230b365f50

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2440838/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/341246/

Comments