MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 113b7aff48b582a8b8e6724245c39bc7440ed187463365dfbe1b4ebc5c2adc49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 113b7aff48b582a8b8e6724245c39bc7440ed187463365dfbe1b4ebc5c2adc49
SHA3-384 hash: fbf13d5ade239f0012ec858b20f79c8b2becb10beed26f0aac0a979cdcbd8104851b29bb74bc9ef5ceb77853e8df3540
SHA1 hash: 7cdd44d7705bd5d6c51e03645b0f563b04cb3ddb
MD5 hash: 2ee84cfcc3797afb0ca991abffab0e91
humanhash: leopard-purple-stairway-purple
File name:2ee84cfcc3797afb0ca991abffab0e91
Download: download sample
File size:3'491'348 bytes
First seen:2024-03-31 07:39:59 UTC
Last seen:2024-03-31 08:22:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 589be695d15ae485345af74a6a05fda6
ssdeep 49152:ABKTL8/aQ5rs+kbSINyRjZ9wY4m3YSiUFofvYRbQQErY+bwG7QtdBBwas+69C8DS:ABR/aQNkBNtm3TpofQtJ+bJ7+drnmD2v
TLSH T104F53358CDF5EA2FE411ECFD9280C8FD1F44C417CA2D93A57426999B0899882CBD8F96
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
412
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
113b7aff48b582a8b8e6724245c39bc7440ed187463365dfbe1b4ebc5c2adc49.exe
Verdict:
Malicious activity
Analysis date:
2024-03-31 07:44:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d69d36cb-6fd9-4d13-843f-602002db6a6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
DNS request
Connection attempt
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/66091353582adaab043c1787/reports/54bc9ce8-2a6e-4178-a80c-c4144e0508af/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/113b7aff48b582a8b8e6724245c39bc7440ed187463365dfbe1b4ebc5c2adc49
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a4f05a8d-3f01-4562-8c18-90baeefe3261
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1417970
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417970 Sample: t1995Cfuz2.exe Startdate: 31/03/2024 Architecture: WINDOWS Score: 100 41 kraykray69.ddns.net 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Machine Learning detection for sample 2->47 51 2 other signatures 2->51 9 t1995Cfuz2.exe 1 2->9         started        12 WinUpdater.exe 1 2->12         started        14 WinUpdater.exe 1 2->14         started        signatures3 49 Uses dynamic DNS services 41->49 process4 signatures5 53 Query firmware table information (likely to detect VMs) 9->53 55 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->55 57 Modifies the context of a thread in another process (thread injection) 9->57 16 t1995Cfuz2.exe 3 3 9->16         started        19 conhost.exe 9->19         started        59 Hides threads from debuggers 12->59 61 Injects a PE file into a foreign processes 12->61 63 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->63 21 WinUpdater.exe 12->21         started        23 conhost.exe 12->23         started        65 Found direct / indirect Syscall (likely to bypass EDR) 14->65 67 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 14->67 25 conhost.exe 14->25         started        27 WinUpdater.exe 14->27         started        process6 file7 37 C:\Users\user\AppData\...\WinUpdater.exe, PE32+ 16->37 dropped 29 WinUpdater.exe 1 16->29         started        process8 signatures9 69 Antivirus detection for dropped file 29->69 71 Multi AV Scanner detection for dropped file 29->71 73 Query firmware table information (likely to detect VMs) 29->73 75 8 other signatures 29->75 32 WinUpdater.exe 1 3 29->32         started        35 conhost.exe 29->35         started        process10 dnsIp11 39 kraykray69.ddns.net 109.154.86.159, 100 BT-UK-ASBTnetUKRegionalnetworkGB United Kingdom 32->39
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/113b7aff48b582a8b8e6724245c39bc7440ed187463365dfbe1b4ebc5c2adc49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/113b7aff48b582a8b8e6724245c39bc7440ed187463365dfbe1b4ebc5c2adc49/
Threat name:
Win64.Backdoor.Androm
Create hunting rule
Status:
Suspicious
First seen:
2024-03-31 08:06:20 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ce5xv72iwwbkrohgojbelq43y5ca5umhiyzwlx56dnhlyxbk3req._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/240331-jhh2tsgb5t/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
113b7aff48b582a8b8e6724245c39bc7440ed187463365dfbe1b4ebc5c2adc49
MD5 hash:
2ee84cfcc3797afb0ca991abffab0e91
SHA1 hash:
7cdd44d7705bd5d6c51e03645b0f563b04cb3ddb
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/40c5617a-ef38-47ba-a80c-a748972d71d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/113b7aff48b582a8b8e6724245c39bc7440ed187463365dfbe1b4ebc5c2adc49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 113b7aff48b582a8b8e6724245c39bc7440ed187463365dfbe1b4ebc5c2adc49

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2797155/

Comments


Avatar
zbet commented on 2024-03-31 07:40:00 UTC

url : hxxp://185.196.10.233/fgghghg.exe