MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11b320bead835f38bc205fb5a99783f0a2a886fbf510a82e71159bc14bbe4163. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11b320bead835f38bc205fb5a99783f0a2a886fbf510a82e71159bc14bbe4163
SHA3-384 hash: ece90b78e995119d8ab5f32c063d32d89722eeca9106133b739eb9df7fb3b411916dce136c40e54d9acf4e63ffe14419
SHA1 hash: c53059bc0b532b39d07469f441c3942049f8a8c2
MD5 hash: 6c642adbc5047e5a5e698cbdc10041cf
humanhash: lake-eight-berlin-utah
File name:11b320bead835f38bc205fb5a99783f0a2a886fbf510a82e71159bc14bbe4163
Download: download sample
File size:13'589'864 bytes
First seen:2021-08-10 18:14:33 UTC
Last seen:2021-08-10 19:01:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep 393216:KE95C1ymMG78D0008Oz871QSLO+Qa9+14Sj38Rh4eIu:Xz1O7XSLO29O4uhu
TLSH T1D4D63342A7C2CB92ECE20835B5668AF46C382CC9435074575F523E7BFA7136137A6E72
dhash icon 8e3169694949718e (3 x Stealc, 2 x Pikabot, 1 x RecordBreaker)
Reporter JAMESWT_WT
Tags:Bitdefender SRL exe SigFlip signed

Code Signing Certificate

Organisation:Bitdefender SRL
Issuer:DigiCert Assured ID Code Signing CA-1
Algorithm:sha1WithRSAEncryption
Valid from:2019-03-19T00:00:00Z
Valid to:2021-05-18T12:00:00Z
Serial number: 03330d8cef025a5623983a51ce0eb969
Thumbprint Algorithm:SHA256
Thumbprint: 2ba08d5bffdcc75c33cbc196b2411deb768405344dbf80ad5983976af3c4c875
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
11b320bead835f38bc205fb5a99783f0a2a886fbf510a82e71159bc14bbe4163
Verdict:
Malicious activity
Analysis date:
2021-08-10 18:16:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d047eb2f-9313-4d40-8cb5-ec3a5a65ffa6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.12081.7052.15935.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Connection attempt
Sending a custom TCP request
Modifying a system executable file
Moving a file to the Program Files subdirectory
Moving a file to the %temp% subdirectory
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Sending a UDP request
Deleting a recently created file
Creating a file
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Creating a service
Launching a service
Creating a file in the Windows subdirectories
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/eea73dca-4513-4a60-a9a7-dfc5020f4519
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
34 / 100
Link:
https://www.joesandbox.com/analysis/830455
Signature
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 462885 Sample: ARDTGzRRVa Startdate: 10/08/2021 Architecture: WINDOWS Score: 34 66 93.184.220.29 EDGECASTUS European Union 2->66 84 Multi AV Scanner detection for submitted file 2->84 86 Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines) 2->86 88 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 2->88 90 Queries memory information (via WMI often done to detect virtual machines) 2->90 10 ARDTGzRRVa.exe 22 2->10         started        13 ProductAgentService.exe 2->13         started        16 svchost.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 40 C:\Users\user\AppData\...\setuppackage.exe, PE32 10->40 dropped 42 C:\Users\user\AppData\...\agentpackage.exe, PE32 10->42 dropped 44 C:\Users\user\AppData\Local\...\deploy.dll, PE32 10->44 dropped 48 2 other files (none is malicious) 10->48 dropped 20 agent_launcher.exe 3 10->20         started        78 192.229.220.142 EDGECASTUS United States 13->78 46 C:\Windows\Temp\bd_F7EF.tmp\pfwF7F0.tmp, PE32 13->46 dropped 80 20.54.110.249 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->80 82 192.168.2.1 unknown unknown 16->82 file6 process7 dnsIp8 68 205.185.216.10 HIGHWINDS3US United States 20->68 70 8.8.8.8 GOOGLEUS United States 20->70 23 bddeploy.exe 2 20->23         started        process9 process10 25 installer.exe 62 264 23->25         started        30 setuppackage.exe 45 23->30         started        dnsIp11 72 91.199.212.52 SECTIGOGB United Kingdom 25->72 74 34.120.243.77 GOOGLEUS United States 25->74 76 5 other IPs or domains 25->76 50 C:\Program Files\...\ProductAgentService.exe, PE32 25->50 dropped 52 C:\Program Files\...\bdsubwiz.ui, PE32 25->52 dropped 54 C:\Program Files\...\ProductAgentUI.ui, PE32 25->54 dropped 62 89 other files (none is malicious) 25->62 dropped 92 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 25->92 94 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 25->94 96 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 25->96 98 Queries memory information (via WMI often done to detect virtual machines) 25->98 32 ProductAgentService.exe 25->32         started        34 ProductAgentService.exe 25->34         started        36 ProductAgentService.exe 25->36         started        38 ProductAgentService.exe 25->38         started        56 C:\Users\user\AppData\Local\...\installer.exe, PE32 30->56 dropped 58 C:\Users\user\AppData\Local\...\unrar.dll, PE32 30->58 dropped 60 C:\Users\user\AppData\Local\...\sciter.dll, PE32 30->60 dropped 64 26 other files (none is malicious) 30->64 dropped file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11b320bead835f38bc205fb5a99783f0a2a886fbf510a82e71159bc14bbe4163/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-07 10:51:50 UTC
File Type:
PE (Exe)
Extracted files:
634
AV detection:
7 of 28 (25.00%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/210810-m2s7cxdvye/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks installed software on the system
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
28d5531ad3180a2f9191f89c1fde3348dffbb551a455f8c2b454dfaf231adfd7
MD5 hash:
71225696d617178f824869e790195677
SHA1 hash:
a1998ed87eb4b70fe4f342ff8fc0564ed4ff30a4
Link:
https://www.unpac.me/results/00155ec5-0d98-4237-a023-3a32354bf7b7/
SH256 hash:
1666f3b04905e42cb34b29279099697f11a371bd8b8fae81c4bc58f0b0970ed8
MD5 hash:
f7cf0943193bbf122fdfd5a36bf2ed27
SHA1 hash:
b82f99435f910933a0010bf737d1ade218dc0389
Link:
https://www.unpac.me/results/00155ec5-0d98-4237-a023-3a32354bf7b7/
SH256 hash:
f0458a3e8e4d725028e1d4a916f464137af567bd340a728d75b8d38550fe0783
MD5 hash:
74ff8cf86f2c553855368c66ce008017
SHA1 hash:
7a34696b5e7793b0d8445300c7ff0382ee989541
Link:
https://www.unpac.me/results/00155ec5-0d98-4237-a023-3a32354bf7b7/
SH256 hash:
a5ddf7a77b040be59c758d173cfbaf0efd5e599965faabec885ed568e2fe3f94
MD5 hash:
b7ad43d0989551982172ba182303d88e
SHA1 hash:
63cef9c893c74f17c234a046b2cbadf97da406df
Link:
https://www.unpac.me/results/00155ec5-0d98-4237-a023-3a32354bf7b7/
SH256 hash:
11b320bead835f38bc205fb5a99783f0a2a886fbf510a82e71159bc14bbe4163
MD5 hash:
6c642adbc5047e5a5e698cbdc10041cf
SHA1 hash:
c53059bc0b532b39d07469f441c3942049f8a8c2
Link:
https://www.unpac.me/results/00155ec5-0d98-4237-a023-3a32354bf7b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11b320bead835f38bc205fb5a99783f0a2a886fbf510a82e71159bc14bbe4163

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments