MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11e4843a483f2a083b7daf71446ff19442ea1a924f4550dab5f059ee5893357f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11e4843a483f2a083b7daf71446ff19442ea1a924f4550dab5f059ee5893357f
SHA3-384 hash: 62aef219a34f8e26199da799bf33977e38ca7d6a4817e31290c7ca11d9cc03fbc0a6ebc79f020547801a655ecd957023
SHA1 hash: b93eac052e7c4cbfae2f7794732a43b0da0f2d59
MD5 hash: 56ffe6d517eba59c3543bad66d269d09
humanhash: california-summer-nuts-kitten
File name:56ffe6d517eba59c3543bad66d269d09.exe
Download: download sample
File size:2'387'456 bytes
First seen:2022-08-13 06:06:55 UTC
Last seen:2022-08-13 06:39:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:fD8AfBW6pU/l8rqXTafJlCOAxROujDvxequE:fYMW6quqgsHjEq
TLSH T1ADB5BE59089C14BFE989F7F8C03A0F1E45F64691F2D5AA6E2DB1993D6221CF1F827C48
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e09a676060678ee0 (14 x AsyncRAT, 5 x ValleyRAT, 4 x Formbook)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
56ffe6d517eba59c3543bad66d269d09.exe
Verdict:
No threats detected
Analysis date:
2022-08-13 06:09:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/25748319-cccd-4438-a82c-6175bebc4759

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298328/
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.449.31704.391.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.DownLoaderNET.449.1786.25964.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f73fdd080024921b70e46c/reports/6ff67105-94a4-468f-b057-2f6387210ac8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f8a3aa2-92ad-40e3-92bc-d9682b4d1047
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1050875
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 683385 Sample: 9z2cM3yw6j.exe Startdate: 13/08/2022 Architecture: WINDOWS Score: 100 30 41.140.13.0.in-addr.arpa 2->30 36 Multi AV Scanner detection for domain / URL 2->36 38 Antivirus detection for URL or domain 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 7 other signatures 2->42 9 9z2cM3yw6j.exe 1 2->9         started        13 9z2cM3yw6j.exe 2->13         started        signatures3 process4 file5 26 C:\Users\user\AppData\...\9z2cM3yw6j.exe.log, ASCII 9->26 dropped 44 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->46 48 Encrypted powershell cmdline option found 9->48 56 2 other signatures 9->56 15 9z2cM3yw6j.exe 4 9->15         started        50 Antivirus detection for dropped file 13->50 52 Multi AV Scanner detection for dropped file 13->52 54 Machine Learning detection for dropped file 13->54 19 9z2cM3yw6j.exe 2 13->19         started        signatures6 process7 dnsIp8 28 C:\Users\user\AppData\...\9z2cM3yw6j.exe, PE32+ 15->28 dropped 34 Encrypted powershell cmdline option found 15->34 22 powershell.exe 30 15->22         started        32 185.222.57.238, 49813, 49814, 49815 ROOTLAYERNETNL Netherlands 19->32 file9 signatures10 process11 process12 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11e4843a483f2a083b7daf71446ff19442ea1a924f4550dab5f059ee5893357f/
Threat name:
ByteCode-MSIL.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-08-07 14:15:40 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=chsiiosih4vaqo35v5yui37rsrbougusj5cvbwvv6bm64wetgv7q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220813-gvbgeaeden/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
11e4843a483f2a083b7daf71446ff19442ea1a924f4550dab5f059ee5893357f
MD5 hash:
56ffe6d517eba59c3543bad66d269d09
SHA1 hash:
b93eac052e7c4cbfae2f7794732a43b0da0f2d59
Link:
https://www.unpac.me/results/b6dabb45-48b8-404a-a422-2996db613297/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11e4843a483f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/11e4843a483f2a083b7daf71446ff19442ea1a924f4550dab5f059ee5893357f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 11e4843a483f2a083b7daf71446ff19442ea1a924f4550dab5f059ee5893357f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2272261/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/298328/

Comments