MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 134c23ec245a8e10995adfa594154b61bf94e1e5016cf5daeb2b8d594bb16448. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mallox


Vendor detections: 11



SHA256 hash: 134c23ec245a8e10995adfa594154b61bf94e1e5016cf5daeb2b8d594bb16448
SHA3-384 hash: e7b175c1f979f3e3a78fdd94324c714a0c86496cfd5cf92d9b3d941ed75c8c44ac58eb3795c4cae7c0ef343adbfbbb4e
SHA1 hash: d94c8ec04b26231e30143e11d03ef3dc90b0af03
MD5 hash: f369250db766a9469a786daf30c43d97
humanhash: kentucky-batman-july-seven
File name: 1.exe
Signature: Mallox
File size: 37'888 bytes
First seen: 2023-07-26 18:32:54 UTC
Last seen: 2023-07-27 02:15:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep: 768:Sur9dUnBnvK4spMElEOdwVXYZ1DpgfmZi8DkbVh:Kpy4sAV0Dpgj8DkP
Threatray: 2'366 similar samples on MalwareBazaar
TLSH: T17C0318037F5DA5A0D6949B3FC9A794100773EA82F923CA1E784A236B1C137BADD5134B
TrID: 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 0030007171003000 (1 x Mallox)
Reporter: petrovic
Tags: exe Mallox Ransomware

Intelligence


File Origin
# of uploads: 3
# of downloads: 737
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: http://80.66.75.37/Zqbpytwp.exe
Verdict: Malicious activity
Analysis date: 2023-07-26 18:07:13 UTC
Tags: loader mallox ransomware evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% directory
Running batch commands
Creating a file in the %AppData% directory
Launching a process
Creating a file
Changing a file
Creating a file in the Program Files subdirectories
Creating a process with a hidden window
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Deleting volume shadow copies
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Encrypting user's files
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: TargetCompany Ransomware
Verdict: Malicious
Result
Threat name: Targeted Ransomware, TrojanRansom
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Downloads files with wrong headers with respect to MIME Content-Type
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Opens network shares
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses bcdedit to modify the Windows boot settings
Uses cmd line tools excessively to alter registry or file data
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RansomwareGeneric
Yara detected Targeted Ransomware
Yara detected TrojanRansom
Behaviour
Behavior Graph: [graph image not reproduced; header: Behavior Graph ID 1280624, Sample 1.exe, Startdate 26/07/2023, Architecture WINDOWS, Score 100. The rendered graph's process, network and dropped-file nodes are omitted here.]
Threat name: Win32.Ransomware.Targetcomp
Status: Malicious
First seen: 2023-07-26 15:56:01 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion persistence ransomware
Behaviour
Interacts with shadow copies
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Modifies file permissions
Stops running service(s)
Deletes shadow copies
Renames multiple (2577) files with added filename extension
Renames multiple (3608) files with added filename extension
Unpacked files
SHA256 hash: 134c23ec245a8e10995adfa594154b61bf94e1e5016cf5daeb2b8d594bb16448
MD5 hash: f369250db766a9469a786daf30c43d97
SHA1 hash: d94c8ec04b26231e30143e11d03ef3dc90b0af03
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Mallox, Executable exe, SHA256 134c23ec245a8e10995adfa594154b61bf94e1e5016cf5daeb2b8d594bb16448 (this sample)

Delivery method: Distributed via web download
