MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15277d4f13e407cf9044a963f97a27d81b3ea6ee4df85aa2443c7596f79bd2fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 11



SHA256 hash: 15277d4f13e407cf9044a963f97a27d81b3ea6ee4df85aa2443c7596f79bd2fc
SHA3-384 hash: adb783b03651e4808b1f09b62f4ef6e0fc50d2e9c73ee2cfdb3a93060bc5539ec6e50d2eeff0aa11a42ed62d56e38300
SHA1 hash: 47f54aa2682275845734a6663b57e14fae8adf09
MD5 hash: f09529be487a02ca6637cdafae71bbcd
humanhash: enemy-illinois-cardinal-tango
File name: file
File size: 7'377'654 bytes
First seen: 2024-02-28 10:43:53 UTC
Last seen: 2024-02-28 12:48:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 98304:GMt8k1h+HTKeI6Cv90r50KgY6fP/X4fDSkXlSAjTB3yehKJr3ZIriAgkRW79mO2M:GMtwueI19vKg4Sk1Sg5oxJhAB2Cwkt+
TLSH: T10976335B5E9A1073F172F2F241A1A76BF39C204D91360B8B6235DF197C20A66CE7E742
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Bitsight
Tags: exe


Bitsight
url: http://185.172.128.19/DigitalCloud.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 368
Origin country: US

Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 84 / 100
Signature:
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Installs new ROOT certificates
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 1400140; sample: file.exe; start date: 28/02/2024; architecture: WINDOWS; score: 84): rendered graph not reproduced.
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-02-28 10:44:06 UTC
File Type: PE (Exe)
Extracted files: 25
AV detection: 17 of 24 (70.83%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unpacked files
Detections (on one unpacked file): INDICATOR_EXE_Packed_SilentInstallBuilder
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 15277d4f13e407cf9044a963f97a27d81b3ea6ee4df85aa2443c7596f79bd2fc (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

Comments