MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18a43fcc06880ac6a6beb2458e18333bc4dec989aa7dc484fb1c6eb9ac322b18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18a43fcc06880ac6a6beb2458e18333bc4dec989aa7dc484fb1c6eb9ac322b18
SHA3-384 hash: 6e1c1f25fe61e887eab2772b685bfe618cd49ed903326581adc420b22b2d4a2dda748f10ad52b5a37c0b03c7107b4435
SHA1 hash: 0ab5367817a301b32ae2328bb5111a35864c17be
MD5 hash: e4132b0e2e8a3e1f6760cdd273a68946
humanhash: august-kilo-sodium-nitrogen
File name:e4132b0e2e8a3e1f6760cdd273a68946.exe
Download: download sample
File size:866'718 bytes
First seen:2021-12-06 07:34:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:0Qnk3GDYKGcblwtX+t4Y8bmgFzfZgvguPEzcv/Lh6z0D+Xb5eQDbSrzjn0tMy:IAOcZwXYZ+fZOgFyiYsSrzTzy
TLSH T100050201BAC289B2E5731D33693E6B15697C7D201E25CA6FB3E8686DDE300919720F77
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e4132b0e2e8a3e1f6760cdd273a68946.exe
Verdict:
Malicious activity
Analysis date:
2021-12-06 07:44:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5e28da7a-18ff-4382-806c-fb7d7b84cfd9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211667/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Creating a process with a hidden window
Sending a custom TCP request
Launching a service
Launching a process
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1040/overview
Behaviour
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61adbd2d47ed217c01332be8/reports/b8edb189-a8f2-46ae-a331-6a6b3090c562/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8a34502-5d8a-4b51-bb0b-ade333364757
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/902029
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bypass UAC via CMSTP
Sigma detected: Conti Backup Database
Sigma detected: Disable or Delete Windows Eventlog
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Defender Exclusion
Sigma detected: PowerShell SAM Copy
Sigma detected: Suspicious PowerShell Invocations - Generic
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534508 Sample: uQTXE3DYD6.exe Startdate: 06/12/2021 Architecture: WINDOWS Score: 100 90 Sigma detected: Powershell adding suspicious path to exclusion list 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 Yara detected UAC Bypass using CMSTP 2->94 96 9 other signatures 2->96 10 uQTXE3DYD6.exe 4 13 2->10         started        13 svchost.exe 2->13         started        16 ???????????????.exe 2->16         started        18 6 other processes 2->18 process3 file4 62 C:\Users\user\AppData\Local\...\labor.exe, PE32 10->62 dropped 64 C:\Users\user\AppData\Local\...\watches.vbs, ASCII 10->64 dropped 20 wscript.exe 1 10->20         started        100 Changes security center settings (notifications, updates, antivirus, firewall) 13->100 23 MpCmdRun.exe 13->23         started        66 C:\Windows\Temp\y5ln0m5m.inf, Windows 16->66 dropped 68 C:\Windows\Temp\h1szvsjc.inf, Windows 18->68 dropped 70 C:\Windows\Temp\5mgziosk.inf, Windows 18->70 dropped signatures5 process6 dnsIp7 80 192.168.2.1 unknown unknown 20->80 25 labor.exe 9 20->25         started        29 conhost.exe 23->29         started        process8 file9 58 C:\Users\user\AppData\...\endogenies.exe, PE32 25->58 dropped 98 Multi AV Scanner detection for dropped file 25->98 31 endogenies.exe 9 12 25->31         started        signatures10 process11 file12 72 C:\Windows\Resources\Themes\...\svchost.exe, PE32 31->72 dropped 74 C:\Users\user\AppData\...\???????????????.exe, PE32 31->74 dropped 76 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 31->76 dropped 78 da619e6f-0198-441e-9cd9-943b1c465ea0.exe, PE32 31->78 dropped 82 Creates autostart registry keys with suspicious names 31->82 84 Drops PE files to the startup folder 31->84 86 Creates an autostart registry key pointing to binary in C:\Windows 31->86 88 3 other signatures 31->88 35 AdvancedRun.exe 1 31->35         started        37 powershell.exe 31->37         started        39 powershell.exe 31->39         started        41 8 other processes 31->41 signatures13 process14 file15 44 AdvancedRun.exe 35->44         started        46 conhost.exe 37->46         started        48 conhost.exe 39->48         started        60 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 41->60 dropped 50 conhost.exe 41->50         started        52 conhost.exe 41->52         started        54 conhost.exe 41->54         started        56 4 other processes 41->56 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18a43fcc06880ac6a6beb2458e18333bc4dec989aa7dc484fb1c6eb9ac322b18/
Threat name:
Win32.Trojan.PShell
Create hunting rule
Status:
Malicious
First seen:
2021-12-06 05:49:17 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/211206-jen4nsgch3/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
aa06c7e58462ffedd44c89bbf93c894cc0f5af0401a18331b6a695cc598faecc
MD5 hash:
499e60d62d1d85ba62f1606644c617dd
SHA1 hash:
a8ca8ab73021fe103c913beb0812ee2b84f2ba2a
Link:
https://www.unpac.me/results/816c783c-1fa7-4f1b-975f-ad24da45805d/
SH256 hash:
4bf744b5aaa4fe7744fea46b4e3b39359ca4724a85579abecdb662852acd7c22
MD5 hash:
9af1374fef18e1438f879e8cbeac8ed8
SHA1 hash:
2df24cc702882cc24fcb5b946dd110877dea36b7
Link:
https://www.unpac.me/results/816c783c-1fa7-4f1b-975f-ad24da45805d/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/816c783c-1fa7-4f1b-975f-ad24da45805d/
SH256 hash:
18a43fcc06880ac6a6beb2458e18333bc4dec989aa7dc484fb1c6eb9ac322b18
MD5 hash:
e4132b0e2e8a3e1f6760cdd273a68946
SHA1 hash:
0ab5367817a301b32ae2328bb5111a35864c17be
Link:
https://www.unpac.me/results/816c783c-1fa7-4f1b-975f-ad24da45805d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/18a43fcc0688/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18a43fcc06880ac6a6beb2458e18333bc4dec989aa7dc484fb1c6eb9ac322b18

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 18a43fcc06880ac6a6beb2458e18333bc4dec989aa7dc484fb1c6eb9ac322b18

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/211667/
  
URLhaus
https://urlhaus.abuse.ch/url/1709500/
  
Delivery method
Distributed via web download

Comments