MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18f56e715b634b3c0fbe3d4369f0cf0363d3a5315a3ae23cc2efb98b0e9aab69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18f56e715b634b3c0fbe3d4369f0cf0363d3a5315a3ae23cc2efb98b0e9aab69
SHA3-384 hash: 0645ae839b8e7c5c08a03d1022e3ecc82349d1b9b26f5319fa51133da953964942a6e615ad7547946bced5071dab3b2c
SHA1 hash: 11fb26d37e277269ebb6b8aaf50e4a653dce5c8c
MD5 hash: 019e1f95b1e28cd420364cbcd05fde0c
humanhash: rugby-nevada-nevada-floor
File name:019e1f95b1e28cd420364cbcd05fde0c
Download: download sample
File size:27'576 bytes
First seen:2021-10-28 17:27:06 UTC
Last seen:2021-10-28 21:02:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'472 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:xekc2D26R7pXha5eglsurxCbYLZlk3YFIyitI0VI0FGc1QzOQsmvGhgP:xJcMnacglHIbChXL0OQZ1QOmvGhq
Threatray 46 similar samples on MalwareBazaar
TLSH T1ABC24B3D8BD95233DC7A4F3684A14600BB74EA037853EF2F59CA914A49A334527F563E
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201013/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.24537.21307.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRansomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13a9b7cb-f709-452f-ac01-58ec43de774f
Result
Threat name:
Cryptolocker
Create hunting rule
Detection:
malicious
Classification:
rans.spre.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878779
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to detect sleep reduction / modifications
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Yara detected AntiVM3
Yara detected Cryptolocker ransomware
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 511213 Sample: fCARkQInjh Startdate: 28/10/2021 Architecture: WINDOWS Score: 100 86 Multi AV Scanner detection for submitted file 2->86 88 Yara detected UAC Bypass using CMSTP 2->88 90 Yara detected Cryptolocker ransomware 2->90 92 8 other signatures 2->92 7 fCARkQInjh.exe 18 7 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 5 other processes 2->16 process3 dnsIp4 82 cdn.discordapp.com 162.159.134.233, 443, 49749, 49750 CLOUDFLARENETUS United States 7->82 74 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 7->74 dropped 76 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->76 dropped 78 C:\Users\user\AppData\...\fCARkQInjh.exe.log, ASCII 7->78 dropped 98 Creates autostart registry keys with suspicious names 7->98 100 Creates an autostart registry key pointing to binary in C:\Windows 7->100 102 Adds a directory exclusion to Windows Defender 7->102 104 Drops PE files with benign system names 7->104 18 fCARkQInjh.exe 128 330 7->18         started        22 powershell.exe 24 7->22         started        24 powershell.exe 25 7->24         started        26 powershell.exe 24 7->26         started        84 162.159.129.233, 443, 49755, 49756 CLOUDFLARENETUS United States 12->84 106 System process connects to network (likely due to code injection or exploit) 12->106 108 Drops executables to the windows directory (C:\Windows) and starts them 12->108 28 svchost.exe 12->28         started        34 3 other processes 12->34 80 C:\Users\user\AppData\...\svchost.exe.log, ASCII 14->80 dropped 110 Writes many files with high entropy 14->110 112 Contains functionality to detect sleep reduction / modifications 14->112 30 svchost.exe 14->30         started        32 powershell.exe 14->32         started        36 2 other processes 14->36 file5 signatures6 process7 file8 56 M:\Recovery\WindowsRE\Winre.wim.MME (copy), data 18->56 dropped 68 23 other malicious files 18->68 dropped 94 Drops executable to a common third party application directory 18->94 96 Infects executable files (exe, dll, sys, html) 18->96 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        58 C:\Users\user\AppData\Local\...\ms.pak, data 28->58 dropped 60 C:\Users\user\AppData\Local\...\mr.pak, data 28->60 dropped 70 16 other malicious files 28->70 dropped 62 C:\Users\user\AppData\Local\...\youtube.crx, data 30->62 dropped 64 C:\Users\user\AppData\Local\...\gmail.crx, data 30->64 dropped 66 C:\Users\user\AppData\Local\...\drive.crx, data 30->66 dropped 72 10 other malicious files 30->72 dropped 44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 conhost.exe 34->48         started        50 conhost.exe 34->50         started        52 conhost.exe 36->52         started        54 conhost.exe 36->54         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18f56e715b634b3c0fbe3d4369f0cf0363d3a5315a3ae23cc2efb98b0e9aab69/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 17:28:04 UTC
AV detection:
10 of 27 (37.04%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
32016cf36c5e99a6c8fba8fd4ffad8b5f301cac55439ae73fec5db799ac341ab
368800079ca773a707d437855a41fa422f7337f3a9f36aff4f974301dd801089
403467afe0bd11eff13afa45c47e3562e7be3aba3cb7ce9d6019bd7232fc7917
488706b8e34f0d64a9023adb6a2570b9983fd741f0306b17aa2737793c86b0bf
8ecd99368b83efde6f0d0d538e135394c5aec47faf430e86c5d9449eb0c9f770
a9257e5bd1e9577b49632c9909fabe988eaa84d5a85fe7ff3279e57c52eeacfa
bd30704f52f0e08aae6df420255dc69f36f50eb7bf11e6aae22bd167b3ed905c
cda57d12ed16414f52bfcfe2f3234d0fa5eb259aa20a59568cf040f6958047eb
dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware trojan
Link:
https://tria.ge/reports/211028-v1z9lscaa8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Windows security modification
Windows security bypass
Unpacked files
SH256 hash:
18f56e715b634b3c0fbe3d4369f0cf0363d3a5315a3ae23cc2efb98b0e9aab69
MD5 hash:
019e1f95b1e28cd420364cbcd05fde0c
SHA1 hash:
11fb26d37e277269ebb6b8aaf50e4a653dce5c8c
Link:
https://www.unpac.me/results/ed98e1db-b370-4c73-96cf-7b66a9af1402/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/18f56e715b634b3c0fbe3d4369f0cf0363d3a5315a3ae23cc2efb98b0e9aab69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 18f56e715b634b3c0fbe3d4369f0cf0363d3a5315a3ae23cc2efb98b0e9aab69

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1723992/
Cape
Cape
https://www.capesandbox.com/analysis/201013/

Comments


Avatar
zbet commented on 2021-10-28 17:27:07 UTC

url : hxxp://191.252.142.137/~dirtbike/loja/101.exe