MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



HatefWiper


Vendor detections: 8



SHA256 hash: 19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0
SHA3-384 hash: 6952ad4926fd8fcd113c1a4062ee923478cc2d68207a3c492b0e40b5957f10834fcb8babfe73a7453f53921259acdd76
SHA1 hash: cdfa4966d7a859b09a411f0d90efbf822b2d6671
MD5 hash: 22e9135a650cd674eb330cbb4a7329c3
humanhash: finch-sixteen-leopard-kentucky
File name: 19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0.pdf
Signature: HatefWiper
File size: 148'450 bytes
First seen: 2024-07-21 16:37:08 UTC
Last seen: 2024-07-26 17:05:27 UTC
File type: pdf
MIME type: application/pdf
ssdeep 3072:HacAmbHTYPFB/2o2evTO5VC/hdb3x8Z5pNjEBvgGoh9ZDROe:HacAmbHIvO7C5db3yZ5pNjE0rZDUe
TLSH T1E9E3F1238C5C5ECFC16587C07F1B3CAD655AB606A9C910E0706ECBCF5761E5298A2A4F
Reporter smica83
Tags:crowdstrike CrowdstrikeMalware fake HatefWiper pdf
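A sample fetched from this entry should be checked against the listed digests and size before it goes anywhere near an analysis box. The script below is an added example, not part of the MalwareBazaar page: it recomputes the four cryptographic hashes the entry lists (ssdeep and TLSH need external libraries and are left out) and reports any mismatch. The expected values are copied from the entry above; the file path on the command line is an assumption.

```python
"""Verify a downloaded sample against the digests and size listed in this entry.

Added example, not part of the MalwareBazaar page. Expected values are copied
from the entry above; the path passed on the command line is an assumption.
"""
import hashlib
import sys
from pathlib import Path

# Copied from the database entry above (lowercase hex).
EXPECTED = {
    "sha256": "19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0",
    "sha3_384": "6952ad4926fd8fcd113c1a4062ee923478cc2d68207a3c492b0e40b5957f10834fcb8babfe73a7453f53921259acdd76",
    "sha1": "cdfa4966d7a859b09a411f0d90efbf822b2d6671",
    "md5": "22e9135a650cd674eb330cbb4a7329c3",
}
EXPECTED_SIZE = 148450  # bytes, from "File size" above


def digest_bytes(data: bytes, names=tuple(EXPECTED)) -> dict:
    """Return the requested hashlib digests of `data` as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in names}


def compare(data: bytes, expected: dict = EXPECTED, expected_size: int = EXPECTED_SIZE) -> list:
    """Return a list of mismatch descriptions; an empty list means `data` matches the entry."""
    problems = []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} != {expected_size}")
    actual = digest_bytes(data, tuple(expected))
    for name, want in expected.items():
        if actual[name] != want.lower():
            problems.append(f"{name} mismatch: got {actual[name]}")
    return problems


def verify_file(path) -> list:
    """Hash a file on disk (read in one go; the sample is ~145 KiB) and compare it to the entry."""
    return compare(Path(path).read_bytes())


if __name__ == "__main__":
    # Assumed usage: the sample has already been extracted from the archive MalwareBazaar serves.
    result = verify_file(sys.argv[1])
    print("OK: matches entry" if not result else "\n".join(result))
```

Run it on the extracted sample, never on the archive wrapper, and treat any mismatch as "this is not the file the entry describes" rather than as a corrupted download.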

Intelligence


File Origin
# of uploads: 2
# of downloads: 418
Origin country: HU
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: action lolbin shell32
Result
Verdict: MALICIOUS
Details
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
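The heuristic above is a page-count check, so it is worth seeing what it actually measures and where it fails. The script below is an added example, not the vendor's implementation: it scans raw PDF bytes for page objects and for the total declared by the page-tree root, flags the 1-3 page range the heuristic uses, and reports the case a raw scan cannot see (page dictionaries packed into compressed object streams, PDF 1.5 and later). The PDFs it feeds itself are constructed inline.

```python
"""Page-count triage for PDFs, the check behind the "Document With Few Pages" heuristic.

Added example; not the sandbox vendor's code. It works on raw bytes with no
PDF library. Input PDFs are constructed inline for illustration.
"""
import re

# Page dictionaries: "/Type /Page" not followed by a letter, so "/Pages" is excluded.
PAGE_OBJ = re.compile(rb"/Type\s*/Page(?![A-Za-z])")
# The page-tree root declares the total in /Count.
PAGES_COUNT = re.compile(rb"/Type\s*/Pages\b[^>]*?/Count\s+(\d+)")


def count_pages(pdf: bytes) -> int:
    """Number of page objects visible in the raw file.

    Caveat: page dictionaries may live inside compressed object streams
    (/Type /ObjStm), where a raw scan sees nothing; compare with
    declared_count() before trusting a zero.
    """
    return len(PAGE_OBJ.findall(pdf))


def declared_count(pdf: bytes):
    """Page total declared by the /Pages root, or None if no such node is visible."""
    m = PAGES_COUNT.search(pdf)
    return int(m.group(1)) if m else None


def few_pages(pdf: bytes, low: int = 1, high: int = 3) -> bool:
    """True when the page count falls in the heuristic's 1-3 range (declared count as fallback)."""
    n = count_pages(pdf) or (declared_count(pdf) or 0)
    return low <= n <= high


def triage(pdf: bytes) -> dict:
    """Summarise both counts and whether the page structure is hidden from a raw scan."""
    scanned, declared = count_pages(pdf), declared_count(pdf)
    return {
        "scanned": scanned,
        "declared": declared,
        "few_pages": few_pages(pdf),
        # Pages declared but none visible: object streams or a malformed tree.
        "hidden_structure": scanned == 0 and (declared or 0) > 0,
    }


def build_pdf(n_pages: int) -> bytes:
    """Construct a minimal uncompressed PDF with n_pages empty pages (constructed test input)."""
    kids = b" ".join(b"%d 0 R" % (3 + i) for i in range(n_pages))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [" + kids + b"] /Count %d >>" % n_pages,
    ]
    objs += [b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"] * n_pages
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for n in (1, 3, 4):
        print(n, triage(build_pdf(n)))
```

A sparse page count is a weak signal on its own (most invoices and letters are short too); the useful part of the check is the disagreement between the scanned and declared counts, which points at content the scanner did not parse.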
Result
Threat name: Hatef Wiper
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
AI detected suspicious PDF
Downloads suspicious files via Chrome
Drops PE files with a suspicious file extension
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Search for Antivirus process
Suspicious execution chain found
Writes to foreign memory regions
Yara detected Hatef Wiper
Behaviour
Behavior Graph ID: 1477613
Sample: ZUlr0Vm0Zt.pdf
Start date: 21/07/2024
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the behavior graph ("started" edges; dropped files, network contacts and per-node signatures in brackets):

ZUlr0Vm0Zt.pdf (sample)
  [Yara detected Hatef Wiper; Sigma detected: Search for Antivirus process; Downloads suspicious files via Chrome; 3 other signatures]
  [DNS: icanhazip.com; XLuvBdVPcngNKMPfoEAAuT.XLuvBdVPcngNKMPfoEAAuT]
  Acrobat.exe
    AcroCEF.exe
      AcroCEF.exe
  chrome.exe
    [dropped: C:\Users\user\Downloads\update.zip (copy), Zip]
    [contacts: 192.168.2.6:443 (local ports 49704, 49706); 239.255.255.250 (Reserved)]
    chrome.exe
      [contacts: www.google.com 142.250.185.164:443 (GOOGLEUS, United States); link.storjshare.io 136.0.77.2:443 (EGIHOSTINGUS, United States)]
    unarchiver.exe
      7za.exe
        [dropped: C:\Users\user\AppData\...\CrowdStrike.exe, PE32]
        conhost.exe
      cmd.exe
        [Drops PE files with a suspicious file extension]
        conhost.exe
        CrowdStrike.exe
          [Multi AV Scanner detection for dropped file; Found stalling execution ending in API Sleep call]
          [dropped: C:\Users\user\AppData\Local\Temp\Job, DOS]
          cmd.exe
            [dropped: C:\Users\user\AppData\Local\...\Champion.pif, PE32]
            conhost.exe
            tasklist.exe
            7 other processes
            Champion.pif
              [Writes to foreign memory regions; Injects a PE file into a foreign processes]
              [dropped: C:\Users\user\AppData\Local\...\RegAsm.exe, PE32]
              RegAsm.exe
                [Sample is not signed and drops a device driver]
                [contacts: icanhazip.com 104.16.185.241:80 (CLOUDFLARENETUS, United States), local port 49754]
                [dropped: C:\Users\user\...\ListOpenedFileDrv_32.sys, PE32; C:\Users\user\AppData\...\OpenFileFinder.dll, PE32]
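The chain in the graph has three observables that survive outside the sandbox: a binary named after a security vendor running from a user-writable directory, a PE renamed to .pif, and tasklist.exe launched beneath that chain. The script below is an added example, not part of the MalwareBazaar page or of the sandbox vendor's Sigma rules: it builds a process tree from process-creation events and reports those three conditions. The events are constructed to mirror the graph; the AppData subdirectories are truncated on the page and are assumed here, and the ancestry-based tasklist rule is this example's own logic (the vendor's "Search for Antivirus process" rule is not reproduced on the page).

```python
"""Detect the execution chain from the behaviour graph in process-creation events.

Added example, not part of the MalwareBazaar page or of any vendor's rules.
SAMPLE_EVENTS is constructed to mirror the graph; exact AppData subdirectories
are not shown on the page and are assumed.
"""
import ntpath
from dataclasses import dataclass

# PE files renamed to these extensions still execute but dodge naive ".exe" filters.
SUSPICIOUS_EXT = {".pif", ".scr", ".com"}
# Directories a standard user can write to; real security products install under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\downloads\\", "\\temp\\")
# Vendor names this sample masquerades as (the entry is tagged "fake" and "crowdstrike").
VENDOR_NAMES = {"crowdstrike"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str  # full image path, as in Sysmon event 1 or Security event 4688


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def ancestry(by_pid: dict, pid: int) -> list:
    """Parents of `pid`, nearest first; stops at unknown or cyclic parents."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def findings(events: list) -> list:
    """Return (pid, reason) tuples for processes matching the chain's observables."""
    by_pid = {p.pid: p for p in events}
    out = []
    for p in events:
        name = ntpath.basename(p.image).lower()
        stem, ext = ntpath.splitext(name)
        if ext in SUSPICIOUS_EXT and in_user_writable(p.image):
            out.append((p.pid, "PE with suspicious extension in user-writable dir"))
        if stem in VENDOR_NAMES and in_user_writable(p.image):
            out.append((p.pid, "security-vendor name running outside its install dir"))
        if name == "tasklist.exe":
            # Process enumeration matters when an ancestor runs from a user-writable
            # location (here CrowdStrike.exe in Temp); an admin's tasklist from Explorer does not.
            if any(in_user_writable(a.image) for a in ancestry(by_pid, p.pid)):
                out.append((p.pid, "process enumeration under user-writable parent chain"))
    return out


# Constructed events mirroring the graph; pids and the Temp subdirectory are assumed.
SAMPLE_EVENTS = [
    Proc(1, 0, r"C:\Windows\explorer.exe"),
    Proc(100, 1, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Proc(200, 100, r"C:\Tools\unarchiver.exe"),  # location assumed
    Proc(300, 200, r"C:\Tools\7za.exe"),         # location assumed
    Proc(310, 200, r"C:\Windows\System32\cmd.exe"),
    Proc(400, 310, r"C:\Users\user\AppData\Local\Temp\CrowdStrike.exe"),
    Proc(500, 400, r"C:\Windows\System32\cmd.exe"),
    Proc(510, 500, r"C:\Windows\System32\tasklist.exe"),
    Proc(520, 500, r"C:\Users\user\AppData\Local\Temp\Champion.pif"),
    Proc(600, 520, r"C:\Users\user\AppData\Local\Temp\RegAsm.exe"),
    # Benign controls: tasklist run from Explorer, and a vendor-named binary in Program Files.
    Proc(700, 1, r"C:\Windows\System32\tasklist.exe"),
    Proc(800, 1, r"C:\Program Files\CrowdStrike\CrowdStrike.exe"),
]

if __name__ == "__main__":
    for pid, reason in findings(SAMPLE_EVENTS):
        print(pid, reason)
```

RegAsm.exe is deliberately not flagged here: the graph marks it as the injection target, and catching that needs memory-write telemetry (Sysmon event 8/10 style) rather than process-creation events alone.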
Threat name: Document-PDF.Trojan.Heuristic
Status: Malicious
First seen: 2024-07-20 22:25:42 UTC
File Type: Document
Extracted files: 12
AV detection: 13 of 38 (34.21%)
Threat level: 2/5