MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bba4e037532af6aa204171b9022d6d5de22aaa248f3199a9c15802fced787f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkWatchman

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	1bba4e037532af6aa204171b9022d6d5de22aaa248f3199a9c15802fced787f2
SHA3-384 hash:	9822ed861d2868e888773fa604959dae3a738b4f35f006f988b13d38e283adea6362735dc70965d737ee0964626b36e1
SHA1 hash:	bfada7e8b98fc2b0a15824ee7cf18beca5c41182
MD5 hash:	a79adc37a723dd89014f01158a19cecc
humanhash:	jupiter-bulldog-social-florida
File name:	a79adc37a723dd89014f01158a19cecc.exe
Download:	download sample
Signature	DarkWatchman Create hunting rule
File size:	299'597 bytes
First seen:	2022-01-31 04:12:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (872 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	6144:5OYGXaPNxdgSdcq2pVZPOJHAbKVOk/hVwZd:lGqN/XdctpVtklOkpVwZd
Threatray	1'413 similar samples on MalwareBazaar
TLSH	T18C54BF03B6C18872D7732A3E5939A7156D3D79201FA4DA1FB3E8496DDE31C806634BA3
File icon (PE):
dhash icon	82a2a2a2a2a2a28a (1 x DarkWatchman)
Reporter	abuse_ch
Tags:	DarkWatchman exe

Intelligence

File Origin

# of uploads :

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a79adc37a723dd89014f01158a19cecc.exe

Verdict:

Malicious activity

Analysis date:

2022-01-31 04:28:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6fc33994-ac75-4a71-a6b0-9c469d46f7fd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/228260/

Detection(s):

SecuriteInfo.com.PUA.Tool.BtcMine.2110.19075.28917.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Modifying an executable file

Creating a file

Moving a file to the %temp% directory

DNS request

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Sending an HTTP GET request

Moving of the original file

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5559/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware overlay packed replace.exe setupapi.dll shdocvw.dll shell32.dll update.exe

Link:

https://www.filescan.io/uploads/61f761d0d7fd65ae55fa531c/reports/1fed1f16-a244-44b5-ac8f-cbe69a3e979b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8ee46de2-702e-420e-ad92-57e4e4e4b9a5

Result

Threat name:

DarkWatchman

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930511

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1bba4e037532af6aa204171b9022d6d5de22aaa248f3199a9c15802fced787f2/

Threat name:

Win32.Trojan.Hyena

Status:

Malicious

First seen:

2022-01-27 09:50:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 43 (41.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=do5e4a3vgkxwviqec4nzaiww2xpcfkvcjdzrtgu4cwac7twxq7za._file

Verdict:

malicious

Label(s):

ryuk

DarkWatchman

4d45b8210c1a3ee305e9adcf9f7e055b562c6c8977e1210782a9a57155123417

DarkWatchman

59dde91666a7dfcb1d2c8ad1f5e4a8ed7ede43b084ac1c13be4be00a0342afee

DarkWatchman

61ee3bd82bed03dd0f3fb9bc9b76b7da972a90d3c12c8e4d5e967440a2f04c00

DarkWatchman

b63239750d318dd30d49256b14c3d82841b562fb1bdabd8ba93f85c18e6edade

DarkWatchman

c4a61b581890f575ba0586cf6d7d7d3e0c7603ca40915833d6746326685282b7

DarkWatchman

ce06efe2c18c75da9d9535b4328677f4136a3f04ea666d037bf55dce7c9b7c57

DarkWatchman

e8681efd888395026e420acffe3df7b45e990d0a917aec3f09c741d4d8ccfba6

DarkWatchman

+ 1'403 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

ransomware spyware stealer

Link:

https://tria.ge/reports/220131-es4dasfdh3/

Behaviour

Interacts with shadow copies

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Deletes itself

Reads user/profile data of web browsers

Blocklisted process makes network request

Deletes shadow copies

Process spawned unexpected child process

Unpacked files

SH256 hash:

1bba4e037532af6aa204171b9022d6d5de22aaa248f3199a9c15802fced787f2

MD5 hash:

a79adc37a723dd89014f01158a19cecc

SHA1 hash:

bfada7e8b98fc2b0a15824ee7cf18beca5c41182

Link:

https://www.unpac.me/results/e3eeb2ee-ecab-46b5-aa7f-1528b1d6f724/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1bba4e037532af6aa204171b9022d6d5de22aaa248f3199a9c15802fced787f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/228260/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample