MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c702e234542e2bb53e45211cc3ae4426a5088de9510dae58a9ff8b7a65e294f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AnyDesk

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	1c702e234542e2bb53e45211cc3ae4426a5088de9510dae58a9ff8b7a65e294f
SHA3-384 hash:	35641ce7ad206aab77be22423f401409c0e492c3f9a6a394bcb490c647fc473f027790bd2a6e08b8a54191ba52772d95
SHA1 hash:	f9aefd3d984cdb4866c110f08407f1989eff7fb6
MD5 hash:	64d3b02073aa813c69cf0ca52182fa37
humanhash:	enemy-one-summer-shade
File name:	AnyDesk.exe
Download:	download sample
Signature	AnyDesk Create hunting rule
File size:	3'743'464 bytes
First seen:	2021-05-30 21:14:36 UTC
Last seen:	2021-05-30 21:37:45 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	49152:/4zJlO9Tddc2cC6ohU+5Ja0EbMYp0PHJ3zgROYbhnUvOVhYoST8RQXoYz+lJI:8+dYaHUeJabdipTchUvEhZSiKpKI
Threatray	4 similar samples on MalwareBazaar
TLSH	200633E5F30591D3E390DD327ADB7B717B1448FBB02843C2C679550BE284F99B1AA1A1
Reporter	ActorExpose
Tags:	AnyDesk exe philandro Software GmbH signed

Code Signing Certificate

Organisation:	philandro Software GmbH
Issuer:	DigiCert SHA2 Assured ID Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2018-10-24T00:00:00Z
Valid to:	2022-01-05T12:00:00Z
Serial number:	03e9eb4dff67d4f9a554a422d5ed86f3
Intelligence:	7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	7cf9ec56f8db42db83d8c7693e86093e983aa70957a7f7f2508b940758b4e842
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

AnyDesk (1).exe

Verdict:

Suspicious activity

Analysis date:

2021-05-11 21:11:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e870dde2-301c-4857-84d8-1b9ec27a8b32

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/163279/

Detection(s):

SecuriteInfo.com..18062.12229.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Creating a window

Changing a file

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Creating a file

Sending an HTTP POST request

Sending a UDP request

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

54 / 100

Link:

https://www.joesandbox.com/analysis/687804

Signature

Detected unpacking (changes PE section rights)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c702e234542e2bb53e45211cc3ae4426a5088de9510dae58a9ff8b7a65e294f/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dryc4i2filrlwu7ekii4yoxeijvfbcg6suinvzmkt74lpjs6ffhq._file

Verdict:

unknown

AnyDesk

4e14841c96a09f5850d1cf5fcb3526714c22d7174e3f75c8a309d8db36ecef93

AnyDesk

62cdf6d69798ae88f69de36a3dfa43295c2c0f14722a9f7227d7caf4a256224b

AnyDesk

868183d6e80d3a977ea679492ad7c869469d39504d2f4bc29b4a599577093fcd

AnyDesk

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210530-mhmxt2jxt2/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/1c702e234542e2bb53e45211cc3ae4426a5088de9510dae58a9ff8b7a65e294f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	buerloader_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	INDICATOR_KB_CERT_03e9eb4dff67d4f9a554a422d5ed86f3 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/163279/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample