MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e44d81797cf4c1f833671a395282c00d90667d8220d7f1c6fef35c500161363. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	1e44d81797cf4c1f833671a395282c00d90667d8220d7f1c6fef35c500161363
SHA3-384 hash:	97a8feaa8bf6cc4744e2b3768178b50966d2f1be0df48085dad33bc6d9e1eab08c099285af3fc5db38bf212912299093
SHA1 hash:	42862aee66e154d33e3ae41580e3dcd724f977ed
MD5 hash:	bdec62e72e9023c396c9e394c872f602
humanhash:	north-winner-connecticut-black
File name:	open.exe
Download:	download sample
File size:	1'781'452 bytes
First seen:	2023-12-20 19:18:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep	24576:SBkVdlYAW0140sP7T1bgp2gD7TU/XCrul1k4XTU6RLUg4dneI1NTfzntHSGbsDls:2svPwqfiEeC4I6RLUg4dnRvztHWDBr8
TLSH	T172852313B6D0C0B2D2721A339679DB21EA7D7C501B75CAEF5790196CEE212C29B347A3
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	adm1n_usa32
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

315

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/468673/

Detection(s):

Win.Packed.Babar-10012967-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Creating a process from a recently created file

Changing a file

Modifies multiple files

Reading critical registry keys

Sending a custom TCP request

Modifying an executable file

Moving a file to the %temp% directory

Creating a file in the %temp% directory

Moving a file to the %AppData% subdirectory

Creating a file in the %AppData% subdirectories

Stealing user critical data

Creating a file in the mass storage device

Encrypting user's files

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm control expand greyware installer lolbin lolbin overlay packed packed quickheal replace setupapi sfx shdocvw shell32 stealer

Link:

https://www.filescan.io/uploads/65833e28b4e856b7282155cc/reports/09ba89fa-a362-45d6-b03e-95e8fdf93993/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1e44d81797cf4c1f833671a395282c00d90667d8220d7f1c6fef35c500161363

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3effa8bd-ba7e-427c-a142-ac8eb1f5c9fd

Result

Threat name:

n/a

Detection:

malicious

Classification:

rans.evad.spre

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1365241

Signature

Contains functionality to prevent local Windows debugging

Infects executable files (exe, dll, sys, html)

Multi AV Scanner detection for submitted file

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1e44d81797cf4c1f833671a395282c00d90667d8220d7f1c6fef35c500161363

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1e44d81797cf4c1f833671a395282c00d90667d8220d7f1c6fef35c500161363/

Threat name:

Win32.Ransomware.Livelocked

Status:

Malicious

First seen:

2023-12-19 22:01:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 37 (29.73%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dzcnqf4xz5gb7azwogrzkkbmadmqmz6yeigx6hdp5424kaawcnrq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

10/10

Tags:

ransomware spyware stealer

Link:

https://tria.ge/reports/231220-x1hexaeack/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Renames multiple (717) files with added filename extension

Unpacked files

SH256 hash:

1e44d81797cf4c1f833671a395282c00d90667d8220d7f1c6fef35c500161363

MD5 hash:

bdec62e72e9023c396c9e394c872f602

SHA1 hash:

42862aee66e154d33e3ae41580e3dcd724f977ed

Link:

https://www.unpac.me/results/8d1e3d5a-2a79-4ff0-bddb-17197a7e66c2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1e44d81797cf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1e44d81797cf4c1f833671a395282c00d90667d8220d7f1c6fef35c500161363

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Joe Sandbox

https://www.hybrid-analysis.com/sample/1e44d81797cf4c1f833671a395282c00d90667d8220d7f1c6fef35c500161363

Cape

https://www.capesandbox.com/analysis/468673/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample