MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e9a3a5e2e8da03cb6949e0aa8c169c3e095a7144ac74d87a74450faa83f027d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e9a3a5e2e8da03cb6949e0aa8c169c3e095a7144ac74d87a74450faa83f027d
SHA3-384 hash: edaa37201fb05a882d81cf4ad640691820e8a68601c17b6c1985962e38c7006296e6d1815e13db879c5ebf635659b6d0
SHA1 hash: a3e08ca002b4046da36c1d05f079db9ccba567ff
MD5 hash: 8a0e3e9d2d00b456539face1b95f5e49
humanhash: three-lake-maine-october
File name:8a0e3e9d2d00b456539face1b95f5e49
Download: download sample
File size:9'184'276 bytes
First seen:2022-04-20 13:00:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 196608:k1E3uOIPaV+mW+8w7802hv0ZFoj7J0U53jSXINWe/jgz:XVma6+8Ku0bwJ0U5zIIFji
Threatray 12'360 similar samples on MalwareBazaar
TLSH T15696334A2631A528C3DA3F30AEA7C37326764C1FD5223D4A259AFDEF71674C4E825319
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon acd2d4d0b2b0ac00
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265149/
Detection(s):
SecuriteInfo.com.Variant.Jaik.47481.3009.12726.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62600415eab80a7a6c4ab4e5/reports/e6d8542b-f396-4dc4-96fe-a54e8b0e4a14/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4dda736-64f0-41fc-8f47-f502f04c7029
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/979612
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e9a3a5e2e8da03cb6949e0aa8c169c3e095a7144ac74d87a74450faa83f027d/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2022-04-17 01:28:00 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
22 of 41 (53.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
398cb27e45b7edad5322cbf38a9c39510bb9d8b3267b6d88d9cb1c53c575a6bb
415cef68482c74fcfff231fafc63bf9835c72da00e826e753aac86f704db7ac8
480427092e1dbc18897a159dac8d98cfad92fb3eb2a16b90d75e0b5f75ba4568
52705396f93e5bf55c8f89fb3ff29bd0836ea1429c6d8f104d713448ca6a03a0
66c2d16720a324ba29f89aeabfeac44cceb594fae97684f6b903bec8b82fbf49
+ 12'350 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/220420-p87e1abgd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/6aab15db-6305-435e-8efc-3383bd9d1787/
SH256 hash:
1e9a3a5e2e8da03cb6949e0aa8c169c3e095a7144ac74d87a74450faa83f027d
MD5 hash:
8a0e3e9d2d00b456539face1b95f5e49
SHA1 hash:
a3e08ca002b4046da36c1d05f079db9ccba567ff
Link:
https://www.unpac.me/results/6aab15db-6305-435e-8efc-3383bd9d1787/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e9a3a5e2e8da03cb6949e0aa8c169c3e095a7144ac74d87a74450faa83f027d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1e9a3a5e2e8da03cb6949e0aa8c169c3e095a7144ac74d87a74450faa83f027d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/265149/

Comments


Avatar
zbet commented on 2022-04-20 13:00:56 UTC

url : hxxps://api.brutal-hax.net/Loader/BHLoader.exe