MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ee660ee24030f3bef36495ab2f47c7a05c9796ebad4105e649f2f5de284f715. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ee660ee24030f3bef36495ab2f47c7a05c9796ebad4105e649f2f5de284f715
SHA3-384 hash: cba356d01ce6b28d0604b2b3646ebca33e9245c58de139fe04f376fa3880e1fd31edd89880f94abd4c2de3dcf9ca8cb7
SHA1 hash: 0f9c320d7da1ca1e72e0bf97e32ce9c4cd7b8f6a
MD5 hash: 860c75c9a9ccf966c422e197f4c60c1e
humanhash: ink-mike-xray-august
File name:860c75c9a9ccf966c422e197f4c60c1e
Download: download sample
File size:4'878'649 bytes
First seen:2023-08-05 19:36:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:UborBmaDgt3HzjZ9UUg1+6c5XsvoThzsYy6+63WDxR/NaH9wvzVtvRcQlhB4P:UE1mco3HXUUg1+/moH9GS9wvxZRcQqP
Threatray 2'089 similar samples on MalwareBazaar
TLSH T177363382BE8267B2C5B41E39142D592426397D601F1CDAABA3E0616DCB710D1FB31FB7
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://yello9erylanguage.gromovananii199.repl.co/4XXR.exe
Verdict:
Malicious activity
Analysis date:
2023-08-05 21:50:08 UTC
Tags:
loader
Link:
https://app.any.run/tasks/61463e53-9d16-41fd-b0ac-a66c9d092962

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/440843/
Detection(s):
Win.Packed.Tedy-10005655-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching the process to change the firewall settings
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lolbin lolbin netsh overlay packed packed powershell replace setupapi shdocvw shell32 wscript
Link:
https://www.filescan.io/uploads/64cea4dfdaa9db50533d493e/reports/fa6981f6-608f-4ff3-b5dd-1a39fe7af590/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1ee660ee24030f3bef36495ab2f47c7a05c9796ebad4105e649f2f5de284f715
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bac2282a-7553-477c-a7f0-3d9c9ba9fd89
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1286503
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops PE files to the startup folder
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1286503 Sample: 87Qox4CVrW.exe Startdate: 05/08/2023 Architecture: WINDOWS Score: 100 110 Multi AV Scanner detection for domain / URL 2->110 112 Antivirus detection for URL or domain 2->112 114 Antivirus detection for dropped file 2->114 116 6 other signatures 2->116 11 87Qox4CVrW.exe 14 2->11         started        14 cmd.exe 2->14         started        17 cmd.exe 2->17         started        19 powershell.exe 2->19         started        process3 file4 82 C:\Users\user\AppData\Local\Temp\7z.exe, PE32 11->82 dropped 84 C:\Users\user\AppData\Local\Temp\7z.dll, PE32 11->84 dropped 86 C:\Users\user\AppData\Local\Temp\C3.bat, ASCII 11->86 dropped 21 cmd.exe 3 2 11->21         started        144 Uses powercfg.exe to modify the power settings 14->144 146 Modifies power options to not sleep / hibernate 14->146 24 conhost.exe 14->24         started        26 powercfg.exe 14->26         started        28 powercfg.exe 14->28         started        36 2 other processes 14->36 30 conhost.exe 17->30         started        32 choice.exe 17->32         started        34 conhost.exe 19->34         started        signatures5 process6 signatures7 118 Suspicious powershell command line found 21->118 120 Wscript starts Powershell (via cmd or directly) 21->120 122 Drops PE files to the startup folder 21->122 124 Adds a directory exclusion to Windows Defender 21->124 38 wscript.exe 1 21->38         started        41 conhost.exe 21->41         started        process8 signatures9 128 Wscript starts Powershell (via cmd or directly) 38->128 43 cmd.exe 2 38->43         started        process10 file11 88 C:\ProgramData\Microsoft\Windows\...\box.exe, PE32+ 43->88 dropped 138 Suspicious powershell command line found 43->138 140 Wscript starts Powershell (via cmd or directly) 43->140 142 Adds a directory exclusion to Windows Defender 43->142 47 4.exe 43->47         started        51 powershell.exe 7 43->51         started        53 7z.exe 3 43->53         started        55 6 other processes 43->55 signatures12 process13 file14 90 C:\Users\user\AppData\...\stpaozikwwwl.tmp, PE32+ 47->90 dropped 92 C:\Users\user\AppData\Local\Temp\box.exe, PE32+ 47->92 dropped 98 Multi AV Scanner detection for dropped file 47->98 100 Writes to foreign memory regions 47->100 102 Modifies the context of a thread in another process (thread injection) 47->102 108 2 other signatures 47->108 57 dialer.exe 47->57         started        104 Uses netsh to modify the Windows network and firewall settings 51->104 106 Modifies the windows firewall 51->106 94 C:\Users\user\AppData\Local\Temp\4.exe, PE32+ 53->94 dropped 61 cmd.exe 55->61         started        63 cmd.exe 55->63         started        65 netsh.exe 3 55->65         started        67 2 other processes 55->67 signatures15 process16 dnsIp17 96 192.168.2.1 unknown unknown 57->96 130 Injects code into the Windows Explorer (explorer.exe) 57->130 132 Contains functionality to inject code into remote processes 57->132 134 Writes to foreign memory regions 57->134 136 4 other signatures 57->136 69 lsass.exe 57->69 injected 72 winlogon.exe 57->72 injected 74 svchost.exe 57->74 injected 80 21 other processes 57->80 76 WMIC.exe 61->76         started        78 WMIC.exe 63->78         started        signatures18 process19 signatures20 126 Writes to foreign memory regions 69->126
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ee660ee24030f3bef36495ab2f47c7a05c9796ebad4105e649f2f5de284f715/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-04 19:33:07 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3tgb3reamhtx3zwjfnlf5d4pic4s6loxlkbaxtet4xv3yue64kq._file
Verdict:
malicious
Similar samples:
19aedf2b14d90e4cf5df0a8d533b1b9024ffa46ed56434ddc5d0ebcaec2487e9
5318af28d1b77df7a83165a90420fa200405c632e870423ff68fc1285fa3a233
54c7a21de074152b11a9aefb278508706176189c322c08fc2e56fec1a7f9169b
73387abd4f9966ec875dd96feb2f8ea23743564ec817c11e4d311588a8a424b1
9259cfad718da3fc0fa0a80013b5817ca4263ecdd3f1763f38baaa29b18b594e
e5ec05d1f59933949c166e82457c251e49146bb42bc4b9017a9fc625c6a13dff
ecd60313ba990f1300b37db4064977e83f109fdf93a728cf434106c1b5b5a2d5
f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
fbeedd4502c93c093a8aaaa4a5e0609713cbecd10d15291741b3fa6e5f174581
+ 2'079 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence upx
Link:
https://tria.ge/reports/230805-ybs1saea62/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
UPX packed file
Modifies Windows Firewall
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
a4eeee012a976d83e07453fb69792742586cba3218675679953121b135329f77
MD5 hash:
b13d315eed54d24a06051019629bb521
SHA1 hash:
49e73a9952a1d06347d92b4f91c8233d827611f0
Link:
https://www.unpac.me/results/fc5fc7ae-a1ab-4296-b2e1-8e0c12ab7823/
SH256 hash:
1ee660ee24030f3bef36495ab2f47c7a05c9796ebad4105e649f2f5de284f715
MD5 hash:
860c75c9a9ccf966c422e197f4c60c1e
SHA1 hash:
0f9c320d7da1ca1e72e0bf97e32ce9c4cd7b8f6a
Link:
https://www.unpac.me/results/fc5fc7ae-a1ab-4296-b2e1-8e0c12ab7823/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ee660ee2403/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ee660ee24030f3bef36495ab2f47c7a05c9796ebad4105e649f2f5de284f715

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1ee660ee24030f3bef36495ab2f47c7a05c9796ebad4105e649f2f5de284f715

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2699533/
Cape
Cape
https://www.capesandbox.com/analysis/440843/

Comments


Avatar
zbet commented on 2023-08-05 19:36:49 UTC

url : hxxps://yello9erylanguage.gromovananii199.repl.co/4XXR.exe