MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20155168e7c61f9da621df7b3abc70bb71032fb68b30e4357ecaa377e5faa81f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	20155168e7c61f9da621df7b3abc70bb71032fb68b30e4357ecaa377e5faa81f
SHA3-384 hash:	aa2aba8e514df84b483fc127c41f9752c942e9ec09a045b18596037d049b7429a383ed9afdbf3faf01ffa2002be0c7d0
SHA1 hash:	31cdcbefeb21de768214eea44bb22d76fb00dac5
MD5 hash:	495898e8c6fd72defa11061f617f24b4
humanhash:	pip-jupiter-maine-six
File name:	495898e8c6fd72defa11061f617f24b4.exe
Download:	download sample
File size:	279'040 bytes
First seen:	2022-12-12 15:24:38 UTC
Last seen:	2022-12-12 16:37:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	50d8a4762b09f148cecbce7073cf1ef4
ssdeep	6144:Ru7JEh1P2eC3htmA6oir1jLzA4tmXgOU9Oi:Ru6hJEYA6TrFvei
TLSH	T1DD547BCCB4DA84B9C4324D3ECCF679DC5768AB600A745B1EA77C0B381AB015D66926E3
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

495898e8c6fd72defa11061f617f24b4.exe

Verdict:

Malicious activity

Analysis date:

2022-12-12 15:26:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ce20f277-1fe0-49dc-9da3-acbd9e452d6e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/345504/

Detection(s):

SecuriteInfo.com.Variant.Ser.Fragtor.820.24190.13783.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Downloading the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed rat shell32.dll

Link:

https://www.filescan.io/uploads/639747d09a505ad9423f378c/reports/71b7949c-a2d7-4532-a228-055460f9c483/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/27b312d4-44aa-4b49-aeaf-dbe7db79147d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1132769

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Download and Execute IEX

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/20155168e7c61f9da621df7b3abc70bb71032fb68b30e4357ecaa377e5faa81f/

Threat name:

Win32.Downloader.PsDownload

Status:

Malicious

First seen:

2022-12-08 18:38:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eakvc2hhyypz3jrb355tvpdqxnyqgl5wrmyoinl6zkrxpzp2vapq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/221212-stmc3abf88/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Deletes itself

Blocklisted process makes network request

Malware Config

Dropper Extraction:

https://alternativohortolandia.com.br/wp-content/config_20.ps1

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6548f1f3-1447-4b21-9f50-5a876c8d5c01

Unpacked files

SH256 hash:

20155168e7c61f9da621df7b3abc70bb71032fb68b30e4357ecaa377e5faa81f

MD5 hash:

495898e8c6fd72defa11061f617f24b4

SHA1 hash:

31cdcbefeb21de768214eea44bb22d76fb00dac5

Link:

https://www.unpac.me/results/66cd4d44-0538-4a11-ab93-1f506a1d4187/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/20155168e7c61f9da621df7b3abc70bb71032fb68b30e4357ecaa377e5faa81f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 20155168e7c61f9da621df7b3abc70bb71032fb68b30e4357ecaa377e5faa81f

(this sample)

Cape

https://www.capesandbox.com/analysis/345504/

URLhaus

https://urlhaus.abuse.ch/url/2454943/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample