MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21be3e6673249b8ab22552083dd46bbb6908a6c4e1ea0a745484ed3a3d95480b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11



SHA256 hash: 21be3e6673249b8ab22552083dd46bbb6908a6c4e1ea0a745484ed3a3d95480b
SHA3-384 hash: 2f8dc9fb0c5c0bdf5754acc9be8a34a4b490529eeb35e3e7c4cf56504d1fec9e9c50b2a88002a4e1d81342fdc883b37d
SHA1 hash: 580857278af9f486cec0b71625dd46e3c0175509
MD5 hash: 1456bf2f4e225a2932bd4cfb57938a11
humanhash: maine-white-lamp-vermont
File name: pwnw3.exe
File size: 122'330 bytes
First seen: 2023-08-18 21:09:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6f52595896f185a4d100120bb769ccf4
ssdeep: 1536:GOdJoRQzyymOS029Lks3Mi75/O1EEahfUO0R:5udzwShtcR
Threatray: 1'431 similar samples on MalwareBazaar
TLSH: T1A8C318D7ABC59DA7DA11073588FA4319333AF7E02B878B171D20A5350E637D0BEC694A
TrID:
    41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
    26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
    12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
    5.1% (.ICL) Windows Icons Library (generic) (2059/9)
    5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: ULTRAFRAUD
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 274
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: pwnw3.exe
Verdict: Malicious activity
Analysis date: 2023-08-18 21:11:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Running batch commands
Creating synchronization primitives
DNS request
Downloading the file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Download and Execute IEX
Snort IDS alert for network traffic
Yara detected Powershell download and execute
Behaviour
Behavior Graph (ID 1293638; sample: pwnw3.exe; start date: 18/08/2023; architecture: WINDOWS; score: 72)
Signatures in graph: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Sigma detected: Powershell Download and Execute IEX; Yara detected Powershell download and execute
Process tree: pwnw3.exe started cmd.exe, which started powershell.exe and conhost.exe
Network (from powershell.exe): vms.h4ck0ps.cc, 103.145.13.69, ports 49720 and 80, SQUITTER-NETWORKS, NL
Threat name: Win64.Downloader.Gendwnurl
Status: Malicious
First seen: 2023-08-18 21:10:07 UTC
File Type: PE+ (Exe)
AV detection: 19 of 24 (79.17%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Malware Config
Dropper Extraction: http://vms.h4ck0ps.cc/powershell_attack.txt%20
Unpacked files
SHA256 hash: 21be3e6673249b8ab22552083dd46bbb6908a6c4e1ea0a745484ed3a3d95480b
MD5 hash: 1456bf2f4e225a2932bd4cfb57938a11
SHA1 hash: 580857278af9f486cec0b71625dd46e3c0175509
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_PowerShell_IEX_Download_Combo
Author: Florian Roth (Nextron Systems)
Description: Detects strings found in sample from CN group repo leak in October 2018
Reference: https://twitter.com/JaromirHorejsi/status/1047084277920411648

Rule name: SUSP_PowerShell_IEX_Download_Combo_RID33EB
Author: Florian Roth
Description: Detects strings found in sample from CN group repo leak in October 2018
Reference: https://twitter.com/JaromirHorejsi/status/1047084277920411648

File information


The table below shows additional information about this malware sample such as delivery method and external references.
