MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21ee3d0969be5a06e723ef34ebdc4f2688aded1fcfaa787c320a48d528165dd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	21ee3d0969be5a06e723ef34ebdc4f2688aded1fcfaa787c320a48d528165dd5
SHA3-384 hash:	2a2dc8242c15aa70002a9b7e5b3b704da803bb359e5371eebe06e0874b7acfa0b6454a55f661422c4851b13a1bd5e38e
SHA1 hash:	fb5c3c6250b25eba6d4ec971cfe49b1ab1eb5266
MD5 hash:	e81cb1a3fc80d819687a9e185d69a0f9
humanhash:	kentucky-failed-queen-beer
File name:	Awe.pdf.com
Download:	download sample
File size:	287'888 bytes
First seen:	2023-02-23 05:59:10 UTC
Last seen:	2023-02-23 07:28:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep	6144:CQLFhRR0ni87GH121RcickK/EIAd7WubzyooUhWnkmfigs7C:/FjRei8K1MNKMIAMubWooUfqigsG
Threatray	1'524 similar samples on MalwareBazaar
TLSH	T12F5412743061D473DFA24FF0403AA56E9BF9832518A5338777A01BE97D23383896A3E5
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	6cecccdcd4d0e8f0 (4 x AveMariaRAT, 1 x Smoke Loader, 1 x GuLoader)
Reporter	Anonymous
Tags:	exe signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-07-19T05:25:41Z
Valid to:	2025-07-18T05:25:41Z
Serial number:	31da9437ec8ffe2375a7850ac5969aab8bdbf325
Thumbprint Algorithm:	SHA256
Thumbprint:	3b2532548e3d961711330677d35c727e3dd4e0bdf9e64f2c420ac381fcbef3f1
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

E81CB1A3FC80D819687A9E185D69A0F9

Verdict:

Malicious activity

Analysis date:

2023-02-23 05:53:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e48f51b7-f84b-41c2-9658-b7924d44b36a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/369173/

Detection(s):

SecuriteInfo.com.Heur.31050.3603.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Сreating synchronization primitives

Creating a file

Delayed reading of the file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

buer overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63f700e45741abdfaa9f164c/reports/5ebcb5eb-aba3-4fac-a828-d4c763a05f10/overview

Verdict:

Suspicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/21ee3d0969be5a06e723ef34ebdc4f2688aded1fcfaa787c320a48d528165dd5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a8ec0668-0c6b-4271-9f7a-fb76740d852a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1181090

Signature

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21ee3d0969be5a06e723ef34ebdc4f2688aded1fcfaa787c320a48d528165dd5/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2023-02-23 06:00:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

6 of 25 (24.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ehxd2cljxznanzzd542oxxcpe2ek33i7z6vhq7bsbjenkkawlxkq._file

Verdict:

unknown

29f75d4db1b85197038c1ed08661ef0a72158ac895e6aac76526bab07d83c318

42ca73a2f64b86c9e59cc795eaf28450bdfd1149a35b052e2a8baf1b47e82204

4600a50935f86662f97f8fb6aa937ba8118ecedf578b62acb5eefe5cd0ac51fa

4d688c6baec0d972c248f7747f18dc385e67a0fb2b1a5deb70f324b16220780d

657a84ee835cf7d47f30fa352ab511e15ec8235bf7876f4264cf9885e10aee57

d8d9bb65ea3637fda09488baada0c9b387e0619b7c430b93c8a0fa2d8b489bc1

de13d60ef30879b02888995ddc375ce14c78fdb9d74cbb766eeed9e8b6927e4d

edb9be523929b3b4f6b3cb5d700bd7bfd4baf125fb19efd05bede6fd20648b24

f66d9c77d511503d6d7621198c1054650339a3e4ee49601d87e073e26905676b

+ 1'514 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/230223-gqbavaeh73/

Behaviour

Enumerates physical storage devices

Drops file in Windows directory

Drops file in System32 directory

Checks installed software on the system

Loads dropped DLL

Unpacked files

SH256 hash:

ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

MD5 hash:

0063d48afe5a0cdc02833145667b6641

SHA1 hash:

e7eb614805d183ecb1127c62decb1a6be1b4f7a8

Link:

https://www.unpac.me/results/e217e85e-d157-49f7-a2c6-f8bc20646688/

Parent samples :

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde
e0fb60da371912c158861c9660632d58e45cfcff12351cc9e03f497f319eb5de
904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

SH256 hash:

21ee3d0969be5a06e723ef34ebdc4f2688aded1fcfaa787c320a48d528165dd5

MD5 hash:

e81cb1a3fc80d819687a9e185d69a0f9

SHA1 hash:

fb5c3c6250b25eba6d4ec971cfe49b1ab1eb5266

Link:

https://www.unpac.me/results/e217e85e-d157-49f7-a2c6-f8bc20646688/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/21ee3d0969be5a06e723ef34ebdc4f2688aded1fcfaa787c320a48d528165dd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/369173/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample