MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22048ab00c4f91d43315938bb794a37a7a2b57f6da1895eb66e6c4a75412c37b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22048ab00c4f91d43315938bb794a37a7a2b57f6da1895eb66e6c4a75412c37b
SHA3-384 hash: 28d077162b78e23f16edd761c689af31e0f7d4c2b359da5c22f9d59e11cf027dd42f7e521fdd012fd85384dc2f9f682b
SHA1 hash: b81b99af0c0393b30487946a873c8f982dec4301
MD5 hash: 1a50df3a388ce5778e33c2d994edeb7d
humanhash: bravo-shade-four-butter
File name:Six.exe
Download: download sample
File size:1'460'224 bytes
First seen:2021-04-08 12:46:15 UTC
Last seen:2021-04-08 14:03:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:7T6W3fsLCoaY7xrBHVVEgX26/7YyhjMOR6KYTUl+rtQk:7T6W3faCoaY7xRVVEgX26/7YyF9R6JTl
Threatray 1'446 similar samples on MalwareBazaar
TLSH 73658E26279C8074D1BB93788AD6D687E7F234814B72CBDF41664A1E1F237B0466DF22
Reporter JAMESWT_WT
Tags:greataccesstoserver.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133200/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Bsymem.gen.974.23379.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/670173
Signature
.NET source code contains potential unpacker
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 384031 Sample: Six.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 68 71 www.google.ch 2->71 73 www.gearbest.com 2->73 75 41 other IPs or domains 2->75 129 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->129 131 Multi AV Scanner detection for submitted file 2->131 133 .NET source code contains potential unpacker 2->133 10 Six.exe 14 11 2->10         started        signatures3 process4 dnsIp5 103 greataccesstoserver.com 159.89.4.33, 49700, 80 DIGITALOCEAN-ASNUS United States 10->103 105 digitalassets.ams3.digitaloceanspaces.com 5.101.110.225, 443, 49701 DIGITALOCEAN-ASNUS Netherlands 10->105 61 C:\Users\user\AppData\Local\...\Six.exe.log, Unknown 10->61 dropped 135 Detected unpacking (overwrites its own PE header) 10->135 15 multitimer.exe 15 19 10->15         started        18 setups.exe 2 10->18         started        file6 signatures7 process8 dnsIp9 107 new.multitimer.fun 104.248.226.77, 443, 49703 DIGITALOCEAN-ASNUS United States 15->107 109 catser.inappapiurl.com 138.197.53.157, 443, 49702, 49704 DIGITALOCEAN-ASNUS United States 15->109 111 5 other IPs or domains 15->111 21 iexplore.exe 15->21         started        24 iexplore.exe 15->24         started        26 iexplore.exe 15->26         started        59 C:\Users\user\AppData\Local\...\setups.tmp, PE32 18->59 dropped 28 setups.tmp 6 26 18->28         started        file10 process11 dnsIp12 91 www.gearbest.com 21->91 93 ma.logsss.com 21->93 101 2 other IPs or domains 21->101 31 iexplore.exe 21->31         started        34 iexplore.exe 21->34         started        36 iexplore.exe 21->36         started        44 5 other processes 21->44 95 www.gearbest.com 24->95 97 v2.zopim.com 24->97 99 catser.inappapiurl.com 24->99 38 iexplore.exe 24->38         started        40 iexplore.exe 24->40         started        46 3 other processes 24->46 63 C:\Users\user\AppData\Local\...\psvince.dll, PE32 28->63 dropped 65 C:\Users\user\AppData\...\itdownload.dll, PE32 28->65 dropped 67 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 28->67 dropped 69 2 other files (none is malicious) 28->69 dropped 42 iexplore.exe 6 118 28->42         started        48 3 other processes 28->48 file13 process14 dnsIp15 113 31 other IPs or domains 31->113 115 8 other IPs or domains 34->115 117 8 other IPs or domains 36->117 119 26 other IPs or domains 38->119 121 20 other IPs or domains 40->121 123 2 other IPs or domains 42->123 50 iexplore.exe 42->50         started        53 iexplore.exe 42->53         started        55 iexplore.exe 42->55         started        57 7 other processes 42->57 125 31 other IPs or domains 44->125 127 25 other IPs or domains 46->127 process16 dnsIp17 83 5 other IPs or domains 50->83 77 spdc-global.pbp.gysm.yahoodns.net 212.82.100.181, 443, 49790, 49791 YAHOO-IRDGB United Kingdom 53->77 79 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49760, 49761 YAHOO-DEBDE United Kingdom 53->79 85 45 other IPs or domains 53->85 81 mt.tryd.pro 198.143.165.222, 443, 49846, 49847 SINGLEHOP-LLCUS United States 55->81 87 11 other IPs or domains 55->87 89 85 other IPs or domains 57->89
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22048ab00c4f91d43315938bb794a37a7a2b57f6da1895eb66e6c4a75412c37b/
Threat name:
ByteCode-MSIL.Adware.CSDIMonetize
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 12:42:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
10 of 29 (34.48%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
17c1d72767fb09f83c78e95a4e3f0bc7ed2db219774cc1e55b0391e2604a8362
28f1bd1e02427a817d05c69884c5d5ccf3455859a2f1c3a6dce5e6da75141bcd
2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16
576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09
757de1bfe2ba8c069cad8938b02383d54fbc1ed0823ca0f8374c34ae12ee0ce8
7cece5ca77b93ef7c41219923e3c080c99bffcca2141cde0acc72dc17daa6211
7dcc941cc14464f8ade39e87ef427d4a5cd2734348c1c98c387d905aea91bf7b
a47e971bd76da39e18307424c6bfacd9aed830139cb2822f942d97223467e601
aaadcd4bc5084939375b355830fa646c3f2a066a670369b70f8b3be5da81ad44
b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865
+ 1'436 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210408-f1x5747rvx/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
22048ab00c4f91d43315938bb794a37a7a2b57f6da1895eb66e6c4a75412c37b
MD5 hash:
1a50df3a388ce5778e33c2d994edeb7d
SHA1 hash:
b81b99af0c0393b30487946a873c8f982dec4301
Link:
https://www.unpac.me/results/af184526-5687-4168-8085-01a8c99b5a69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/22048ab00c4f91d43315938bb794a37a7a2b57f6da1895eb66e6c4a75412c37b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 22048ab00c4f91d43315938bb794a37a7a2b57f6da1895eb66e6c4a75412c37b

(this sample)

  
X
https://twitter.com/jstrosch/status/1379994923286466565?s=20
  
URLhaus
https://urlhaus.abuse.ch/url/1104390/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133200/

Comments