MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22dd8611d03e9f4cfb6e55ad748bc0fd1fb7377f5f39b26c843069a3dcf5b947. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22dd8611d03e9f4cfb6e55ad748bc0fd1fb7377f5f39b26c843069a3dcf5b947
SHA3-384 hash: 9385c865a0ef0fe1a73c0fdb4673d9cc652ce5726256177105c3e25e8e67858e76a6397194357b3da6612640030cced2
SHA1 hash: 6af498b309e0572b8e8cd762035e831d8949fa3b
MD5 hash: f9403f5b6853a153df2c4ba4c6e36dbb
humanhash: golf-pip-hamper-oven
File name:f9403f5b6853a153df2c4ba4c6e36dbb.exe
Download: download sample
File size:4'514'304 bytes
First seen:2021-07-29 16:24:16 UTC
Last seen:2021-07-29 16:49:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:kA/PGAQXPjYkOnkCZ2NekFoOQp0MOil+gAC0iSOiZINsbLuJUCKIWdKLthOQ+SE8:5GrXkkQE5Up0Vi7rvsu7Vq9eRtclw3
Threatray 59 similar samples on MalwareBazaar
TLSH T11E26339D7342B6CFC95BD4328D481C74AB40A43B1B0BDA4BD4D36AEE991E8C7CE541B2
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f9403f5b6853a153df2c4ba4c6e36dbb.exe
Verdict:
No threats detected
Analysis date:
2021-07-29 16:27:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d9b1593e-eb8e-421f-81a3-f40fd7140065

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175111/
Detection(s):
SecuriteInfo.com.PWS-FCXEF9403F5B6853.7554.31059.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30a13697-7356-41c8-978a-c5bc0aca83a3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824010
Signature
Adds a new user with administrator rights
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 456430 Sample: kU3AzvRm27.exe Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 92 Antivirus detection for dropped file 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 6 other signatures 2->98 11 kU3AzvRm27.exe 3 2->11         started        15 cmd.exe 2->15         started        17 cmd.exe 2->17         started        19 4 other processes 2->19 process3 file4 88 C:\Users\user\AppData\...\kU3AzvRm27.exe.log, ASCII 11->88 dropped 116 Writes to foreign memory regions 11->116 118 Allocates memory in foreign processes 11->118 120 Modifies the context of a thread in another process (thread injection) 11->120 122 Injects a PE file into a foreign processes 11->122 21 vbc.exe 4 11->21         started        124 Adds a new user with administrator rights 15->124 24 conhost.exe 15->24         started        26 net.exe 15->26         started        28 net.exe 17->28         started        30 conhost.exe 17->30         started        32 net.exe 19->32         started        34 net.exe 19->34         started        36 net.exe 19->36         started        38 3 other processes 19->38 signatures5 process6 signatures7 104 Bypasses PowerShell execution policy 21->104 106 Queries memory information (via WMI often done to detect virtual machines) 21->106 40 powershell.exe 47 21->40         started        44 net1.exe 28->44         started        46 net1.exe 32->46         started        48 net1.exe 34->48         started        50 net1.exe 36->50         started        process8 file9 82 C:\Windows\Branding\mediasvc.png, PE32+ 40->82 dropped 84 C:\Windows\Branding\mediasrv.png, PE32+ 40->84 dropped 86 C:\Users\user\AppData\...\pqcjdzrk.cmdline, UTF-8 40->86 dropped 108 Uses cmd line tools excessively to alter registry or file data 40->108 110 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 40->110 112 Adds a new user with administrator rights 40->112 114 Powershell drops PE file 40->114 52 cmd.exe 40->52         started        55 reg.exe 40->55         started        57 cmd.exe 40->57         started        59 8 other processes 40->59 signatures10 process11 file12 100 Adds a new user with administrator rights 52->100 62 cmd.exe 52->62         started        102 Creates a Windows Service pointing to an executable in C:\Windows 55->102 64 cmd.exe 57->64         started        90 C:\Users\user\AppData\Local\...\pqcjdzrk.dll, PE32 59->90 dropped 66 cvtres.exe 59->66         started        68 conhost.exe 59->68         started        70 conhost.exe 59->70         started        72 2 other processes 59->72 signatures13 process14 process15 74 net.exe 62->74         started        76 net.exe 64->76         started        process16 78 net1.exe 74->78         started        80 net1.exe 76->80         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22dd8611d03e9f4cfb6e55ad748bc0fd1fb7377f5f39b26c843069a3dcf5b947/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 16:25:07 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1b2c17c6e0deefb9a66c9e165f247e1677f2ee2454735717a3c3de6b51d5a28a
2142824c415eb4f05facc471942840e5065aa41b322f36dac198d30d00e8b6fc
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
b4a92bcb6f677bbf9ede6ad7b290f83bc27592fefae0a8b3c6bf8026ff3327ee
cfdb155368f72aed83e715260f1dd63922a25ce4e6d558941f94cb4a06357994
d9ec3c5cf92b5b3aa1d59949cf1eafb9c695d35ce9872215ba8b189d40c66823
eb02c967fb3feaf5504a78de8a7e0513c2c4e52ddf2243bfbcb10e83954baaad
+ 49 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/210729-9sa8bcs1es/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Core1 .NET packer
Unpacked files
SH256 hash:
22dd8611d03e9f4cfb6e55ad748bc0fd1fb7377f5f39b26c843069a3dcf5b947
MD5 hash:
f9403f5b6853a153df2c4ba4c6e36dbb
SHA1 hash:
6af498b309e0572b8e8cd762035e831d8949fa3b
Link:
https://www.unpac.me/results/a6f6e1e3-f868-4610-84e2-37551c696bb1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22dd8611d03e9f4cfb6e55ad748bc0fd1fb7377f5f39b26c843069a3dcf5b947

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 22dd8611d03e9f4cfb6e55ad748bc0fd1fb7377f5f39b26c843069a3dcf5b947

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/175111/
  
URLhaus
https://urlhaus.abuse.ch/url/1480064/
  
Delivery method
Distributed via web download

Comments