MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 240ed9d0ec651922abf24d244966dc99c5ae7ab0727e1df686e8e2ee02da75ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Virut


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 240ed9d0ec651922abf24d244966dc99c5ae7ab0727e1df686e8e2ee02da75ce
SHA3-384 hash: 33ea1c8dc8cf0732ee8704a6dda36c6c5caa649d188c9339e37cd6f2b5fcc12ae596807af1435e71a94a251e157dfa2e
SHA1 hash: 64f36c18aab087464996af8d6a798411cddbdbb6
MD5 hash: 45fe66bd9b6a643b606c5667fb859435
humanhash: monkey-harry-fish-alabama
File name:hack telegram.exe
Download: download sample
Signature Worm.Virut
Create hunting rule
File size:575'299 bytes
First seen:2025-01-23 15:46:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'855 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 12288:/dMMfUNsOMRCTw379j+R19xO5NtWSoG3ct7ITYjYNWgNoxR3A:/CM2sOMMw37lSnxOHbcdxYNWgiHw
TLSH T155C4121356E67EA4C2F822702B3717C1D354CF81602AEABDA9D63896457E6037B13BCD
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon 414545c0d4c05503 (37 x njrat, 3 x AsyncRAT, 1 x RedLineStealer)
Reporter MrMalware
Tags:exe Worm.Virut

Intelligence

File Origin
# of uploads :
1
# of downloads :
490
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hack telegram.exe
Verdict:
Malicious activity
Analysis date:
2023-08-31 18:58:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0cf8b996-57a3-41d9-989e-7a1ddc6e5f52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Agent-572947
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679265bbb5602ee8cdb0379c
Tags:
emotet virut
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Changing the Windows explorer settings
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
krypt obfuscated overlay packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/6792647970cf772b4cf5bdf7/reports/c4374d37-e7a3-4f40-98a9-da4d07546283/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/240ed9d0ec651922abf24d244966dc99c5ae7ab0727e1df686e8e2ee02da75ce
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f54b2938-8c21-40a1-8420-0f5848dd32c6
Result
Threat name:
Virut
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1597749
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Disable Task Manager(disabletaskmgr)
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to evade debugger and weak emulator (self modifying code)
Writes to foreign memory regions
Yara detected Virut
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/240ed9d0ec651922abf24d244966dc99c5ae7ab0727e1df686e8e2ee02da75ce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/240ed9d0ec651922abf24d244966dc99c5ae7ab0727e1df686e8e2ee02da75ce/
Threat name:
ByteCode-MSIL.Trojan.Skeeyah
Create hunting rule
Status:
Malicious
First seen:
2016-10-04 10:20:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eqhntuhmmumsfk7sjuseszw4thc246vqoj7b35ug5dro4aw2oxha._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence
Link:
https://tria.ge/reports/250123-s76zmavjfz/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Modifies WinLogon
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Modifies firewall policy service
Verdict:
Malicious
Tags:
Win.Trojan.Agent-572947
YARA:
n/a
Link:
https://app.threat.zone/submission/c9942379-9dfd-40fc-acf9-50d696d20d74
Unpacked files
SH256 hash:
ffa84b593acbbf9ccff5f58e54da356626dbdb4fae957f2623f505323875507f
MD5 hash:
57d17d60a3a8b093800320b3cb8c4492
SHA1 hash:
af952929224b06c566d052c5883f141a6023e0de
Link:
https://www.unpac.me/results/2e9d3d17-674a-4b02-aae2-28cbd708a462/
SH256 hash:
240ed9d0ec651922abf24d244966dc99c5ae7ab0727e1df686e8e2ee02da75ce
MD5 hash:
45fe66bd9b6a643b606c5667fb859435
SHA1 hash:
64f36c18aab087464996af8d6a798411cddbdbb6
Link:
https://www.unpac.me/results/2e9d3d17-674a-4b02-aae2-28cbd708a462/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/240ed9d0ec651922abf24d244966dc99c5ae7ab0727e1df686e8e2ee02da75ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments