MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 265cb456cf5a09ad82380cb98118fb9255a9c9407085677d597abd828a5f4b11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	265cb456cf5a09ad82380cb98118fb9255a9c9407085677d597abd828a5f4b11
SHA3-384 hash:	47b5351b4f2ce0816dd0491339587322fbebff2bc2806fa16066ef109c1b6a2df30c4cf4d06ed34419b7ac811d829496
SHA1 hash:	43c111534475720f5e38ff8bddf29e4072fd9021
MD5 hash:	c4d026c7057b9b9fcde18d85fb486b4b
humanhash:	oven-zulu-nevada-moon
File name:	c4d026c7057b9b9fcde18d85fb486b4b.exe
Download:	download sample
File size:	432'128 bytes
First seen:	2023-08-07 15:42:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1c4fb1586de2649012792d8327d69979
ssdeep	6144:bWEtgBxJxw6m33royaUkGmwigYVgRCmyb47TT+YK+YoI:q4gxTm3UBU8gYMfTGo
Threatray	159 similar samples on MalwareBazaar
TLSH	T1BF940507A6DC3CDAC4B25238A77B47C1D72DFC4513A1C6AF02E40166AE7F5927A26BD0
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	f0968ee8aae8e8b2 (9 x Urelas, 5 x HermeticWiper, 4 x Starcat)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c4d026c7057b9b9fcde18d85fb486b4b.exe

Verdict:

Suspicious activity

Analysis date:

2023-08-07 15:43:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b6295096-a151-46b5-a7a3-c9c73fbfc72e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/441126/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Creating a service

Launching a service

Loading a system driver

Creating a file in the Windows subdirectories

Creating a file in the Windows directory

Creating a file

Enabling autorun for a service

Enabling autorun by creating a file

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/265cb456cf5a09ad82380cb98118fb9255a9c9407085677d597abd828a5f4b11

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7a0cdace-0a4c-4c2b-adee-ca3b2dde790b

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1287242

Signature

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking mutex)

Uses the Telegram API (likely for C&C communication)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/265cb456cf5a09ad82380cb98118fb9255a9c9407085677d597abd828a5f4b11/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ezolivwplie23arybs4ycgh3sjk2tskaoccwo7kzpk6yfcs7jmiq._file

Verdict:

unknown

34437641a6b16fcbc6a726c0eabcebf0e9abccb3a878aee2d0a7797c0dd4eae9

36de150cba3d3477191cbe04958e9f887725df1e2e21a92cb18887620238dea2

3838e7c40562f66dd304227e311eeb51dd9c2981a4e5c54da4789e6fcbb06f5d

3e6f7f9456ae9906e40da831c58f9b78a2eee8af2682cac7a9abf1a854142aa0

7e481ee40af6227bc65f7334cffa28ef661ab49cb800ce383aed1cec82515ae5

97df47266aba1d8e7c70c88c8bf0851a53579dfac7d2bb6545ca85e809bbf1c6

ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d

edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f

+ 149 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230807-s5w2msfh39/

Behaviour

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

265cb456cf5a09ad82380cb98118fb9255a9c9407085677d597abd828a5f4b11

MD5 hash:

c4d026c7057b9b9fcde18d85fb486b4b

SHA1 hash:

43c111534475720f5e38ff8bddf29e4072fd9021

Link:

https://www.unpac.me/results/d5f18d85-dbc7-40e1-9f14-d7551a91571d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/265cb456cf5a09ad82380cb98118fb9255a9c9407085677d597abd828a5f4b11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/441126/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample