MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735
SHA3-384 hash: f64797c09fbfd012e114a069f0ae4af6919088e084a5e57d8c1bdb2fc5b6ff610cf5546c3c3f7d1e8955edc75a9fec54
SHA1 hash: dfb28cd1750b0a8998cb7ca5b3dcab1ee31d2dd1
MD5 hash: a004013371075add8b8f30259e48b9bc
humanhash: tennis-lithium-wolfram-orange
File name:a004013371075add8b8f30259e48b9bc
Download: download sample
File size:440'832 bytes
First seen:2021-12-31 15:58:46 UTC
Last seen:2021-12-31 19:01:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a6b3cf5795afe59db3114ae7499f37a0
ssdeep 3072:rcynG+VL2wL/re7AXaEoXN77J2a/IlEVAw97KYzlzu4hgYhN73ONqVXZLXrAepL5:JG69yEoXf2/Er7KCl3rnd+nBW
Threatray 201 similar samples on MalwareBazaar
TLSH T18194C5E623D0A854D0324139DAA28E32A77EFF6C876D95E712C11545DA0BAD17C32F2F
File icon (PE):PE icon
dhash icon 55d01737b2dab2b2
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a004013371075add8b8f30259e48b9bc
Verdict:
No threats detected
Analysis date:
2021-12-31 16:01:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/53a76e82-1b01-4299-b565-f912d7b4378f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216951/
Detection(s):
SecuriteInfo.com.Variant.Ulise.138745.17536.14237.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
DNS request
Creating a process from a recently created file
Creating a window
Using the Windows Management Instrumentation requests
Searching for the window
Creating a process with a hidden window
Creating a file
Forced system process termination
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3579/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
LanguageCheck
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61cf28c94ab5c44cbf58fb91/reports/2713cb1d-303f-4c84-9501-0e927822642a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d948b795-4622-4901-9641-f99e98aaa311
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914339
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Encrypted powershell cmdline option found
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses cmd line tools excessively to alter registry or file data
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546817 Sample: MGYq1sRx0B Startdate: 31/12/2021 Architecture: WINDOWS Score: 100 79 Antivirus detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 .NET source code references suspicious native API functions 2->83 85 6 other signatures 2->85 12 MGYq1sRx0B.exe 1 2->12         started        15 cmd.exe 2->15         started        17 rdpdr.sys 2->17         started        process3 signatures4 97 Encrypted powershell cmdline option found 12->97 19 powershell.exe 14 23 12->19         started        24 conhost.exe 12->24         started        26 conhost.exe 15->26         started        28 net.exe 15->28         started        process5 dnsIp6 77 45.61.137.172, 49723, 80 AS40676US United States 19->77 71 C:\Users\user\AppData\Local\Temp\start.vbs, Little-endian 19->71 dropped 89 Uses cmd line tools excessively to alter registry or file data 19->89 91 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 19->91 93 Powershell drops PE file 19->93 30 wscript.exe 1 19->30         started        file7 signatures8 process9 signatures10 99 Wscript starts Powershell (via cmd or directly) 30->99 101 Bypasses PowerShell execution policy 30->101 103 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 30->103 33 powershell.exe 51 30->33         started        process11 file12 67 C:\Windows\Branding\mediasvc.png, PE32+ 33->67 dropped 69 C:\Windows\Branding\mediasrv.png, PE32+ 33->69 dropped 87 Uses cmd line tools excessively to alter registry or file data 33->87 37 reg.exe 33->37         started        40 cmd.exe 33->40         started        42 cmd.exe 33->42         started        44 9 other processes 33->44 signatures13 process14 file15 95 Creates a Windows Service pointing to an executable in C:\Windows 37->95 47 cmd.exe 40->47         started        49 cmd.exe 42->49         started        73 C:\Users\user\AppData\Local\...\p2rrm2mz.dll, PE32 44->73 dropped 75 C:\Users\user\AppData\Local\...\f1fedlm2.dll, PE32 44->75 dropped 51 cvtres.exe 44->51         started        53 cvtres.exe 44->53         started        55 conhost.exe 44->55         started        57 3 other processes 44->57 signatures16 process17 process18 59 net.exe 47->59         started        61 net.exe 49->61         started        process19 63 net1.exe 59->63         started        65 net1.exe 61->65         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735/
Threat name:
Win64.Trojan.Ulise
Create hunting rule
Status:
Malicious
First seen:
2021-12-31 15:59:09 UTC
File Type:
PE+ (Exe)
Extracted files:
12
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
043d74057370b18ec933764ae5c0fa80be90af1d41761c0a2f34f9d8c56542e5
255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5
58514fa7288607858aae17799ded4bb96d5f9b78733ad1ca2cece597d5516d44
5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
6eca26fcfabbb12c6a37eb689de222e75b31574dd25e7fd3d8b446d700c40133
9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724
efa22ab0015899c95aa6582cc90314de8d4cf2f52d3267eba50482b75d060ac5
ff257a7b22badf7948f21dd5dfaf008dd72895aa63bc6a1c5838cbe26036bbe7
+ 191 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211231-te3l6shae7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Unpacked files
SH256 hash:
273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735
MD5 hash:
a004013371075add8b8f30259e48b9bc
SHA1 hash:
dfb28cd1750b0a8998cb7ca5b3dcab1ee31d2dd1
Link:
https://www.unpac.me/results/d6640d50-6f2a-4204-9b24-4f9b1bb014b4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/273ad5a2b3f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1939016/
Cape
Cape
https://www.capesandbox.com/analysis/216951/

Comments


Avatar
zbet commented on 2021-12-31 15:58:48 UTC

url : hxxp://45.144.225.57/USA/vudsieos500us.exe