MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b69b50bcff621d3f3878cd38f266cd2c9af5378176243169387d800dd134a8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b69b50bcff621d3f3878cd38f266cd2c9af5378176243169387d800dd134a8b
SHA3-384 hash: d37cdb73d17fc421c0a9a2875a2c9e6185e56c011a3938cf6b97f12ea29dcb4129263f740bffb69a25cdf00c8bc3c9e2
SHA1 hash: 16a58797cfd78bd1880e5f612c9b88a7467e3aad
MD5 hash: 957866143ac60907937282a5dc529340
humanhash: earth-eighteen-july-seventeen
File name:virussign.com_957866143ac60907937282a5dc529340
Download: download sample
File size:262'993 bytes
First seen:2022-07-15 17:02:20 UTC
Last seen:2024-07-24 12:36:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5d90989f29f36dacd92090770e1f3b9e
ssdeep 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6x:Plf5j6zCNa0xeE3mw
Threatray 5 similar samples on MalwareBazaar
TLSH T1344413C2A6D95AA6FCC619772A27DFC41B95FE3119C609117A04B17F09F7381AE23323
TrID 35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0e4a2aaa4b8a888 (10 x DarkWatchman, 5 x SnakeKeylogger, 5 x Formbook)
Reporter KdssSupport
Tags:exe


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
virussign.com_957866143ac60907937282a5dc529340
Verdict:
Suspicious activity
Analysis date:
2022-07-16 02:02:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d41480f3-f9e2-421b-a24c-6a3199bc251c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/290355/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.Generic-42
Create hunting rule

Win.Worm.Autorun-794
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the Windows directory
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Moving a file to the Program Files subdirectory
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Changing the Windows explorer settings to hide files extension
Blocking a possibility to launch for cmd.exe command interpreter
Blocking the Windows File Protection
Enabling autorun
Blocking the Windows Security Center notifications
Blocking the System Restore
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling a "Do not show hidden files" option
Enabling threat expansion on mass storage devices
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62d19e2c3ec0b068997be54f/reports/24667078-5c8b-4008-a861-1432674fc167/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1033383
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes autostart functionality of drives
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Disables the Windows registry editor (regedit)
Disables Windows system restore
Drops executables to the windows directory (C:\Windows) and starts them
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 665877 Sample: 4b975kbTqK.com_957866143ac6... Startdate: 16/07/2022 Architecture: WINDOWS Score: 96 39 Antivirus detection for dropped file 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->43 45 Multi AV Scanner detection for submitted file 2->45 7 4b975kbTqK.exe 11 9 2->7         started        process3 file4 23 C:\Windows\SysWOW64\tntcwhwy.exe, PE32 7->23 dropped 25 C:\Windows\SysWOW64\mxgguwoalkjpizb.exe, PE32 7->25 dropped 27 C:\Windows\SysWOW64\heqitnrulr.exe, PE32 7->27 dropped 29 5 other malicious files 7->29 dropped 47 Drops executables to the windows directory (C:\Windows) and starts them 7->47 11 heqitnrulr.exe 12 1 7->11         started        14 tntcwhwy.exe 4 7->14         started        17 gqelpjcbmirak.exe 7->17         started        19 2 other processes 7->19 signatures5 process6 file7 49 Antivirus detection for dropped file 11->49 51 Changes security center settings (notifications, updates, antivirus, firewall) 11->51 53 Changes autostart functionality of drives 11->53 55 4 other signatures 11->55 21 tntcwhwy.exe 11->21         started        31 C:\Program Files (x86)\...\Test2.doc.exe, PE32 14->31 dropped 33 C:\Program Files (x86)\...\Test.doc.exe, PE32 14->33 dropped 35 C:\...\Test2.doc.exe:Zone.Identifier, ASCII 14->35 dropped 37 C:\...\Test.doc.exe:Zone.Identifier, ASCII 14->37 dropped signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b69b50bcff621d3f3878cd38f266cd2c9af5378176243169387d800dd134a8b/
Threat name:
Win32.Trojan.Dorv
Create hunting rule
Status:
Malicious
First seen:
2022-06-25 07:28:54 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnu3kc6p6yq5h44hrtjy6jtm2le26u3yc5regfutq7mabxitjkfq._file
Verdict:
malicious
Similar samples:
1dbaf4ef51f0be9f5630472bbac96788e2b18e500a0bd40084ad3a21557d438a
40658c01ceae863527a537006f788fa5459cde7d636669713a41778898c901d5
49444feec95481546d0376dfbb73e3bdf91159798996811c5b63384cdbd387f1
7b7245d707b747e2b341a8b1b990ffa477ef156a435ccad9aaf5b90ffa8505d7
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/220715-vkpg6scgd4/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Modifies WinLogon
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Disables RegEdit via registry modification
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
Windows security bypass
Unpacked files
SH256 hash:
2b69b50bcff621d3f3878cd38f266cd2c9af5378176243169387d800dd134a8b
MD5 hash:
957866143ac60907937282a5dc529340
SHA1 hash:
16a58797cfd78bd1880e5f612c9b88a7467e3aad
Link:
https://www.unpac.me/results/9d91a768-68ee-4eb6-86db-926b76299791/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b69b50bcff621d3f3878cd38f266cd2c9af5378176243169387d800dd134a8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2b69b50bcff621d3f3878cd38f266cd2c9af5378176243169387d800dd134a8b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/290355/

Comments