MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d38b3e2d84638d146a476b7798635569f4f8c0841166a44b628260180d10ecd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d38b3e2d84638d146a476b7798635569f4f8c0841166a44b628260180d10ecd
SHA3-384 hash: 7b0a4a4d45a40452e5d164ed4b1723b706b141f9e701aad385abbad2d97710b87e4104ab805801ad56baf8fe7b058c43
SHA1 hash: d0b725553e5b0b8b875ffba92584f0cc25d18821
MD5 hash: 6900182a87854487f80569e112037417
humanhash: diet-salami-crazy-comet
File name:6900182a87854487f80569e112037417.exe
Download: download sample
File size:4'358'656 bytes
First seen:2022-03-14 19:08:37 UTC
Last seen:2022-04-20 10:20:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 511cff895609a1cf1f0a80aeee92ffc8 (3 x ZeuS, 2 x CryptBot)
ssdeep 98304:dxZndFgYMJrfOFLrzOQu5k0+QpjyGPOaEBM4h:XZdyRKLOp5k/QpjDPOaEBM
Threatray 9'971 similar samples on MalwareBazaar
TLSH T107163362F552BAB8E33405B4630B42533A36A636E7F5E1327ADF22754D8263F47C5B08
File icon (PE):PE icon
dhash icon b270f8c4e4b4e4c0 (2 x ZeuS, 2 x CryptBot, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250399/
Detection(s):
SecuriteInfo.com.Variant.Zusy.416597.31167.30974.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating a window
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
autoit packed
Link:
https://www.filescan.io/uploads/622f92d8dfdfa8501c9f8757/reports/c15c0c40-a896-4ccf-8109-3dc476ef5843/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Zeus
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9cc76e9-83a4-4a05-b626-c089f175b634
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/956460
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 588945 Sample: Fu2c3sEMqJ.exe Startdate: 14/03/2022 Architecture: WINDOWS Score: 100 43 Multi AV Scanner detection for domain / URL 2->43 45 Antivirus detection for URL or domain 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 5 other signatures 2->49 7 Fu2c3sEMqJ.exe 1 22 2->7         started        11 Dekkoce.exe 2->11         started        process3 dnsIp4 41 sapyjn12.top 5.188.89.119, 49788, 80 PINDC-ASRU Russian Federation 7->41 51 Query firmware table information (likely to detect VMs) 7->51 53 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->53 55 Tries to harvest and steal browser information (history, passwords, etc) 7->55 57 2 other signatures 7->57 13 cmd.exe 2 7->13         started        16 cmd.exe 2 7->16         started        18 cmd.exe 2 7->18         started        20 5 other processes 7->20 signatures5 process6 signatures7 59 Tries to harvest and steal browser information (history, passwords, etc) 13->59 22 conhost.exe 13->22         started        24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        61 Uses schtasks.exe or at.exe to add and modify task schedules 20->61 28 expand.exe 9 20->28         started        31 conhost.exe 20->31         started        33 conhost.exe 20->33         started        35 4 other processes 20->35 process8 file9 37 C:\Users\user\AppData\...\Dekkoce.exe (copy), PE32 28->37 dropped 39 C:\...\265d7f0c9705ea48978e5cb22c84f269.tmp, PE32 28->39 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d38b3e2d84638d146a476b7798635569f4f8c0841166a44b628260180d10ecd/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 19:09:17 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
22 of 42 (52.38%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1ea344df676e38129a21b994a29ba66cc814348ae6bb99bd068b4c5cc51e27b0
34d14ab08b41d288019d4966b337e5ee13d07cdb652dabf51834bac44c0052f8
5232589e3096a9f29234f1927955c884e544b6177d027658bac201a64a63ce25
74da2e5d659f93e151c0c79b2a09691299689ac406c7c5d04d7cfeac79ee7a13
acda9ae5a6c865eb3291e1bb7cc41e6b0f86a12e180c984a2f4fcb302505021b
b1e542752d5c1a59c5efa28cd63de4235b394bdd700c3e3fb6daf71e10de7d72
d565f4380b4f2d25673f08df8e88d331e0daf7946a73c83e8d1630e2b347ddf9
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
f8462784c938c32e326abdba379d8944c9600f34ad85737efd6e7866d0bedff8
fda35cece63310cf205317722754efa6773e9faa0b787dcc7dadf46a7da10383
+ 9'961 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/220314-xtsmasbce7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
a8963f73faa0107ec530098960d6e9308b25a6b1fe0cfefc3e64c1ef7ac6bd35
MD5 hash:
61d826c4ff4849f0bfc91fee14f9a1db
SHA1 hash:
e59f5e774491843a69becb69ed377ecd8c8ecf37
Link:
https://www.unpac.me/results/1d1e5ae5-2746-4f4c-b885-7b12349bad6b/
SH256 hash:
2d38b3e2d84638d146a476b7798635569f4f8c0841166a44b628260180d10ecd
MD5 hash:
6900182a87854487f80569e112037417
SHA1 hash:
d0b725553e5b0b8b875ffba92584f0cc25d18821
Link:
https://www.unpac.me/results/1d1e5ae5-2746-4f4c-b885-7b12349bad6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/2d38b3e2d84638d146a476b7798635569f4f8c0841166a44b628260180d10ecd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2d38b3e2d84638d146a476b7798635569f4f8c0841166a44b628260180d10ecd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2086285/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/250399/

Comments