MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d5407433a0d0a90d5ea37643701e5526a6d1e5cc1d1a35bd290a55913302901. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d5407433a0d0a90d5ea37643701e5526a6d1e5cc1d1a35bd290a55913302901
SHA3-384 hash: 581b7fdb8bdefe2aa29df71072bd1d3ae9049649a5351e6dd0d047772ae402592a152721d0d2ebad54b4168bfa72433c
SHA1 hash: cef3e77aa705cf6b4e295c9c852a559889404a19
MD5 hash: a0bc1018301f353dc99fdb2c973dbbeb
humanhash: mockingbird-victor-pasta-quebec
File name:a0bc1018301f353dc99fdb2c973dbbeb
Download: download sample
File size:1'396'770 bytes
First seen:2022-01-08 12:19:34 UTC
Last seen:2022-01-08 13:32:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d7dd6fa75115d9909f747434e40fff68 (173 x RedLineStealer, 10 x DCRat, 1 x CoinMiner.XMRig)
ssdeep 24576:bEV6zCdkXp0oNKqScU6mA/jWcu1f/t2tzIvoGLtFMYWYkEaHNYK3pB1/:bEV4CdZgOAr/u92EoGLtV1NaT
Threatray 10'333 similar samples on MalwareBazaar
TLSH T1EC55239322DDBC51D33618B0B7370AC5DB2E9E0A4A95D51F5AE10E91F63C0277E6BB80
File icon (PE):PE icon
dhash icon 414555c0d4d44503 (15 x njrat, 14 x BlackNET, 8 x Lucifer)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a0bc1018301f353dc99fdb2c973dbbeb
Verdict:
Malicious activity
Analysis date:
2022-01-08 12:23:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4763f1b2-ee98-4fd5-8fc1-e05a0cf13350

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217815/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61d9817a02e388f9fdb64841/reports/c7229ce6-124d-45fe-8237-f2c841c70631/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82d9259b-9328-4ba2-96c7-e743cb811a1b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917131
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d5407433a0d0a90d5ea37643701e5526a6d1e5cc1d1a35bd290a55913302901/
Threat name:
ByteCode-MSIL.Infostealer.Anagra
Create hunting rule
Status:
Malicious
First seen:
2022-01-04 18:59:24 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
27 of 43 (62.79%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
4bf2c570bdaa5ff9badaa1e6659c7c62fd65d5c1b1edaa26ed10282fefc92e9d
5af14eed5da9b6c6341581bd9e989db2f8fce94452463afebc4581ab07d37f11
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
ca5bd676278cfa46a1630e6d98cf4651a3a3b0a7a11fe0e0ca727be261e04e94
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
d432be6fd56140d4e9d3d207020c464277e729fea06bd1c3ef6adb491a772957
+ 10'323 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/220108-phr8dsdab8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/8f6f959e-87d4-44ff-bedf-0802cc550715/
SH256 hash:
5fb6d78a005855a735c538d79004ccaf042622431fdba5047539f1a6e05f704e
MD5 hash:
a31b2af1ec483b292571ee5ae2a7f1e4
SHA1 hash:
38103d01af73ca2a94c571cd442704fd2bbeb6ec
Link:
https://www.unpac.me/results/8f6f959e-87d4-44ff-bedf-0802cc550715/
SH256 hash:
2d5407433a0d0a90d5ea37643701e5526a6d1e5cc1d1a35bd290a55913302901
MD5 hash:
a0bc1018301f353dc99fdb2c973dbbeb
SHA1 hash:
cef3e77aa705cf6b4e295c9c852a559889404a19
Link:
https://www.unpac.me/results/8f6f959e-87d4-44ff-bedf-0802cc550715/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2d5407433a0d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d5407433a0d0a90d5ea37643701e5526a6d1e5cc1d1a35bd290a55913302901

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2d5407433a0d0a90d5ea37643701e5526a6d1e5cc1d1a35bd290a55913302901

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217815/
  
URLhaus
https://urlhaus.abuse.ch/url/1957592/

Comments


Avatar
zbet commented on 2022-01-08 12:19:35 UTC

url : hxxp://squidgame.to/ma.exe