MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e0f2a82868cc31985e9b8c022f852919033c666382aaa3026c456b9c449db3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e0f2a82868cc31985e9b8c022f852919033c666382aaa3026c456b9c449db3d
SHA3-384 hash: d3b215b8d4e46ea3d6163d83380d5ed410b965df17d478c4f233c1b802801ab2cfddd6342237d56d28317a5b6315c2ea
SHA1 hash: b3be3c2a7455d89cfec2fdbaf93a9f8ebcf4a406
MD5 hash: dd6c66d5250437db33b821f5d2c90aa2
humanhash: happy-august-minnesota-iowa
File name:Cheto Updated.exe
Download: download sample
File size:5'017'600 bytes
First seen:2023-03-20 18:27:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 84bb1ac192dd1d591766b467b12ade64 (8 x CoinMiner, 5 x DCRat, 2 x RedLineStealer)
ssdeep 98304:Kmz0W3de75qz67ThdyKBj/rhLdaH+Cn5S4YztVm5BppzAaWMr:dzz3detq23hIKBzVxGA4Y3sBTzWMr
Threatray 54 similar samples on MalwareBazaar
TLSH T1DC36337C2CE00EE5C9B28EFE71842061E73D21568997646F67E4682F684CCEB8F0B557
TrID 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
25.4% (.EXE) Win32 Executable (generic) (4505/5/1)
11.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
11.4% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 004cc6c8d8fc38c8
Reporter tech_skeech
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Cheto Updated.exe
Verdict:
Malicious activity
Analysis date:
2022-11-19 17:07:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d6fdc9e3-00e3-4a37-bb2c-f5dd76bc036b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375992/
Detection(s):
PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file in the Program Files subdirectories
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat enigma njrat packed shell32.dll
Link:
https://www.filescan.io/uploads/6418a5b4c60b3295f52c2483/reports/7268b16d-9458-4a0c-a13d-2ceb89ab321b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2e0f2a82868cc31985e9b8c022f852919033c666382aaa3026c456b9c449db3d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/189644dc-2fd1-4370-bdd9-060cce9c1ae9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1197994
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check for running processes (XOR)
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Found hidden mapped module (file has been removed from disk)
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 830894 Sample: Cheto_Updated.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 50 Antivirus detection for dropped file 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 6 other signatures 2->56 6 Cheto_Updated.exe 3 2->6         started        10 Updater.exe 2->10         started        12 cmd.exe 1 2->12         started        14 10 other processes 2->14 process3 file4 38 C:\Users\user\AppData\Roaming\conhost_8.exe, PE32+ 6->38 dropped 40 C:\Users\user\AppData\...\Cheto Updated.exe, PE32+ 6->40 dropped 58 Detected unpacking (changes PE section rights) 6->58 60 Hides threads from debuggers 6->60 16 conhost_8.exe 3 6->16         started        20 Cheto Updated.exe 6->20         started        42 C:\Windows\Temp\zriucnjh.tmp, PE32+ 10->42 dropped 62 Writes to foreign memory regions 10->62 64 Modifies the context of a thread in another process (thread injection) 10->64 66 Adds a directory exclusion to Windows Defender 10->66 68 Maps a DLL or memory area into another process 10->68 22 conhost.exe 10->22         started        70 Uses cmd line tools excessively to alter registry or file data 12->70 72 Uses powercfg.exe to modify the power settings 12->72 74 Modifies power options to not sleep / hibernate 12->74 24 reg.exe 1 12->24         started        26 reg.exe 1 12->26         started        28 reg.exe 1 12->28         started        32 8 other processes 12->32 76 Creates files in the system32 config directory 14->76 78 Uses schtasks.exe or at.exe to add and modify task schedules 14->78 30 conhost.exe 14->30         started        34 27 other processes 14->34 signatures5 process6 file7 36 C:\Program Files\Realtek\...\Updater.exe, PE32+ 16->36 dropped 44 Antivirus detection for dropped file 16->44 46 Multi AV Scanner detection for dropped file 16->46 48 Adds a directory exclusion to Windows Defender 16->48 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e0f2a82868cc31985e9b8c022f852919033c666382aaa3026c456b9c449db3d/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2022-11-03 00:06:51 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
27 of 39 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fyhsvaugrtbrtbpjxdacf6cssgidhrtghavkumbgyrlltrcj3m6q._file
Verdict:
malicious
Similar samples:
4087249b32bc81f6df39a587acd55b0f0cf59a53d14f734a05886ff3e1bdaaa2
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab
5b7b0e71f4c87a7613b0ce686eb6ad70c9fc4b2e4f1cb696a3e5541a8d69a093
7812b5f5fd710358255d8847f61729386cb982c55beb12a77e240d3377aaeafb
89a342bb20ad895c86665599e40ecd591b2993f5a1b343768dbb7af038aebd31
9a938f47030e9b34dcee96382fae40ed2f980299e1ced3a04c19c859b24ae40c
ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1
dd84819f9d2e108ac8dbbfedf10d61f787b6082f02ddb63ca05c98d78e877597
ffa4485b730b662d6c9e65a4e6b8687c3037838f582839821eefae481c327baf
+ 44 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion
Link:
https://tria.ge/reports/230320-w4b7maeh32/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Stops running service(s)
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
2e0f2a82868cc31985e9b8c022f852919033c666382aaa3026c456b9c449db3d
MD5 hash:
dd6c66d5250437db33b821f5d2c90aa2
SHA1 hash:
b3be3c2a7455d89cfec2fdbaf93a9f8ebcf4a406
Link:
https://www.unpac.me/results/20297855-dc51-4568-8e34-4d3ba0f1a2ec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2e0f2a82868c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e0f2a82868cc31985e9b8c022f852919033c666382aaa3026c456b9c449db3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2e0f2a82868cc31985e9b8c022f852919033c666382aaa3026c456b9c449db3d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/375992/

Comments