MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e33646af11edd6a72cf40878321b75e9bb15d7c0036e2f5e85328d93ad59624. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	2e33646af11edd6a72cf40878321b75e9bb15d7c0036e2f5e85328d93ad59624
SHA3-384 hash:	4cf4f7e5900b4a14e95597feddcf6e78528a59659bf07f31ae8884bc7528da37e3b523957a13ecc3a8320bf82fd74b95
SHA1 hash:	2e0b53beec038f8a08cdf5ea37f27baa89572172
MD5 hash:	bea508661d4d647e0315d4d57ab51e55
humanhash:	football-delaware-colorado-blossom
File name:	bea508661d4d647e0315d4d57ab51e55.exe
Download:	download sample
File size:	392'704 bytes
First seen:	2022-01-31 04:06:18 UTC
Last seen:	2022-01-31 06:17:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	96d23ad043aec44e0f09eac5da748b9e
ssdeep	6144:S9eAYvz6jW9z0EqDgNczWxMp+nKjCtUdNzu0c17nPLWE42GrZTCx:S4AsqDI8WxC+KjQUPu0c1rLWE4l4
Threatray	12 similar samples on MalwareBazaar
TLSH	T18C84F114C123584BFAF50FBAA4EFA5904490D71E8CE19ABFD3B21EF9F266419BC27051
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bea508661d4d647e0315d4d57ab51e55.exe

Verdict:

No threats detected

Analysis date:

2022-01-31 04:12:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/536f3505-a631-4caa-90a2-cf7d75db728b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/228252/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.38797639.31293.26385.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

DNS request

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5554/overview

Behaviour

MalwareBazaar

CPUID_Instruction

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug

Link:

https://www.filescan.io/uploads/61f76069d7fd65ae55fa4c23/reports/6f93812b-e881-47b8-86a9-31a9ba5725e3/overview

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cb203489-c7d1-45de-87d9-67bfc4e544fe

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/930517

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e33646af11edd6a72cf40878321b75e9bb15d7c0036e2f5e85328d93ad59624/

Threat name:

Win32.Trojan.Khalesi

Status:

Malicious

First seen:

2022-01-29 17:34:17 UTC

File Type:

PE (Exe)

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Verdict:

malicious

0d2f32ffdd04533ce4fe143bc4027af30e4c32288ddd849dd4ccb3153dde43e1

0e404aeb6c6fb5360901415bc80221dcd9c11ba2208edce84be331303ed4b9f8

3aebe23f4762a2b9990460fb4c4ab71a43890a44882fb6e8ac41a45433c337ad

4210b05312e9a06b4a75a26a056383e848d33250d2de4ea61f5d2e1352f5eabc

806991a2798d80583e6667ff51b4a3898cc3a40f18a1d009c9029d28d309e54b

a89ff87aa9106309d6b08c1f39b157d2d5d020231a53c7cde84996df49b2b8f0

b055a943d1304210434ea8e7a0ceefd39f65384b1da71ad565d88d41f4858013

ed1b45598a2a00407f9c28dca2548310b337781035a1bbc5600d5c531aad0ef5

fa60e517ee864bed74a9cdf0dc41efe86190a442df1ffda8b4f59f9890f0c22a

+ 2 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220131-epntfafdc9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

59cfdfcc586bc430f73ac85c1383950ed6c81430d49e801e32c4b868ce6dd77b

MD5 hash:

dd3fb3416b8e11a8a0dd86ab48b9c046

SHA1 hash:

6a73020ceef33868fba7e40c6165200337a0c475

Link:

https://www.unpac.me/results/0f7d1fec-c562-4ad2-9129-48dee815b549/

SH256 hash:

2e33646af11edd6a72cf40878321b75e9bb15d7c0036e2f5e85328d93ad59624

MD5 hash:

bea508661d4d647e0315d4d57ab51e55

SHA1 hash:

2e0b53beec038f8a08cdf5ea37f27baa89572172

Link:

https://www.unpac.me/results/0f7d1fec-c562-4ad2-9129-48dee815b549/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.40

Link:

https://yomi.yoroi.company/submissions/2e33646af11edd6a72cf40878321b75e9bb15d7c0036e2f5e85328d93ad59624

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_References_SecTools Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many IR and analysis tools

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/228252/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample