MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8
SHA3-384 hash: 6ac23a0fbd75d355661c19137e051e4bf10905927334c757a6da6d9e7825abe79327aed31d180c908bce40c104400fd8
SHA1 hash: 31adf1873277d5c64f1533a257de3f4fd67d6ad8
MD5 hash: 22e35bea6a2653c8393db13a83b0cf97
humanhash: wolfram-neptune-blue-rugby
File name:file
Download: download sample
File size:67'072 bytes
First seen:2024-04-26 11:22:10 UTC
Last seen:2024-06-24 09:22:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:sk9ZzquzrUThATah2OeHenNO3ByiGbhwkapILOHn3cU+:sk9ZZri2aRnN2ctf
TLSH T11863C03A856A79FFFED80EFD48262B514DBC6142421D562EA8CCA03F7B791584D46B30
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Bitsight
Tags:exe


Avatar
Bitsight
url: https://vk.com/doc5294803_668998749?hash=jpzRjRp4XjUuq6pm7wJRJLcc9A5fxja4fUN0y7zVgw8&dl=xwJfCiff01ZFmZ3TZU5A8wLF6n11neLYx3wpqZUBOJw&api=1&no_preview=1#cap

Intelligence

File Origin
# of uploads :
2
# of downloads :
330
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8.exe
Verdict:
Malicious activity
Analysis date:
2024-04-26 11:25:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/10a00cf9-583b-41a6-88fe-61c3fece2bfa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Changing a file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/662b8e9831969e154425c7b8/reports/a3ceb7f4-b80b-45d3-9969-fd89e0c19f2e/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ab9cea4b-863a-41b6-a7cf-c3aeaa285ec9
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1432105
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1432105 Sample: file.exe Startdate: 26/04/2024 Architecture: WINDOWS Score: 64 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Machine Learning detection for sample 2->52 7 msedge.exe 118 618 2->7         started        10 file.exe 9 2->10         started        process3 signatures4 54 Maps a DLL or memory area into another process 7->54 12 msedge.exe 7->12         started        15 identity_helper.exe 7->15         started        17 identity_helper.exe 7->17         started        25 3 other processes 7->25 19 chrome.exe 2 10->19         started        21 msedge.exe 10 10->21         started        23 WerFault.exe 19 16 10->23         started        process5 dnsIp6 38 bzib.nelreports.net 12->38 40 sb.scorecardresearch.com 18.173.166.42, 443, 49736 MIT-GATEWAYSUS United States 12->40 46 17 other IPs or domains 12->46 42 192.168.2.6, 443, 49698, 49703 unknown unknown 19->42 44 239.255.255.250 unknown Reserved 19->44 27 chrome.exe 19->27         started        30 msedge.exe 21->30         started        process7 dnsIp8 32 xot.traxa41.net 27->32 34 addons.i7con.net 23.106.238.238, 443, 49746, 49752 LEASEWEB-USA-SFO-12US United Kingdom 27->34 36 www.google.com 142.250.217.196, 443, 49703, 49704 GOOGLEUS United States 27->36
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8/
Threat name:
Win64.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-04-25 20:38:41 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2fpgmnnxhgumgc24x3zqikxez7phrxeztozimrg5znozbcv7lua._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240426-ng5awsfd27/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8
MD5 hash:
22e35bea6a2653c8393db13a83b0cf97
SHA1 hash:
31adf1873277d5c64f1533a257de3f4fd67d6ad8
Link:
https://www.unpac.me/results/e85efa3d-9ab3-4728-9d97-8e6e1fd02fc3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments