MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 306d6bd23ada083d65c640baab9ef36eca957d155c055deb38c4f912421ad4ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 306d6bd23ada083d65c640baab9ef36eca957d155c055deb38c4f912421ad4ce
SHA3-384 hash: 7d41e0ea798c445a048c5d59f092b17d3e3e4240d53160dbbd79349f8496d969017387ca5cf46f1f9f27c1a2cb55fc4d
SHA1 hash: 43c2e6e75de89d764611fcc5a505066abc6546a5
MD5 hash: bafd23730360a9472f6ef48ec5282d0c
humanhash: delaware-washington-table-golf
File name:days-and-tenoke-x28tleLRE4kk.exe
Download: download sample
File size:5'491'800 bytes
First seen:2023-08-22 20:01:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e92b45c54aa05ec107d5ef90662e6b33 (363 x GCleaner, 38 x Socks5Systemz, 3 x Backdoor.TeamViewer)
ssdeep 98304:FibYe0pZw8uqrRqLgD5ks6X3T0+0ke/bqk+KS/n5zENJYTW3jds2dHa4IXTO48kk:cMDigRi3TVZS+j/O0TW3J5HadOr
Threatray 792 similar samples on MalwareBazaar
TLSH T18D463359DBD05833EA0783B06D88412841EEFBAD2B6FE7902E8447DC6CEF995528D317
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter smica83
Tags:exe HUN

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
days-and-tenoke-x28tleLRE4kk.exe
Verdict:
Malicious activity
Analysis date:
2023-08-22 20:03:53 UTC
Tags:
adware DownloadAssistant
Link:
https://app.any.run/tasks/29f5a70b-8789-4c81-bae8-00778ffcebb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444227/
Detection(s):
PUA.Win.Packer.Overlay-1
Create hunting rule

SecuriteInfo.com.Downloader.Generic7.ITV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Modifying a system file
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108334/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64e5143ac5baea601a2915d1/reports/4b6e2691-b564-49e2-82aa-74f6cdfb36e0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/306d6bd23ada083d65c640baab9ef36eca957d155c055deb38c4f912421ad4ce
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f702901b-bccb-485c-b710-2ae69fd64b9a
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1295478
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1295478 Sample: days-and-tenoke-x28tleLRE4kk.exe Startdate: 22/08/2023 Architecture: WINDOWS Score: 72 54 Multi AV Scanner detection for submitted file 2->54 56 Detected unpacking (changes PE section rights) 2->56 58 Detected unpacking (overwrites its own PE header) 2->58 60 Machine Learning detection for dropped file 2->60 8 days-and-tenoke-x28tleLRE4kk.exe 2 2->8         started        process3 file4 42 C:\Users\user\AppData\Local\...\is-HLFI8.tmp, PE32 8->42 dropped 11 is-HLFI8.tmp 12 87 8->11         started        process5 file6 44 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 11->44 dropped 46 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 11->46 dropped 48 C:\...\unins000.exe (copy), PE32 11->48 dropped 50 39 other files (26 malicious) 11->50 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 11->62 15 SubtitleExtractor.exe 11->15         started        18 SubtitleExtractor.exe 1 11->18         started        20 net.exe 1 11->20         started        22 2 other processes 11->22 signatures7 process8 dnsIp9 52 millionjobs.works 172.67.186.89, 49735, 49738, 80 CLOUDFLARENETUS United States 15->52 24 WerFault.exe 15->24         started        40 7 other processes 15->40 26 WerFault.exe 9 18->26         started        28 WerFault.exe 20 9 18->28         started        30 WerFault.exe 9 18->30         started        32 conhost.exe 20->32         started        34 net1.exe 1 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 22->38         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/306d6bd23ada083d65c640baab9ef36eca957d155c055deb38c4f912421ad4ce/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-22 20:02:06 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
8 of 23 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gbwwxur23ied2zogic5kxhxtn3fjk7ivlqcv32zyyt4reqq22tha._file
Verdict:
malicious
Similar samples:
708d6fa8d0f5cb40efb1f7bd168cdc52737d99e3fdd17d6cb9d14dfc8da59deb
751bac1e9305d5ee6fa68f8e1c9cc23775062207c92fd5bf595a09ceea1aa2a0
8ed637482a01e981c9cb40a2cfb9e33b46a14339e128191359b2844de410b3d8
9208e906eeb23ee392919954cc64260ccb3e57160fb720a13524821c4e09f5e2
9258e73ead7e385de4fb9b51981c7f6cfe643b949483702a54454cb20d39a36a
9acefbb6638612b03847da2c1652e3a1aae9d677b22f5c5d0e43022d8d08c6bb
e5447818976ad7af2ae55ccee4baab64d2a76ce8bcd43654ca8361dc19c91ad4
+ 782 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230822-yr4gfsfb75/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
fbe34d38d29932cabe261eb5b1d114922eb0119417a7dff139775c4deaaa91bc
MD5 hash:
d4e6f5a87000d37564a5d1eead71e18a
SHA1 hash:
4c0339312b3be7d800ff01bb66481eb43a351aec
Link:
https://www.unpac.me/results/52980d32-2a8c-43fb-a484-9e5745f23d10/
SH256 hash:
00c0dcc750a77639d8e6ecd4457bfb8972a1e93727996c0812080ad3d6ff4c50
MD5 hash:
2890a078fc25f65bcaf5b9f5b8d665cb
SHA1 hash:
3ffb52bbca04d61fe383a5a4c294ea82e09d32b0
Link:
https://www.unpac.me/results/52980d32-2a8c-43fb-a484-9e5745f23d10/
SH256 hash:
d3cbbb178a391e5c1b91cb8d5a1e6191a2e94641eb2c72039329d2167550f41f
MD5 hash:
e62bfce161700cf395de859fa9cd8c76
SHA1 hash:
ee07d617b96e9b214c5b6517f1a42451a93a7734
Link:
https://www.unpac.me/results/52980d32-2a8c-43fb-a484-9e5745f23d10/
SH256 hash:
4ee18c513b3eaf4842c338314b4c3faf976aa17802e29a0edd46776444199497
MD5 hash:
8f6a06c5a5d83117fcaa0c236ef90782
SHA1 hash:
1ae82cb9835ea7328826eae5f99989dfa0620647
Link:
https://www.unpac.me/results/52980d32-2a8c-43fb-a484-9e5745f23d10/
SH256 hash:
306d6bd23ada083d65c640baab9ef36eca957d155c055deb38c4f912421ad4ce
MD5 hash:
bafd23730360a9472f6ef48ec5282d0c
SHA1 hash:
43c2e6e75de89d764611fcc5a505066abc6546a5
Link:
https://www.unpac.me/results/52980d32-2a8c-43fb-a484-9e5745f23d10/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/306d6bd23ada/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/306d6bd23ada083d65c640baab9ef36eca957d155c055deb38c4f912421ad4ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SR_APT_DustSquad_PE_Nov19
Create hunting rule
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444227/

Comments