MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30979d6192d60158768f4bf3955399bf3289592403b4899fe7fe5de57d6e664a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30979d6192d60158768f4bf3955399bf3289592403b4899fe7fe5de57d6e664a
SHA3-384 hash: babe12880ee647d5c3619f18c75db8b4dc06aa0ad2e1fe63447aec350c0aec87f3d0836969ab5824568d585a8b492587
SHA1 hash: 6b20007f61a51fb719d27dc9c5d99e8a8a8066f2
MD5 hash: 34fcdc06ca43251810ea456d364e386b
humanhash: fish-october-island-north
File name:quietmoth (2).exe
Download: download sample
File size:904'192 bytes
First seen:2022-08-03 06:19:55 UTC
Last seen:2022-08-03 07:05:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c3af21bbc005d7817532ba12b695386b
ssdeep 12288:rovsVlhFS1WtJP0q6YSZ7V9fVmKSH1iSka:EEVlhF8WzPvSZB9K
Threatray 2'169 similar samples on MalwareBazaar
TLSH T1AC15191BF76344EDC67AC17086679372BA70F82546316A3E2F55CB312F21E605A2EB34
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
quietmoth (2).exe
Verdict:
No threats detected
Analysis date:
2022-08-03 06:58:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bfc4bced-180d-409c-9d34-5b3d1ce7eecc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296076/
Detection(s):
SecuriteInfo.com.Variant.Tedy.180003.6877.3789.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Running batch commands
Сreating synchronization primitives
Searching for the window
Sending a custom TCP request
Downloading the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/62ea13d89ca9b9bfcbe6981b/reports/344fdad5-c30b-417f-a863-e21a1f2f28be/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/74e23e66-6f1b-467b-9811-971c8c628fc6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1045392
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Download and Execute IEX
Suspicious powershell command line found
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30979d6192d60158768f4bf3955399bf3289592403b4899fe7fe5de57d6e664a/
Threat name:
Win64.Trojan.Rozena
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 02:58:16 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gclz2yms2yavq5upjpzzku4zx4ziswjeao2ith7h7zo6k7lomzfa._file
Verdict:
malicious
Similar samples:
2e0aa995df9b6a99e37601b1d7dea6fb85f6c7130980a8c2a275370efb6f0236
36e08c2df39cd84d8969a95de6a6882fbc954e7ca31a5a5d4be8ec33cfa84649
5850d3b23060abb351ae9dafecfe7c19c9e890004f4c14f8ee7d164838fc356b
5e37ccb3f0327957d04963703bdc9e31a121da9d44ef83abcbb388165e76d5db
6cfd239899f3900e6eaa1c1b2a11ddb8b082ee224fb1014bdc9baadb61611135
b8c1ef5da202475f7113c36a014ebeda72a235c4ed16b2ba0244ee95c6e44053
ce07b1122ef0305ce0dd1588394295073545df0b5a91c63f6ab6eaf5b7f74091
ce309a2f5d17fa9dc0957947d401699492ca6f9d63206486d947aea54c65c589
de85e7754cdb6c18d93f074d58406b4b4e91466cb53e82f962535452ebc2b9d9
ec76ecb58f5ec6d02f2b125102c9fe613891582a7607535a39e1b598cbfc5622
+ 2'159 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220803-g3rtcsfhf5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://78.85.17.88:8443/reverse.ps1
Unpacked files
SH256 hash:
30979d6192d60158768f4bf3955399bf3289592403b4899fe7fe5de57d6e664a
MD5 hash:
34fcdc06ca43251810ea456d364e386b
SHA1 hash:
6b20007f61a51fb719d27dc9c5d99e8a8a8066f2
Link:
https://www.unpac.me/results/c3817fea-391a-4c7b-a518-df0d3d3165fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30979d6192d60158768f4bf3955399bf3289592403b4899fe7fe5de57d6e664a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296076/

Comments