MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 311f57a006abd7d319bec7dec2b591280a573a039223a48f62ba95da028857a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 311f57a006abd7d319bec7dec2b591280a573a039223a48f62ba95da028857a2
SHA3-384 hash: 0c365507ab4f3b1a64527575c98a964d7d0172f5bf8dcc299f8884479b8c0c4d4eba5fdf3145f4d172072921fb41571f
SHA1 hash: 579287991e41cc9be05d928a44dff09069bf4e0d
MD5 hash: c385d359140d34dbfd9c8b0fd61630cf
humanhash: kentucky-kentucky-zebra-uranus
File name:file
Download: download sample
File size:880'228 bytes
First seen:2022-09-02 10:06:17 UTC
Last seen:2022-09-05 11:43:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 38fffbc0c02ae24edfcd7355bf79545f (3 x XFilesStealer)
ssdeep 24576:+FhLUhqbxfByBC3aNGRiCjbO8YMvJl5sGJeLS:+FeqbxucRiCjbO87oLS
TLSH T1CC15F159B3F940F9E577D538C9924617E2B57C021760CBAF23A1865E2F233D09E3A722
TrID 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc743379129_647586319?hash=va4Xae9UC8QhcjMTTJHZ5OrkgkcZDw9b4CuvzX4n6D8&dl=G42DGMZXHEYTEOI:1662111481:3EUf0VGPLi8aFpPjwvB3zW9DbciVZi3dHSJ6AFQL6Ts&api=1&no_preview=1#aa14

Intelligence

File Origin
# of uploads :
33
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-09-02 10:08:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/27b3e611-551f-45fa-a1c3-6535201f4d93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307375/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61691706.12912.25516.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the system32 subdirectories
Creating a file
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36377/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6311d606a7450371f69bbb29/reports/99df9c52-93db-42bb-9a5e-620ba6dca808/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/15c2d867-4388-4248-92bd-d4d9ead1ba86
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1063936
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 696462 Sample: file.exe Startdate: 02/09/2022 Architecture: WINDOWS Score: 48 22 Multi AV Scanner detection for submitted file 2->22 8 file.exe 11 2->8         started        process3 file4 18 C:\Users\user\AppData\Local\...\System.exe, PE32+ 8->18 dropped 11 System.exe 4 8->11         started        process5 process6 13 cmd.exe 2 11->13         started        file7 20 C:\Users\user\AppData\Local\...\Danub.exe, PE32+ 13->20 dropped 16 conhost.exe 13->16         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/311f57a006abd7d319bec7dec2b591280a573a039223a48f62ba95da028857a2/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gepvpiagvpl5ggn6y7pmfnmrfaffooqdsir2jd3cxkk5uauik6ra._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220902-l5mdwacbbk/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
311f57a006abd7d319bec7dec2b591280a573a039223a48f62ba95da028857a2
MD5 hash:
c385d359140d34dbfd9c8b0fd61630cf
SHA1 hash:
579287991e41cc9be05d928a44dff09069bf4e0d
Link:
https://www.unpac.me/results/4fb3ff42-09db-42a7-8cb7-8bad651d63c6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/311f57a006abd7d319bec7dec2b591280a573a039223a48f62ba95da028857a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/307375/

Comments