MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 322f8b985672fe452211e1299a29037be69a9b467e8a8cdcad02afd0835e1dee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11

SHA256 hash: 322f8b985672fe452211e1299a29037be69a9b467e8a8cdcad02afd0835e1dee
SHA3-384 hash: 69f85339fb5629c802019da23ddde71e24cbe4ec05d3e5ff348210e1076a1977369d4cc68e9a25d28a9e1f5f49a76296
SHA1 hash: 047b845b1fe47b819de4b31ade6e504aa0288e06
MD5 hash: 9b57e42650ac3801c41097a7a67c8797
humanhash: monkey-december-angel-zebra
File name: file
File size: 391'168 bytes
First seen: 2022-09-15 23:23:38 UTC
Last seen: 2022-09-18 18:36:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6ff4f960cdca9799b658777401117540 (2 x Smoke Loader, 1 x RedLineStealer)
ssdeep: 6144:TFZHZNNCrw07qW5WzNSrcYlbl6w2EWVb2G03gNcryi2KTjig:h/N8rwgqW5aLYlbEBoGdTbKTj
Threatray: 5 similar samples on MalwareBazaar
TLSH: T1C384D010BBA0D035F1B752F4497A9399F53E7EA05B2494CB62D526EE27346E0EC3138B
TrID: 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      17.0% (.SCR) Windows screen saver (13101/52/3)
      13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: c8d8c8c8e0e4a099 (57 x Smoke Loader, 55 x Amadey, 20 x RedLineStealer)
Reporter: andretavare5
Tags: exe


andretavare5: Sample downloaded from http://79.110.62.91/files/Uni.exe

Intelligence

File Origin
# of uploads: 312
# of downloads: 348
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Uni.exe
Verdict: Malicious activity
Analysis date: 2022-09-15 17:05:27 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
Searching for the window
Creating a file in the system32 subdirectories
Creating a file
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: NetWalker Ransomware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 96 / 100
Signature:
Contains functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Threat name: Win32.Trojan.Raccoon
Status: Malicious
First seen: 2022-09-14 06:33:57 UTC
File Type: PE (Exe)
Extracted files: 25
AV detection: 28 of 41 (68.29%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: RansomwareTest4
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by