MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32956b679b4a3dd3b5d73731e06721e350ff3e50af4c0824e070e74e871a16cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	32956b679b4a3dd3b5d73731e06721e350ff3e50af4c0824e070e74e871a16cd
SHA3-384 hash:	07dfb25218994b06abb193970e6ebef600e1c6f2ab2c1f819963fcbbf5c071f1bedb3d2cc689e1c84d8f4db23e9c545e
SHA1 hash:	b26ecd64f777cdd0572a3d6921a4a5f9369a6f7a
MD5 hash:	22e6a09be5562b4034c57281eacbf15e
humanhash:	mountain-carolina-autumn-magazine
File name:	22e6a09be5562b4034c57281eacbf15e.exe
Download:	download sample
File size:	1'658'220 bytes
First seen:	2022-11-26 10:33:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:IAOcZwXYLxygGry9n3e5whKqBgvYc6uxUoNg1BGMb6ac2uWYj97mCzy:mesPe3xhxgv9SHBGMGacp/zy
Threatray	2'645 similar samples on MalwareBazaar
TLSH	T1C4752312BAD288B2D47218315934BB656D7D7C201F25DBBBB3E47E6CCA305E0A524B73
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

22e6a09be5562b4034c57281eacbf15e.exe

Verdict:

Malicious activity

Analysis date:

2022-11-26 10:35:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4a292129-b78d-4f53-86cf-3b79036b4680

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/338751/

Detection(s):

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit greyware overlay packed qakbot qbot setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/6381eb9c5be128ac718ef36b/reports/11ae8c5e-22ae-4244-b751-182003f3da16/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/98224995-7bd8-4443-9747-f61988a66aa3

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1121564

Signature

Antivirus detection for dropped file

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/32956b679b4a3dd3b5d73731e06721e350ff3e50af4c0824e070e74e871a16cd/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-11-26 05:59:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gkkwwz43ji65hnoxg4y6azzb4nip6psqv5gaqjhaodtu5by2c3gq._file

Verdict:

malicious

623d9a74747fe5ff5e72eb70d6ba2d2906eab55b5db50d796728e6d7ab492c79

aa005608adb8e7e3c775383f20f2608164056713bcbb92d0ec5c99994d8af750

b1f692dd52aae8317db7cfd262a4bcc053cf721fc7a00bf66f4acc7cb5cc6cbc

ba921e5bd4687eec051d4e646756bb2930ec900abf061b94761d6944f906afba

c3b54b1b12f48682ca31c77c5783db4c235268c52fcf11f2f7a3ee0364c9f8df

d18bad61d44b6c780686eb1592d212226f69a0a0b39dc9d67d00de32efc52115

db63c8d62b31662d3195d0b095eb93ddc03eee721a651bad767f4110e3e06601

fed743ba97ee8b48a3925816de1b2665d2a73bbf3bc75083fb9ade2855afc0ce

+ 2'635 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/221126-ml4dqaaa28/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/781a481b-9feb-4dff-a434-fb73c69bbc7f

Unpacked files

SH256 hash:

cc30b94b8b7b297183348a795e6a5a03b0662738ee207fb4c81f45c874ae0e5c

MD5 hash:

a077bb3db07a8f68f99eb8e28110f086

SHA1 hash:

60da9dd22b420114e73b7b0418dd6d581f469ee2

Link:

https://www.unpac.me/results/2525bd1f-7bb0-4323-ae02-f352f8c4e8a8/

SH256 hash:

8be9afa2253d00d61929ea067742de4eeb0b815cc0e4df601d46fd22c50c5110

MD5 hash:

a3b325a2950f64b26dbab3e6ac68d9db

SHA1 hash:

e0e192c62c43471c60d8544d4b4ae8bfbb5ccbae

Link:

https://www.unpac.me/results/2525bd1f-7bb0-4323-ae02-f352f8c4e8a8/

SH256 hash:

32956b679b4a3dd3b5d73731e06721e350ff3e50af4c0824e070e74e871a16cd

MD5 hash:

22e6a09be5562b4034c57281eacbf15e

SHA1 hash:

b26ecd64f777cdd0572a3d6921a4a5f9369a6f7a

Link:

https://www.unpac.me/results/2525bd1f-7bb0-4323-ae02-f352f8c4e8a8/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/32956b679b4a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/32956b679b4a3dd3b5d73731e06721e350ff3e50af4c0824e070e74e871a16cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

Rule name:	sfx_pdb_winrar_restrict Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 32956b679b4a3dd3b5d73731e06721e350ff3e50af4c0824e070e74e871a16cd

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2432932/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2405501/

URLhaus

https://urlhaus.abuse.ch/url/2414601/

Cape

https://www.capesandbox.com/analysis/338751/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample