MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35932eeee29750e11e5f50f5600fc9711c5cfce787edc77a7c9b1d09f7ebca2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35932eeee29750e11e5f50f5600fc9711c5cfce787edc77a7c9b1d09f7ebca2d
SHA3-384 hash: ad17e86d75c2c06f980aaf4c8fb7aff4b3934566ff5c5f08a167e3798b42eb7b636d6e8e55add86b4c2d8c38749595b5
SHA1 hash: 0d81f9c482df69335585802e96c4ca1f302aa735
MD5 hash: 6e3032465ebb908691af047b9a146f38
humanhash: ohio-diet-mirror-arizona
File name:35932eeee29750e11e5f50f5600fc9711c5cfce787edc77a7c9b1d09f7ebca2d
Download: download sample
File size:486'400 bytes
First seen:2020-11-15 23:18:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 647b2d25b4821905b4195ff7a6455b54 (5 x DarkComet)
ssdeep 6144:UxhGOBT+HzsZJbEtQ2vcs77JC763yUtA6MIb7GcFS/T04U/iJ+QtavKa+FAK6b9e:BloZZEOZYVCPauTr4vcS5LEwkVT
Threatray 9 similar samples on MalwareBazaar
TLSH 1AA4234B99FE088AC455F2B21ABB8A730A34DD4B4D90C1871FA7FE8C9D724558610F2F
Reporter seifreed

Intelligence

File Origin
# of uploads :
1
# of downloads :
58
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Moving a recently created file
Searching for the window
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/536930
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 317565 Sample: Hag4TPW3Ue Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 65 Multi AV Scanner detection for domain / URL 2->65 67 Antivirus detection for dropped file 2->67 69 Antivirus / Scanner detection for submitted sample 2->69 71 5 other signatures 2->71 8 Hag4TPW3Ue.exe 1 6 2->8         started        12 Synaptics.exe 2 2->12         started        15 EXCEL.EXE 8 10 2->15         started        process3 dnsIp4 47 C:\Users\user\...\._cache_Hag4TPW3Ue.exe, PE32 8->47 dropped 49 C:\ProgramData\Synaptics\Synaptics.exe, PE32 8->49 dropped 51 C:\ProgramData\Synaptics\RCX1CAC.tmp, PE32 8->51 dropped 53 C:\...\Synaptics.exe:Zone.Identifier, ASCII 8->53 dropped 83 Antivirus detection for dropped file 8->83 85 Machine Learning detection for dropped file 8->85 17 Synaptics.exe 35 8->17         started        22 ._cache_Hag4TPW3Ue.exe 8->22         started        63 192.168.2.1 unknown unknown 12->63 55 C:\ProgramData\...\._cache_Synaptics.exe, PE32 12->55 dropped 24 ._cache_Synaptics.exe 12->24         started        file5 signatures6 process7 dnsIp8 57 xred.site50.net 153.92.0.100, 49732, 49733, 80 AWEXUS Germany 17->57 59 googlehosted.l.googleusercontent.com 216.58.208.129, 443, 49716, 49717 GOOGLEUS United States 17->59 61 10 other IPs or domains 17->61 39 C:\Users\user\Documents\IPKGELNTQY\~$cache1, PE32 17->39 dropped 41 C:\Users\user\Desktop\Hag4TPW3Ue.exe, PE32 17->41 dropped 43 C:\Users\user\Desktop\._cache_Synaptics.exe, PE32 17->43 dropped 45 3 other malicious files 17->45 dropped 73 Antivirus detection for dropped file 17->73 75 Multi AV Scanner detection for dropped file 17->75 77 Drops PE files to the document folder of the user 17->77 79 Contains functionality to detect sleep reduction / modifications 17->79 26 ._cache_Synaptics.exe 17->26         started        29 WerFault.exe 17->29         started        31 WerFault.exe 17->31         started        81 Machine Learning detection for dropped file 22->81 33 WerFault.exe 20 9 22->33         started        35 WerFault.exe 24->35         started        file9 signatures10 process11 signatures12 87 Antivirus detection for dropped file 26->87 89 Multi AV Scanner detection for dropped file 26->89 91 Machine Learning detection for dropped file 26->91 37 WerFault.exe 17 9 26->37         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35932eeee29750e11e5f50f5600fc9711c5cfce787edc77a7c9b1d09f7ebca2d/
Threat name:
Win32.Backdoor.GrayBird
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:22:03 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
07cdb4b2878090bfe4819f0619b872c5fcee4922cff4008688bf19578e80c076
1a64802e01d94712cb6daf8339296b78cf0a7a81251e80937d01d975b31938dc
252ed32b4eaa2631fd004cb2124b6fd02a76f729a78ca51354cef21dd69f8cb5
422761ce807ba569d378b3130493e84a531d310d1ed8e0559d6313fdf91cd5b0
4a398178279e2a5f10d642314a3d091872797ea1746f37a3771eaf85a5f764e3
664b7a3c0a0f414b711f0b0f632669de0dac794fd029cb13f3b292717d3c7196
d8d750910aac8726d8cb50476b6a5b6635e6d8ce3ecd02d562c637269d1a1088
eaf4c919002576a1aa5c7729d2f953d8c0fcc2c4d34b3597ec15c207ef026e05
fe19c0cd68bc2cf6045a8a0585ec0ed3f520d4093032f6a05759b8c408b5cce3
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence upx
Link:
https://tria.ge/reports/201115-6vappeg75s/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Program crash
Adds Run key to start application
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
UPX packed file
ServiceHost packer
Unpacked files
SH256 hash:
35932eeee29750e11e5f50f5600fc9711c5cfce787edc77a7c9b1d09f7ebca2d
MD5 hash:
6e3032465ebb908691af047b9a146f38
SHA1 hash:
0d81f9c482df69335585802e96c4ca1f302aa735
Link:
https://www.unpac.me/results/912085b3-09ee-415a-9381-e7d39d1d7c81/
SH256 hash:
fcd00a159a08bc653c791cf67ab41d78034d86f308d8883dbb0700df7072c2d7
MD5 hash:
6cd7f02729dc3f42c1f4aade75bd01a9
SHA1 hash:
476a482a5fd606221e0c384fcb34590d876c8bbb
Link:
https://www.unpac.me/results/912085b3-09ee-415a-9381-e7d39d1d7c81/
SH256 hash:
a755b53a5d330e510e5351445e04d0b60a7156a27e7a45e6347ed8b57697f4a4
MD5 hash:
29e38d3827596365efcc0e74703bd381
SHA1 hash:
148712b6d7d55647fecea1e06a0d48e3c6e4dab8
Link:
https://www.unpac.me/results/912085b3-09ee-415a-9381-e7d39d1d7c81/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/912085b3-09ee-415a-9381-e7d39d1d7c81/
SH256 hash:
ded773780f4e41c2e4afce73070f84fffc4174959acd2ed2a30e0e70225e6793
MD5 hash:
a16b56cac81a010cde16db424e2c65fd
SHA1 hash:
f968bc81181f131efc2d4461b21a630048d747c4
Link:
https://www.unpac.me/results/912085b3-09ee-415a-9381-e7d39d1d7c81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35932eeee29750e11e5f50f5600fc9711c5cfce787edc77a7c9b1d09f7ebca2d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments