MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35972ee59b320666b4a57606c57aaba684d63633e32b28950a7ba6a76462f521. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	35972ee59b320666b4a57606c57aaba684d63633e32b28950a7ba6a76462f521
SHA3-384 hash:	eb7791f233cb1dedab4410e6dabfc6906e58f2d063f87dfbb54b416bd501aede3ab0c5ff561fe860253dc5ef52e56661
SHA1 hash:	15cd1757c28d13240668b0a84cb539909faad654
MD5 hash:	f4b8841b3d34b24b95c882aec95ebba9
humanhash:	nuts-stairway-carpet-ohio
File name:	Order.scr
Download:	download sample
File size:	2'549'248 bytes
First seen:	2023-02-10 07:09:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:t+ivKEdaMEGUWHrektUSNKJ0RKHsL4lJvJR:
Threatray	2'343 similar samples on MalwareBazaar
TLSH	T112C518B4A4BB85DAE40FCAC01ABCFDE5067271F3CDD108A4536D76444F3BEA8AE0554A
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	lowmal3
Tags:	exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

199

Origin country :

DE

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

Order.scr

Verdict:

Malicious activity

Analysis date:

2023-02-10 07:12:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c1225738-b97a-4e12-9467-e4a001d93977

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/363229/

ClamAV Detected

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Suspicious

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Running batch commands

Using the Windows Management Instrumentation requests

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

remcos

Link:

https://www.filescan.io/uploads/63e5edce459bcf4604005553/reports/3f5a86c2-b29d-45a3-9d81-b6c486d83925/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/35972ee59b320666b4a57606c57aaba684d63633e32b28950a7ba6a76462f521

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/8b9c97a2-272f-48c4-8f8c-b3efb1e03817

Joe Sandbox malicious

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1170928

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Encrypted powershell cmdline option found

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/35972ee59b320666b4a57606c57aaba684d63633e32b28950a7ba6a76462f521/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Scarsi

Threat name:

ByteCode-MSIL.Trojan.Scarsi

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-02-09 00:33:12 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

1

AV detection:

19 of 26 (73.08%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gwls5zm3gidgnnffoydmk6vlu2cnmnrt4mvsrfikpotkozdc6uqq._file

Threatray malicious

Verdict:

malicious

Similar samples:

243649be893511b111872619c1710fd84d6a75db38bf63dcb2193544f7cd5ff7

305e9aa2df19b77ad92b897543e803b5dea0c851b37cf8c9b4e2206282343946

94dcd9eb97aa7ef0957f20728ef38d1b95c9fc6f16c1467c752e019046ea882b

a67d4cdb218d6e7106b4efef10d24fdd69025b556df74549921e3d4156201084

b5d3b92d36198035df9370027e3e1e269f9757c4006a1b4eda2dd5575caa4d24

d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36

dfa4b25bb9a1534192d30dc3f10acd6a72c21a36bfaecae14c5d7a22dff88fd5

e876ad440761c60b772b110b7e6f08c4e156ebdb17d78c55aa4594edc65ff78a

+ 2'333 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

n/a

Link:

https://tria.ge/reports/230210-hzdm1ahb23/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

UnpacMe

Unpacked files

SH256 hash:

35972ee59b320666b4a57606c57aaba684d63633e32b28950a7ba6a76462f521

MD5 hash:

f4b8841b3d34b24b95c882aec95ebba9

SHA1 hash:

15cd1757c28d13240668b0a84cb539909faad654

Link:

https://www.unpac.me/results/0f3c3a34-9fed-45a6-b0c8-70d2ebf73b46/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Suspicious File

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/35972ee59b320666b4a57606c57aaba684d63633e32b28950a7ba6a76462f521

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 35972ee59b320666b4a57606c57aaba684d63633e32b28950a7ba6a76462f521

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/363229/