MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35acc5c3d6caa14ca1b818c59d3b7831513bce46f83e1d6ba60a041bf7fed6fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 35acc5c3d6caa14ca1b818c59d3b7831513bce46f83e1d6ba60a041bf7fed6fc
SHA3-384 hash: 49dc18e557b9e65abd8d28addbcd54a351cbdd527d7f35c4f5398b85cc40c580c939a7f6db66702d4f5781be3d2ef8f3
SHA1 hash: 8fb5d8f092aa8df3bc9c3eb6136edf0d92692bf7
MD5 hash: 94803590943afe3ca0b89f7f9d3a1cca
humanhash: jupiter-comet-gee-mockingbird
File name: 94803590943afe3ca0b89f7f9d3a1cca.exe
File size: 3'714'048 bytes
First seen: 2021-03-13 08:33:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:Rviz/27qWGq/TzuqCDl2Ptao7j4cXu50JNC:Rviq75/Tzufi+uNC
Threatray: 23 similar samples on MalwareBazaar
TLSH: 22063343E6DC002BE470137028FE23D71AA5BC7152789B4AB18F759F485A4B176B2FE6
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 110
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 94803590943afe3ca0b89f7f9d3a1cca.exe
Verdict: Malicious activity
Analysis date: 2021-03-13 08:34:16 UTC
Tags: trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a process from a recently created file
Creating a window
Delayed reading of the file
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
DNS request
Launching a process
Sending a UDP request
Searching for the window
Deleting a recently created file
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Found C&C like URL pattern
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph ID: 368240
Sample: eGqE1Nz31K.exe
Startdate: 13/03/2021
Architecture: WINDOWS
Score: 88
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Found C&C like URL pattern; 3 other signatures
Process tree (indentation marks which process started which):
eGqE1Nz31K.exe
  dropped: C:\Users\user\AppData\Local\Temp\...\CDS.exe (PE32); C:\Users\user\AppData\Local\...\lua51.dll (PE32); C:\Users\user\AppData\Local\...\lua5.1.dll (PE32)
  CDS.exe
    dropped: C:\Users\user\AppData\Local\...\crypted.exe (PE32)
    crypted.exe (signature: Machine Learning detection for dropped file)
      svchost.exe (network: kaif-tut.com 92.63.192.98, ports 49715, 49720, 49721, ITDELUXE-ASRU, Russian Federation; signature: System process connects to network (likely due to code injection or exploit))
      cmd.exe
        conhost.exe
        reg.exe
      conhost.exe
svchost.exe (DNS: kaif-tut.com; signature: System process connects to network (likely due to code injection or exploit))
  conhost.exe
svchost.exe (signature: Changes security center settings (notifications, updates, antivirus, firewall))
  MpCmdRun.exe
    conhost.exe
11 other processes (network: kaif-tut.com, 127.0.0.1, 192.168.2.1)
  conhost.exe
Threat name: Win32.Backdoor.Bladabhindi
Status: Malicious
First seen: 2021-03-13 00:03:35 UTC
AV detection: 13 of 28 (46.43%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 3c1306a82536173b4ea4aebd2c5c3e47db9923cb6f01a2b79da1bb97f88b0d47
MD5 hash: a46724d852a3bc0aaa90a164c2200224
SHA1 hash: a2cc9709fef5ad26013a1262b77ef99fc9bc4cd3

SHA256 hash: 7fc99c7600b2ec52adba45a94249e0acd07e22bee99bb325127267fe5b863b53
MD5 hash: b5c532185727e2257cd7092f52ce5569
SHA1 hash: b243172885990323699909df5d37db00ef6f128f

SHA256 hash: 2178899e5d102adc205d8c79c6b62f2f58ee048fa8e30c5ede48bbbf2c91ddf6
MD5 hash: b9009506959389fbd7fd4cb60cc56a09
SHA1 hash: 7b56cbd6a9cfd3b55487424e5e36910cd652dafd

SHA256 hash: 35acc5c3d6caa14ca1b818c59d3b7831513bce46f83e1d6ba60a041bf7fed6fc
MD5 hash: 94803590943afe3ca0b89f7f9d3a1cca
SHA1 hash: 8fb5d8f092aa8df3bc9c3eb6136edf0d92692bf7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is greater than the local current time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 35acc5c3d6caa14ca1b818c59d3b7831513bce46f83e1d6ba60a041bf7fed6fc (this sample)
Delivery method: Distributed via web download

Comments