MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a2bf257d6c6ecb246abd6e50163f126ea4683ffaca7d20fbd861ddfa3dfe0a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a2bf257d6c6ecb246abd6e50163f126ea4683ffaca7d20fbd861ddfa3dfe0a5
SHA3-384 hash: 90d0e51e0d60ab702cde6ba68f609060826cb175d012145d61c7d909e57ad3bc7e45fef06bfb060b02a8142c7d2d5e63
SHA1 hash: adf9dd03fad70cd2493889c97814b1e7090604f6
MD5 hash: 0e2a4765d5e77ea83afaaf74b4ebee61
humanhash: wyoming-johnny-apart-saturn
File name:0e2a4765d5e77ea83afaaf74b4ebee61.exe
Download: download sample
File size:3'240'960 bytes
First seen:2023-05-08 08:37:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ecfbe6e42943fae92c4582752c63b2b
ssdeep 98304:kSJF1MQUm126K6cmRMiypcBIdZAqsZ4Ex:kg1MHRbzmmFndZAqsZ4M
TLSH T1B6E522A434F87563FA0878700B2B5EF768F1B9B325084C17DB9E34AB426DF69F025166
TrID 54.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
8.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.8% (.EXE) Win32 Executable (generic) (4505/5/1)
3.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0e2a4765d5e77ea83afaaf74b4ebee61.exe
Verdict:
Malicious activity
Analysis date:
2023-05-08 08:44:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fc59dc84-c9a2-4a7a-8b1a-3604bfdf1835

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387476/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1317155.7890.27101.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug greyware packed
Link:
https://www.filescan.io/uploads/6458b4ed36a9691aaede2a5e/reports/5c57e308-bfd8-4db2-be98-2d39fb0f2ccd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3a2bf257d6c6ecb246abd6e50163f126ea4683ffaca7d20fbd861ddfa3dfe0a5
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/02299eb3-e93e-465d-9f35-28aba9d258df
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1228110
Signature
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Creates autostart registry keys with suspicious names
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 861074 Sample: 31b57PMNSc.exe Startdate: 08/05/2023 Architecture: WINDOWS Score: 80 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Machine Learning detection for sample 2->57 7 31b57PMNSc.exe 1 3 2->7         started        11 WindowsHolographicDevicesDesktop-ver7.9.9.1.exe 2->11         started        13 WindowsHolographicDevicesDesktop-ver7.9.9.1.exe 2->13         started        process3 file4 49 WindowsHolographic...ktop-ver7.9.9.1.exe, PE32 7->49 dropped 51 WindowsHolographic...exe:Zone.Identifier, ASCII 7->51 dropped 59 Creates autostart registry keys with suspicious names 7->59 61 Contain functionality to detect virtual machines 7->61 63 Hides threads from debuggers 7->63 15 WindowsHolographicDevicesDesktop-ver7.9.9.1.exe 7->15         started        18 WerFault.exe 16 7->18         started        21 WerFault.exe 16 7->21         started        31 2 other processes 7->31 23 WerFault.exe 21 11->23         started        25 WerFault.exe 21 11->25         started        27 WerFault.exe 21 11->27         started        29 WerFault.exe 13->29         started        33 2 other processes 13->33 signatures5 process6 file7 65 Detected unpacking (creates a PE file in dynamic memory) 15->65 67 Hides threads from debuggers 15->67 35 WerFault.exe 16 15->35         started        37 WerFault.exe 19 16 15->37         started        39 WerFault.exe 16 15->39         started        41 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->41 dropped 43 C:\ProgramData\Microsoft\...\Report.wer, Unicode 21->43 dropped 45 C:\ProgramData\Microsoft\...\Report.wer, Unicode 31->45 dropped 47 C:\ProgramData\Microsoft\...\Report.wer, Unicode 31->47 dropped signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a2bf257d6c6ecb246abd6e50163f126ea4683ffaca7d20fbd861ddfa3dfe0a5/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Suspicious
First seen:
2023-05-07 21:28:52 UTC
File Type:
PE (Exe)
AV detection:
18 of 37 (48.65%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hiv7ev6wy3wlervl23sqcy7re3vena77vst5ed55qyo57i674csq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230508-kjqnqshg44/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
3a2bf257d6c6ecb246abd6e50163f126ea4683ffaca7d20fbd861ddfa3dfe0a5
MD5 hash:
0e2a4765d5e77ea83afaaf74b4ebee61
SHA1 hash:
adf9dd03fad70cd2493889c97814b1e7090604f6
Link:
https://www.unpac.me/results/7f2b02de-fdd0-49f1-9046-e541839f6acc/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3a2bf257d6c6ecb246abd6e50163f126ea4683ffaca7d20fbd861ddfa3dfe0a5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2580611/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/387476/

Comments