MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40156767b7c2d016c2727e539746c2b8dcb89ef8b535a6815cec5b0b39197bd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40156767b7c2d016c2727e539746c2b8dcb89ef8b535a6815cec5b0b39197bd4
SHA3-384 hash: dd127175bbbd750f5ce59cfe1c3def92791744acca3bfd034200fd3158970fb55da38b1db8e555fb4081076030d3eccd
SHA1 hash: 3f6cac28cad4c94b063881d901d036158c8ced73
MD5 hash: 00a87f9901db25ade894ab06f25805ee
humanhash: undress-early-orange-kansas
File name:00a87f9901db25ade894ab06f25805ee.exe
Download: download sample
File size:1'910'706 bytes
First seen:2022-11-10 12:34:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 49152:KyGjMY7PjRCaPCAPCcGi7Y8dDBGNQva9JVCttUQr:Kys7PFdPDPOD2va9XOhr
Threatray 2'309 similar samples on MalwareBazaar
TLSH T1E4952312FBC58872E531593016B5A730293EBC205B354ACF63E86E2E9E705C1DA35BB7
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00a87f9901db25ade894ab06f25805ee.exe
Verdict:
Malicious activity
Analysis date:
2022-11-10 12:42:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6254ac45-aaef-4f19-b5d1-4fef49a2ca4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331927/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.44081008.21193.10752.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/50932/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/636ceffb4834ec1f25eecb00/reports/45dae66b-07ea-4330-9799-b7b1ebc45875/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b54f981a-3580-4506-9d50-8faaa08eb23c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1110366
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40156767b7c2d016c2727e539746c2b8dcb89ef8b535a6815cec5b0b39197bd4/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-10 12:35:17 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iakwoz5xylibnqtspzjzorwcxdolrhxywu22nak45rnqwoizppka._file
Verdict:
malicious
Similar samples:
38066ee9fea009a8a6c2575e1a05fadd49a2cfe205dd8a6604eea85f5c7a42bd
5bd7a1d3894b770b58190bfb3c6020344ce47389ccdc5b080cff9d23718ff4b3
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
7aa19913253d9a036b10df1f8f0bdb25567edda11fe99050d85a47249142bec2
85bf8cdcb77b76ba481a9f230bd4ae942861618be7bdf6b4e45797a834a396e7
8629c6d83161280020e6f02a08da3b29b5eed6a19717b03c021048e9b57b8ef9
db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b
f517c9576d21eb344a419f39255d835248e794b1b2d4951a0bbe185f20a04c4c
+ 2'299 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221110-psc68ahha5/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/70729207-6eb5-4e63-925d-0704f988f2cb
Unpacked files
SH256 hash:
7d0fb376cf69c48c599cd79edb2641acfc1fcddc6974e01a366a023471b55762
MD5 hash:
812eb8af49ebdf5260a01d826f6897a1
SHA1 hash:
bf4552eb0c33f7e80162e7aa6a337b532f0bab84
Link:
https://www.unpac.me/results/ac798d46-a976-4ad8-b1d5-d699e20c82cb/
SH256 hash:
a3caaafdee34cbae030cc3151e6173c9d5bc931d3740261deacba14a633ff61e
MD5 hash:
d34f1ad9a835e272eadc2740cc70556d
SHA1 hash:
8ba03a4917ad24cf91ee4e4e2d84e972f26f465e
Link:
https://www.unpac.me/results/ac798d46-a976-4ad8-b1d5-d699e20c82cb/
SH256 hash:
40156767b7c2d016c2727e539746c2b8dcb89ef8b535a6815cec5b0b39197bd4
MD5 hash:
00a87f9901db25ade894ab06f25805ee
SHA1 hash:
3f6cac28cad4c94b063881d901d036158c8ced73
Link:
https://www.unpac.me/results/ac798d46-a976-4ad8-b1d5-d699e20c82cb/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/40156767b7c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40156767b7c2d016c2727e539746c2b8dcb89ef8b535a6815cec5b0b39197bd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 40156767b7c2d016c2727e539746c2b8dcb89ef8b535a6815cec5b0b39197bd4

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/331927/
  
URLhaus
https://urlhaus.abuse.ch/url/2405964/
  
Delivery method
Distributed via web download

Comments