MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 414ad5d3597fae8af743fc7777d376be7ae00f2decd270639dc5667c2a00f3a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash: 414ad5d3597fae8af743fc7777d376be7ae00f2decd270639dc5667c2a00f3a8
SHA3-384 hash: 1a6af03caeee0c1c1db540595510db904a2fd51d8fdc2b9268817fe800b0dc0011e8c1d3352f87f45552729e9d31c075
SHA1 hash: 7234dc7608ba8c01dd0902721dfd3120d512cb8b
MD5 hash: ca81687cf3f2985fcf77c46435d9c178
humanhash: avocado-georgia-muppet-diet
File name:ca81687cf3f2985fcf77c46435d9c178.exe
Download: download sample
File size:2'575'872 bytes
First seen:2022-12-29 07:47:15 UTC
Last seen:2022-12-29 09:33:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 524a20b9dcaf6af98b81c979e05d1d24
ssdeep 49152:QFOy/GJk3oFmJp/zPRJlyrnEbTPDoWZprbsLKXN+JpCMI:QHOczUrnEb7DrZprY2XmpC
Threatray 1 similar samples on MalwareBazaar
TLSH T169C5AEB2FB048272E79121B19D0C5BBF8CC89A31177940C7E2D51A592AE07E37B36797
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e08caab0f0b29679
Reporter abuse_ch
Tags:exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ca81687cf3f2985fcf77c46435d9c178.exe
Verdict:
Malicious activity
Analysis date:
2022-12-29 07:50:43 UTC
Tags:
loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Launching a process
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the Windows directory
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware hacktool
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to inject threads in other processes
Drops executables to the windows directory (C:\Windows) and starts them
Injects files into Windows application
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 775238 Sample: 964c0po2Oc.exe Startdate: 29/12/2022 Architecture: WINDOWS Score: 80 40 Multi AV Scanner detection for domain / URL 2->40 42 Antivirus detection for URL or domain 2->42 44 Multi AV Scanner detection for submitted file 2->44 7 964c0po2Oc.exe 15 2->7         started        process3 dnsIp4 34 auth.unduhfile.my.id 103.178.175.23, 49695, 49696, 80 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 7->34 36 cdn.unduhfile.my.id 7->36 30 C:\Windows\CB.exe, PE32 7->30 dropped 48 Drops executables to the windows directory (C:\Windows) and starts them 7->48 12 CB.exe 7->12         started        17 cmd.exe 1 7->17         started        19 cmd.exe 7->19         started        21 208 other processes 7->21 file5 signatures6 process7 dnsIp8 38 vipenjoyers.xyz 104.21.60.232, 443, 49697 CLOUDFLARENETUS United States 12->38 32 C:\hwid.ini, ASCII 12->32 dropped 50 Performs DNS queries to domains with low reputation 12->50 52 Contains functionality to inject threads in other processes 12->52 23 notepad.exe 12->23         started        26 mode.com 1 17->26         started        28 conhost.exe 19->28         started        file9 signatures10 process11 signatures12 46 Injects files into Windows application 23->46
Threat name:
Win32.Trojan.Lazy
Status:
Malicious
First seen:
2022-11-18 04:23:03 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
91f27c6e65e2c2207c277b7c10e550a567707aed914ea161ce77b43696d88585
MD5 hash:
3e4218ef01628058158b9c1da126492e
SHA1 hash:
9aa5d25a6e75419f89450af684598b0c7502b527
SH256 hash:
414ad5d3597fae8af743fc7777d376be7ae00f2decd270639dc5667c2a00f3a8
MD5 hash:
ca81687cf3f2985fcf77c46435d9c178
SHA1 hash:
7234dc7608ba8c01dd0902721dfd3120d512cb8b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:Base64_decoding
Author:iam-py-test
Description:Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)
Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments