MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 436c945c55202a8312a042886f9131aff9aa3ce2730d81089c4bb3036ff41990. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 436c945c55202a8312a042886f9131aff9aa3ce2730d81089c4bb3036ff41990
SHA3-384 hash: 7ffb1e419bc194cf250d3beeff49326ba8ec7d5663eb6647b8e3543fa74a69726d350d7b57aad860d8dadda863b163eb
SHA1 hash: 73e26b33cf68d42e75a78da26092c5114d1402de
MD5 hash: 8a581e21c06dfd34d3b5859983503249
humanhash: eight-blue-lion-lake
File name:8a581e21c06dfd34d3b5859983503249
Download: download sample
File size:28'160 bytes
First seen:2024-10-19 21:53:21 UTC
Last seen:2024-10-19 23:42:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 384:zjvGBJcTH7APugo2Hgm2cMbt4kwZFT2g9TCLFJGL/sQwtgHv2rzGek5arEEjD8Zq:PnHp5bOkIV97LstgP2rvE9ZEscnvr
TLSH T1DBC2084462DC8833EE9F5BFC9861429247728367DA12F34E5CCCE2D4194BB4696087EF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
404
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8a581e21c06dfd34d3b5859983503249
Verdict:
Malicious activity
Analysis date:
2024-10-19 21:55:29 UTC
Tags:
loader privateloader
Link:
https://app.any.run/tasks/a9608bbe-adc4-4c76-8540-0b0fe43ba7bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.32193.21277.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/67142a7ab21b1aa5a918da73/reports/70df70f8-9966-417c-a39d-b2518e1818f5/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/436c945c55202a8312a042886f9131aff9aa3ce2730d81089c4bb3036ff41990
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d274ab4f-fdd2-4e91-b3a9-e0c9d428e2ef
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1537899
Signature
AI detected suspicious sample
Creates multiple autostart registry keys
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1537899 Sample: N2ER4ZENF1.exe Startdate: 19/10/2024 Architecture: WINDOWS Score: 76 38 yalubluseks.eu 2->38 42 Multi AV Scanner detection for submitted file 2->42 44 Sigma detected: New RUN Key Pointing to Suspicious Folder 2->44 46 Machine Learning detection for sample 2->46 48 AI detected suspicious sample 2->48 8 N2ER4ZENF1.exe 1 6 2->8         started        12 BraveBrowser.exe 2->12         started        14 BraveBrowser.exe 2->14         started        16 6 other processes 2->16 signatures3 process4 file5 32 C:\Users\user\AppData\...\BraveBrowser.exe, PE32 8->32 dropped 34 C:\Users\...\BraveBrowser.exe:Zone.Identifier, ASCII 8->34 dropped 36 C:\Users\user\AppData\...362ER4ZENF1.exe.log, CSV 8->36 dropped 56 Creates multiple autostart registry keys 8->56 18 BraveBrowser.exe 248 238 8->18         started        23 WerFault.exe 12->23         started        signatures6 process7 dnsIp8 40 yalubluseks.eu 104.21.54.163, 443, 49730, 49731 CLOUDFLARENETUS United States 18->40 28 C:\Users\user\AppData\Local\...\Chromium.exe, PE32 18->28 dropped 30 C:\Users\...\Chromium.exe:Zone.Identifier, ASCII 18->30 dropped 50 Multi AV Scanner detection for dropped file 18->50 52 Machine Learning detection for dropped file 18->52 54 Creates multiple autostart registry keys 18->54 25 Chromium.exe 18->25         started        file9 signatures10 process11 signatures12 58 Multi AV Scanner detection for dropped file 25->58 60 Machine Learning detection for dropped file 25->60
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/436c945c55202a8312a042886f9131aff9aa3ce2730d81089c4bb3036ff41990
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/436c945c55202a8312a042886f9131aff9aa3ce2730d81089c4bb3036ff41990/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2024-10-19 20:38:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=inwjixcveavigevaikeg7ejrv742uphcomgycce4jozqg37udgia._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/241019-1r69fstapk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0e86af31-7b16-4884-86e6-2193cede2aae
Unpacked files
SH256 hash:
436c945c55202a8312a042886f9131aff9aa3ce2730d81089c4bb3036ff41990
MD5 hash:
8a581e21c06dfd34d3b5859983503249
SHA1 hash:
73e26b33cf68d42e75a78da26092c5114d1402de
Link:
https://www.unpac.me/results/d68107e7-45d2-43b1-8746-e8a50fd6e45f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AlphaCrypt
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/436c945c55202a8312a042886f9131aff9aa3ce2730d81089c4bb3036ff41990

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 436c945c55202a8312a042886f9131aff9aa3ce2730d81089c4bb3036ff41990

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3242952/
  
URLhaus
https://urlhaus.abuse.ch/url/3229735/
  
URLhaus
https://urlhaus.abuse.ch/url/3244684/
  
URLhaus
https://urlhaus.abuse.ch/url/3244687/
  
URLhaus
https://urlhaus.abuse.ch/url/3244716/
  
URLhaus
https://urlhaus.abuse.ch/url/3245222/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-10-19 21:53:23 UTC

url : hxxp://147.45.47.185/css/67065a0933c9e_UUESUpdater.exe