MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44bb21418b1de5b467f42559fa14ef105543db5cbe0ac033100bb1c1cf2589da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	44bb21418b1de5b467f42559fa14ef105543db5cbe0ac033100bb1c1cf2589da
SHA3-384 hash:	1a56448515bb8fdf4e257e9c46000f1f84be9a0c1c0ee2625007c97e964ef95b7136e09cbc01d74e538fa0bcdfccdeea
SHA1 hash:	ac6f67be81cd07ff44af348f2164c4295dc67b0e
MD5 hash:	578f01f72e6bfdcb8f942a10aba86c26
humanhash:	hamper-zebra-summer-spring
File name:	file
Download:	download sample
File size:	167'424 bytes
First seen:	2022-08-27 10:18:47 UTC
Last seen:	2022-08-27 11:09:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2ebef10eee7ef22eee1fd7304987abf9
ssdeep	3072:nRQseWCZKxWOTbxHl/lM7BoOfnwrvqBKTO9Ue+4NqpsVDb8:nPCZCWaxHl/lwBpwrvqsRakA
Threatray	1 similar samples on MalwareBazaar
TLSH	T18BF34A1BF7A920F5D5BAA13894911A0AE771787287615BEF4360477A1F233D0BE3EB10
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	dc987860f0f2910f (4 x Metasploit)
Reporter	andretavare5
Tags:	exe

andretavare5

Sample downloaded from http://163.123.143.4/WW/DiskView.exe

Intelligence

File Origin

# of uploads :

# of downloads :

312

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-08-27 10:21:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a9ea2cb3-3dea-41df-b02b-bf3bc45e1599

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/301586/

Detection(s):

SecuriteInfo.com.Program.Win32.Wacapew.Cml.28360.6807.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

Creating a file

Searching for the window

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/30298/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Result

Verdict:

MALICIOUS

Details

Base64 Encoded Powershell Directives

Detected one or more base64 encoded Powershell directives.

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2b68aaf0-7a45-46fe-b84d-0a7b541237ba

Result

Threat name:

Unknown

Detection:

clean

Classification:

n/a

Score:

4 / 100

Link:

https://www.joesandbox.com/analysis/1058872

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/44bb21418b1de5b467f42559fa14ef105543db5cbe0ac033100bb1c1cf2589da/

Threat name:

Win64.Trojan.Leonem

Status:

Malicious

First seen:

2022-08-27 10:19:06 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=is5scqmldxs3iz7uevm7ufhpcbkuhw24xyfmamyqboy4dtzfrhna._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220827-mchewsafa5/

Unpacked files

SH256 hash:

44bb21418b1de5b467f42559fa14ef105543db5cbe0ac033100bb1c1cf2589da

MD5 hash:

578f01f72e6bfdcb8f942a10aba86c26

SHA1 hash:

ac6f67be81cd07ff44af348f2164c4295dc67b0e

Link:

https://www.unpac.me/results/a101fd6a-8ac4-47fa-bde4-aa51d9615d3e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/44bb21418b1de5b467f42559fa14ef105543db5cbe0ac033100bb1c1cf2589da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/301586/

URLhaus

https://urlhaus.abuse.ch/url/2280646/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample