MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44f40b79a12c1665987fe0d6158731d79e7ec9662dd7b30b9e0c63a2c56667ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44f40b79a12c1665987fe0d6158731d79e7ec9662dd7b30b9e0c63a2c56667ec
SHA3-384 hash: 9b6dbb0b88c908bee20159292d3acb84923df79a31d17fa09d2faca62ebdd9007f338838444ee161b1d6759e21109a41
SHA1 hash: 6d84750e42c242ab2461c673ac8b2ca2d766ca41
MD5 hash: d996db1d2481bb287b2adb466beba234
humanhash: eighteen-orange-august-lithium
File name:Nightmangle
Download: download sample
File size:958'464 bytes
First seen:2024-11-13 13:25:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 54047facc5e73f904435ab194951fc26
ssdeep 24576:cWZTxUOmOdajOpFBvvgLn+xHjO9ZJUfYrrW:cwvgb+xHjO9Zlr
Threatray 5 similar samples on MalwareBazaar
TLSH T13115190BE3B344E8C56AC97886A39631B935BC1941387E2E5FD4D7311F20E509BAFB19
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
4'625
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Nightmangle
Verdict:
No threats detected
Analysis date:
2024-11-13 13:37:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f1a88315-5059-46f6-8990-c99d430d61fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.RansomX-gen.12840.12150.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67351a5f34b6906b348294b8
Tags:
ransomware virus gates
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Changing a file
Modifies multiple files
Modifying an executable file
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Creating a file in the mass storage device
Enabling autorun by creating a file
Encrypting user's files
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug expand lolbin ransomware rundll32
Link:
https://www.filescan.io/uploads/6734a8ec9b14cf4ddf5a4594/reports/86c31d6f-617a-47dc-96f0-8f47b9e39044/overview
Verdict:
Malicious
Labled as:
Trojan.Havokiz.Marte.E.Generic
Link:
https://www.hybrid-analysis.com/sample/44f40b79a12c1665987fe0d6158731d79e7ec9662dd7b30b9e0c63a2c56667ec
Malware family:
AwfulRobber
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87ca26ef-0651-4899-8e35-4025b5e44a6e
Result
Threat name:
TrojanRansom
Create hunting rule
Detection:
malicious
Classification:
rans.spre
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1555149
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected TrojanRansom
Behaviour
Behavior Graph:
Download SVG
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/44f40b79a12c1665987fe0d6158731d79e7ec9662dd7b30b9e0c63a2c56667ec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44f40b79a12c1665987fe0d6158731d79e7ec9662dd7b30b9e0c63a2c56667ec/
Threat name:
Win64.Trojan.HavokizMarte
Create hunting rule
Status:
Malicious
First seen:
2024-04-20 15:52:54 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=it2aw6nbfqlglgd74dlblbzr26ph5slgfxl3gc46brr2frlgm7wa._file
Verdict:
malicious
Label(s):
coffloader
Create hunting rule
Similar samples:
30390db8ef77afdb6add86f7f2990a142823401078ab237020933d0423374b27
44f40b79a12c1665987fe0d6158731d79e7ec9662dd7b30b9e0c63a2c56667ec
6e5887670a74b010bff1c5bc11e936b392a12ed48a6afd796bd712c2594d423b
7a93184b91ab6cdad22df79dd252d90fd3bc714f0b4feff114069fa4bb830955
error
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access discovery ransomware spyware stealer
Link:
https://tria.ge/reports/241113-qph4qssgqn/
Behaviour
Browser Information Discovery
Drops file in Program Files directory
Drops desktop.ini file(s)
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Reads user/profile data of web browsers
Renames multiple (8609) files with added filename extension
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a2a68ac2-148f-4e3a-9c8f-ff8700227695
Unpacked files
SH256 hash:
44f40b79a12c1665987fe0d6158731d79e7ec9662dd7b30b9e0c63a2c56667ec
MD5 hash:
d996db1d2481bb287b2adb466beba234
SHA1 hash:
6d84750e42c242ab2461c673ac8b2ca2d766ca41
Link:
https://www.unpac.me/results/c1833032-574a-4776-b4e3-435171fdc379/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44f40b79a12c1665987fe0d6158731d79e7ec9662dd7b30b9e0c63a2c56667ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Windows_Hacktool_COFFLoader_81ba13b8
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::RevertToSelf
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::SetThreadToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileMappingA
SHLWAPI.dll::PathRemoveFileSpecA

Comments