MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46db2cb734082006aa792fac99e35f17a012b0ca0d530563d5fe2a2d30a996b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	46db2cb734082006aa792fac99e35f17a012b0ca0d530563d5fe2a2d30a996b4
SHA3-384 hash:	ca8a49b4d5cf8e7ff8d671d555a72131d80ab4abd2dcc366152a790c37bc57425cb0f5a69becb5c03abb15512d0e9ea1
SHA1 hash:	169052f8e80bf3858f8b744a2a591622b64fbf91
MD5 hash:	585dc08713bd5c4993f82372fab19124
humanhash:	burger-illinois-virginia-nebraska
File name:	585dc08713bd5c4993f82372fab19124.exe
Download:	download sample
File size:	1'388'544 bytes
First seen:	2023-02-01 14:46:21 UTC
Last seen:	2023-02-01 16:51:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	edc6c3de5dcea9514b11905219670b4c
ssdeep	24576:SlxObwiWk8Ty80JGTom2s8iQ+FVu1YteAqE9DpQGjl314ZD3bQ2jgcMFS:SlgwXm8PMEb5F4IeAvUGhF4l02oF
Threatray	4'058 similar samples on MalwareBazaar
TLSH	T14B55128DB3E604F9C41BD23A8AC69625E2F3741947B443DF57248B769F0A7F2263A341
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

585dc08713bd5c4993f82372fab19124.exe

Verdict:

Malicious activity

Analysis date:

2023-02-01 14:54:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eb51bbc3-20e3-4e07-b0db-494c4fe61084

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/359067/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65244697.19101.4953.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Сreating synchronization primitives

Sending a UDP request

Creating a file in the drivers directory

Creating a service

Loading a system driver

Creating a file in the Windows subdirectories

Moving a file to the drivers directory

Searching for synchronization primitives

Replacing files

Changing a file

Sending an HTTP GET request

Sending a custom TCP request

Enabling autorun for a service

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/64524/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

shell32.dll

Link:

https://www.filescan.io/uploads/63da7b672d4f6d560e23f167/reports/b6a2019d-6410-443c-9cc4-60aed5caea72/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/fc499640-26a3-4d23-8df7-325bec09708f

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1163300

Signature

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Contain functionality to detect virtual machines

Detected VMProtect packer

Drops executable to a common third party application directory

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample is not signed and drops a device driver

Sample is protected by VMProtect

Snort IDS alert for network traffic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/46db2cb734082006aa792fac99e35f17a012b0ca0d530563d5fe2a2d30a996b4/

Threat name:

Win64.Trojan.Tedy

Status:

Malicious

First seen:

2023-01-23 11:54:40 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 39 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i3nsznzubaqanktzf6wjty27c6qbfmgkbvjqky6v7yvc2mfjs22a._file

Verdict:

malicious

23c9fe013be7bed47c421bb84e272c492787dc16d773596263d4f25f638d8e6f

2eacb4a0ed8066b690c4173bf308d3144076daa9fa545f361731907b2842d698

3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483

a637dbaba86125c4fdaf3b0e01462f0e8c6e51faa6f678e08df1ef991bf4d29c

cd3005a4493f4ca278985f4a25ceee50b851f8cb82157984111f8dd3ac80fb54

d1cdb6b3145e1b6d65ef1d8f5864484678e0436b34d8c8e674471332c11b099e

d89d94282170e98d32127e2c87754a1badf527018da2cb9338c3e5e6487e90c2

+ 4'048 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence spyware stealer

Link:

https://tria.ge/reports/230201-r5vyxaca7z/

Behaviour

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Maps connected drives based on registry

Reads user/profile data of web browsers

Unexpected DNS network traffic destination

Drops file in Drivers directory

Sets service image path in registry

Unpacked files

SH256 hash:

46db2cb734082006aa792fac99e35f17a012b0ca0d530563d5fe2a2d30a996b4

MD5 hash:

585dc08713bd5c4993f82372fab19124

SHA1 hash:

169052f8e80bf3858f8b744a2a591622b64fbf91

Link:

https://www.unpac.me/results/4169f55e-32d2-4f1c-9918-c8ed53ec37c8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/46db2cb734082006aa792fac99e35f17a012b0ca0d530563d5fe2a2d30a996b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/359067/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample