MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 49444feec95481546d0376dfbb73e3bdf91159798996811c5b63384cdbd387f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 10
| SHA256 hash: | 49444feec95481546d0376dfbb73e3bdf91159798996811c5b63384cdbd387f1 |
|---|---|
| SHA3-384 hash: | c39eec3666b3664c8e896f75ee08b7e5f2789eb2d4ff603c722d99af8b3b1dad3429342f03b57bf945a18d2ab30df07c |
| SHA1 hash: | 545d6bbb32fa35ac01f70dc0d0065107498a35a5 |
| MD5 hash: | 5002b9e3880480c4efa3230543b8b0f0 |
| humanhash: | two-fruit-florida-delta |
| File name: | virussign.com_5002b9e3880480c4efa3230543b8b0f0 |
| Download: | download sample |
| File size: | 263'031 bytes |
| First seen: | 2022-07-15 16:35:21 UTC |
| Last seen: | 2024-07-24 13:51:43 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 5d90989f29f36dacd92090770e1f3b9e |
| ssdeep | 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6v:Plf5j6zCNa0xeE3m+ |
| Threatray | 3 similar samples on MalwareBazaar |
| TLSH | T19E4413C2A2D95AA6FCC619771A27DFC42B96FE3119C609117A44B17F09F7380AE13323 |
| TrID | 35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6) 35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.9% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | e0e4a2aaa4b8a888 (10 x DarkWatchman, 5 x SnakeKeylogger, 5 x Formbook) |
| Reporter |  KdssSupport |
| Tags: | exe |
Intelligence
File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
virussign.com_5002b9e3880480c4efa3230543b8b0f0
Verdict:
Suspicious activity
Analysis date:
2022-07-16 03:32:46 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the Windows directory
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Searching for the window
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Changing the Windows explorer settings to hide files extension
Blocking a possibility to launch for cmd.exe command interpreter
Blocking the Windows File Protection
Enabling autorun
Blocking the Windows Security Center notifications
Blocking the System Restore
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling a "Do not show hidden files" option
Enabling threat expansion on mass storage devices
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.evad
Score:
96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes autostart functionality of drives
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Disables the Windows registry editor (regedit)
Disables Windows system restore
Drops executables to the windows directory (C:\Windows) and starts them
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Threat name:
Win32.Worm.YaLove
Status:
Malicious
First seen:
2022-07-10 01:51:35 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
26 of 26 (100.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Result
Malware family:
n/a
Score:
10/10
Tags:
evasion persistence spyware stealer trojan upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Modifies WinLogon
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Disables RegEdit via registry modification
Executes dropped EXE
UPX packed file
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
Windows security bypass
Unpacked files
SH256 hash:
49444feec95481546d0376dfbb73e3bdf91159798996811c5b63384cdbd387f1
MD5 hash:
5002b9e3880480c4efa3230543b8b0f0
SHA1 hash:
545d6bbb32fa35ac01f70dc0d0065107498a35a5
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
exe 49444feec95481546d0376dfbb73e3bdf91159798996811c5b63384cdbd387f1
(this sample)
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.