MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a4f33afe3086aa1962d92412fc2166c5e6b565087bbe20cc411dfc0e9ded6a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	4a4f33afe3086aa1962d92412fc2166c5e6b565087bbe20cc411dfc0e9ded6a0
SHA3-384 hash:	8261ffcdfbfd7445950c9cb2bd616119cb0c99338d72744452284157d0c8b1bdcc04139937285203b8039371ee889ffd
SHA1 hash:	4fb59980a15ce7974a796575b762f8f422ce5b07
MD5 hash:	6f665047f3ccce8c93bdd5eead1318de
humanhash:	river-zulu-triple-minnesota
File name:	6f665047f3ccce8c93bdd5eead1318de
Download:	download sample
Signature	CustomerLoader Alert Create hunting rule
File size:	13'312 bytes
First seen:	2023-07-11 14:18:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	192:e05nsnX+MyUY2NV28bBGnV87xKh8OuAU1OizJRRk1FShS7:HxsntyUZNVRtGocHuAUrzJUShS7
Threatray	54 similar samples on MalwareBazaar
TLSH	T1C1525C089FEC472BD1DF13BDCCFB02912276D6773113DB6BAACD904818623646A5277A
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	zbetcheckin
Tags:	64 CustomerLoader exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

296

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN amadey

Malware family:

amadey

Alert

Create hunting rule

ID:

1

File name:

6f665047f3ccce8c93bdd5eead1318de

Verdict:

Malicious activity

Analysis date:

2023-07-11 14:19:46 UTC

Tags:

lgoogloader opendir gcleaner loader amadey trojan

Link:

https://app.any.run/tasks/fd4148f0-72e4-4486-b5e5-129804286db6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/415764/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2167.11928.16201.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file

Creating a service

Launching a service

Loading a system driver

Creating a file in the Windows subdirectories

Creating a file in the Windows directory

Launching a process

Enabling autorun for a service

Forced shutdown of a system process

Unauthorized injection to a system process

FileScan.IO Unknown

Verdict:

Unknown

Threat level:

  0/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/64ad64d6a15fc7eb4fd0c887/reports/ebe69ebb-5116-44a9-9c0a-bbdd3eafd9d5/overview

Hybrid Analysis MSIL/TrojanDownloader.Agent_AGen

Verdict:

Malicious

Labled as:

MSIL/TrojanDownloader.Agent_AGen

Link:

https://www.hybrid-analysis.com/sample/4a4f33afe3086aa1962d92412fc2166c5e6b565087bbe20cc411dfc0e9ded6a0

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Suspicious

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/db32004e-e025-4ca3-bf9a-97cc830b2471

Joe Sandbox malicious

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1270977

Signature

Antivirus detection for URL or domain

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample is not signed and drops a device driver

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a4f33afe3086aa1962d92412fc2166c5e6b565087bbe20cc411dfc0e9ded6a0/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Generic

Threat name:

ByteCode-MSIL.Trojan.Generic

Alert

Create hunting rule

Status:

Suspicious

First seen:

2023-07-11 14:19:04 UTC

File Type:

PE+ (.Net Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jjhthl7dbbvkdfrnsjas7qqwnrpgwvsqq656edgechp4b2o622qa._file

Threatray malicious

Verdict:

malicious

Similar samples:

06dc6394565b70ac8efd2cc98225cf3ec9b5f7711e036189b186340c591e4f67

CustomerLoader

37efec4c9df42e2a53f73a9923a8e9a1154a790dc5316ec875b5b7640f27d294

CustomerLoader

3956c21824bc18caca2523381ce3fa113e40d5e7f47bf2a05d65f2a1a27a3f1d

CustomerLoader

3e24e97aba6e7432395abc346ee3484b9dbadbe803a046a84ea41529d6ed8c89

CustomerLoader

5cb9717a04cda4e2affebca598a9a2afcfe7f6e45b7544b9bbb9b6893540a111

CustomerLoader

71b83a4a645cee8038819ee490a2b6324d287d8aac405adb1b373277dc5c23ab

CustomerLoader

d73dbd022ae04284c10281b7aad42b0b80d45deec6beee79858e635a43627f65

CustomerLoader

e43e5c816ce04f8fa14c819ff2b5bfc02c03e27a4b0a6b85875ef11ea4d4489f

CustomerLoader

f938bd23b3f834f0548463c4479c53e68a622f08078412d73c3931e9bcc80120

CustomerLoader

+ 44 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://tria.ge/reports/230711-rmtywshd93/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Drops file in System32 directory

UnpacMe

Unpacked files

SH256 hash:

4a4f33afe3086aa1962d92412fc2166c5e6b565087bbe20cc411dfc0e9ded6a0

MD5 hash:

6f665047f3ccce8c93bdd5eead1318de

SHA1 hash:

4fb59980a15ce7974a796575b762f8f422ce5b07

Link:

https://www.unpac.me/results/6c6616ec-b73a-4f89-b5a7-a4fb396a87a6/

VMRay Amadey

Malware family:

Amadey

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4a4f33afe308/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CustomerLoader

exe 4a4f33afe3086aa1962d92412fc2166c5e6b565087bbe20cc411dfc0e9ded6a0

(this sample)

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2680699/

Cape

https://www.capesandbox.com/analysis/415764/

  

URLhaus

https://urlhaus.abuse.ch/url/2681148/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-07-11 14:18:35 UTC

url : hxxp://45.58.41.152/files/HHH1.exe