MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 13

SHA256 hash: 4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47
SHA3-384 hash: 6f5a6074195ffa792aae03eaf1b62995031140679d856f701e9e10fab8844652e3d6b2b11f6934decf0d15e2f80970a6
SHA1 hash: 33c341130bf9c93311001a6284692c86fec200ef
MD5 hash: d5671758956b39e048680b6a8275e96a
humanhash: november-pluto-snake-chicken
File name: 000.exe
File size: 6'983'680 bytes
First seen: 2023-05-20 14:47:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 3072:V3LA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuzzo9Y:lLJlC6j0CX4XmvWHVcd62uo9
TLSH: T12766F29B5ECC82E2FD3E05314062F676A6647EE903E14FCB62F80D47FA502E56C7119A
TrID:
58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.4% (.EXE) Win64 Executable (generic) (10523/12/4)
5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: JaffaCakes118

Intelligence


File Origin
# of uploads: 1
# of downloads: 58
Origin country: GB

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 000.exe
Verdict: Malicious activity
Analysis date: 2019-07-16 12:04:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Setting a global event handler
Creating a file in the %temp% directory
Running batch commands
Creating synchronization primitives
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Changing a file
Modifying a system executable file
Creating a file
Launching a process
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Launching a tool to kill processes
Forced shutdown of a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm lolbin packed packed xpack

Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: rans.adwa.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the wallpaper picture
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID: 678825; Sample: 000.exe; Startdate: 04/08/2022; Architecture: WINDOWS; Score: 100), recovered from the rendered graph:
Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 4 other signatures
000.exe (started)
  signatures: Contains functionality to register a low level keyboard hook; Installs a global keyboard hook; Changes the wallpaper picture; Disables the Windows task manager (taskmgr)
  dropped: C:\Users\user\AppData\Local\Temp\rniw.exe, PE32
  -> cmd.exe (started)
     signatures: Drops PE files to the startup folder
     dropped: C:\ProgramData\Microsoft\Windows\...\rniw.exe, PE32
     -> taskkill.exe (started)
     -> taskkill.exe (started)
     -> WMIC.exe (started)
     -> 2 other processes
Threat name: Win32.Ransomware.FileCoder
Status: Malicious
First seen: 2019-03-17 13:33:30 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 33 of 37 (89.19%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: n/a
Score: 8/10
Tags: evasion persistence ransomware
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Sets desktop wallpaper using registry
Enumerates connected drives
Modifies WinLogon
Disables Task Manager via registry modification
Unpacked files

SHA256 hash: dc6ee4edbbbe1116a200b928f2b62dbc55594a9f79152bbb0076161a58546c11
MD5 hash: 979b597855746aee2f30ee74f9d7c163
SHA1 hash: 56dd0b4bbc5ddcc3fab99ea2e8f781d8b7c7c05f

SHA256 hash: 7c7feee100a46098a612c6c9e0b416342cfe5fe436c7de0efc5612bdc4123241
MD5 hash: fe58ce135a4d107c152853d325164acd
SHA1 hash: 2ebc4ebc849cd71aa1e52b426d8ac814680dbed2

SHA256 hash: 41b63b968ac5b568070ea10343e72bd718f532f092708a592633c33122c0f6ed
MD5 hash: f58d32b8de920f763b4a5dc1f368a917
SHA1 hash: f90ea20341e8622b635c4d13598e64b5461a2235

SHA256 hash: 4f137a243ae2d35324f1e8d9d62c21bb973875a7076fa958f3afd9af6ecc6b89
MD5 hash: 3b088d379dd34dc933456e229b78af9a
SHA1 hash: e6e163452dab66f5d1e4da8a2551d64aed1f9aed

SHA256 hash: 37f483ae15017dc8fd772db3950b38167f370ef90a0ba52d54cb6541fac6a77b
MD5 hash: 676ae2e484c4e59bed0f05678f8e579c
SHA1 hash: e4c6b41c9418130019e7b758dc6e2bf4ffb6637d

SHA256 hash: 3af80d405d16548c2a07601d16c5cc005e5774383872a5ef15a81d0328aa3a2f
MD5 hash: 114e6bcb3a687be55df86d97f29dd470
SHA1 hash: 0995324dcbfa4cdfb64cea4e8e5f46fa79bc033f

SHA256 hash: 0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash: 13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash: e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd

SHA256 hash: 00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash: bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash: cdf7dd7dd1771edcc473037af80afd7e449e30d9

SHA256 hash: 4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47
MD5 hash: d5671758956b39e048680b6a8275e96a
SHA1 hash: 33c341130bf9c93311001a6284692c86fec200ef

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: kill_explorer
Author: iam-py-test
Description: Detect files killing explorer.exe

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments