MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12

SHA256 hash: 4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de
SHA3-384 hash: e94894ba21aeba0fdef4309ff9af423a32a273a9a94779ebdbdcdfd19bff9c5b2bf38d6a068f3f2c7c83f0d81120b60d
SHA1 hash: 6c3fcf45e35aaf6b747f29a06108093c284100da
MD5 hash: f27b6e8cf5afa8771c679b7a79e11a08
humanhash: spaghetti-cup-georgia-foxtrot
File name: file
File size: 1'784'832 bytes
First seen: 2024-11-27 14:37:52 UTC
Last seen: Never
File type: dll
MIME type: application/x-dosexec
imphash: dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep: 24576:3rKxoVT2iXc+IZ++6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:WHZ5pdqYH8ia6GcKuR7
TLSH: T13B851918F6D8423ED857D2359A7153B2D7FAB9482F20738A2928075A7F2B3D02B3575C
TrID: 35.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      25.9% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      10.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      6.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.2% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Magika: pebin
Reporter: jstrosch
Tags: .NET dll MSIL


Comment by jstrosch:
Found at hxxp://68.178.207[.]33:8000/RR/XWorm-5.6/Plugins/HRDP.dll by #subcrawl

Intelligence

File Origin
# of uploads: 1
# of downloads: 378
Origin country: CA
Vendor Threat Intelligence

Result
Verdict: Malicious
Score: 99.9%
Tags: dropper virus msil

Result
Verdict: Malware
Maliciousness:
Behaviour: Searching for the window

Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: apt lolbin netsh rdpwrap vbnet

Result
Threat name: RDPWrap Tool
Detection: malicious
Classification: spre
Score: 72 / 100
Signatures:
  AI detected suspicious sample
  Antivirus / Scanner detection for submitted sample
  Contains functionality to hide user accounts
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  Yara detected RDPWrap Tool
Behaviour graph (ID 1563881; sample: file.dll; start date: 27/11/2024; architecture: WINDOWS; score: 72):
  Signatures attached to the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Contains functionality to hide user accounts; 3 other signatures
  Process tree:
    loaddll32.exe
      cmd.exe
        rundll32.exe
      conhost.exe
Result
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-03-13 10:14:28 UTC
File Type: PE (.Net Dll)
Extracted files: 17
AV detection: 24 of 38 (63.16%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Unpacked files

SHA256 hash: 63fb201040002775e6ef6f836a8f0f4d94324fc299c0f9bc1f17a97c6bb24552
MD5 hash: 5505592313b74f2e2c8727837750f66d
SHA1 hash: d0394cf350090ba4fc68c7e12fd806881b0c42e0

SHA256 hash: 2f33ed67124a2225104726cb59f001e5ff4d78b0d88a650ced997890b515a73b
MD5 hash: 51b15fc8de1a07851f648ffe4362e5ca
SHA1 hash: b8215e0a97424eff245eaf196ed4fccd154723b6

SHA256 hash: ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
MD5 hash: 3288c284561055044c489567fd630ac2
SHA1 hash: 11ffeabbe42159e1365aa82463d8690c845ce7b7
Detections: RDPWrap RDPWrap potential_termserv_dll_replacement

SHA256 hash: 4c19d053751a68b30c045119642964268659bf79bd066046c32ddb875ec339eb
MD5 hash: b52ac2b928342ee016739834af802beb
SHA1 hash: 1d4d62475d6ab667fdbc68a46177b7ae01c2ddeb

SHA256 hash: 4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de
MD5 hash: f27b6e8cf5afa8771c679b7a79e11a08
SHA1 hash: 6c3fcf45e35aaf6b747f29a06108093c284100da
Detections: RDPWrap
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: APT_Lazarus_Loader_Dec_2020_1
Author: Arkbird_SOLG
Description: Detect loader used by Lazarus group in December 2020
Reference: Internal Research

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Mimikatz_Generic
Author: Still
Description: attempts to match all variants of Mimikatz

Rule name: NET
Author: malware-lu

Rule name: NETDLLMicrosoft
Author: malware-lu

Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for suspicious string and import combination that ransomware mostly abuses (can create FP)

Rule name: RDPWrap
Author: @bartblaze
Description: Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference: https://github.com/stascorp/rdpwrap

Rule name: skip20_sqllang_hook
Author: Mathieu Tartare <mathieu.tartare@eset.com>
Description: YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference: https://www.welivesecurity.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
dll 4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de (this sample)
Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

Comments