MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b24254a2e351333a79359e5f3806fdf086852c5a55aaed919323d70fa06a654. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b24254a2e351333a79359e5f3806fdf086852c5a55aaed919323d70fa06a654
SHA3-384 hash: f80902f2c6f33eddec5de8601721e065b77ab840883be7ad603c3af5e4c1a16fb1e650da8ca775b71d0bb9d29536c68a
SHA1 hash: ee142c0f3eba382678f6de0b32e56e64d3c074a5
MD5 hash: 1767762d0d9e80f4dc1f1095274fce6e
humanhash: eight-football-magazine-item
File name:1767762d0d9e80f4dc1f1095274fce6e
Download: download sample
File size:135'680 bytes
First seen:2022-01-23 14:20:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:bNSA4U+yMEsaOi9mYGBajbG2G4tOYSjQnYewd:5l+Ab9jbY4tdBnm
Threatray 343 similar samples on MalwareBazaar
TLSH T175D3188A77884B10D9D924B5C1EF583403E1ADC71A32E2953F8877CD5D02BB7EE85B89
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://62.182.156.187/MicrosoftApi.exe
Verdict:
Malicious activity
Analysis date:
2022-01-17 02:04:14 UTC
Tags:
trojan miner
Link:
https://app.any.run/tasks/4ccc848f-f37a-4180-a5ea-436c1fe919b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221716/
Detection(s):
Win.Dropper.Witch-9936665-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd.exe evasive obfuscated overlay replace.exe schtasks.exe virus
Link:
https://www.filescan.io/uploads/61ed6451d32385db6322265b/reports/88cb4843-cf45-471d-869c-7c88521fe0f2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf9b9a3d-939f-4f7f-b015-b761e2d196eb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925853
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 558331 Sample: jnhtTLwM5W Startdate: 23/01/2022 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Antivirus detection for URL or domain 2->52 54 6 other signatures 2->54 8 jnhtTLwM5W.exe 1 5 2->8         started        12 MicrosoftApi.exe 14 2 2->12         started        15 MicrosoftApi.exe 2->15         started        process3 dnsIp4 40 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 8->40 dropped 42 C:\Users\...\MicrosoftApi.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\...\jnhtTLwM5W.exe.log, ASCII 8->44 dropped 66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->66 17 MicrosoftApi.exe 1 5 8->17         started        46 62.182.156.187, 49752, 49753, 49754 AutonomousSystemofBaunetworks-SerbiaRS Russian Federation 12->46 file5 signatures6 process7 file8 38 C:\Users\user\AppData\...\tmpE7F0.tmp.cmd, DOS 17->38 dropped 56 Multi AV Scanner detection for dropped file 17->56 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->58 60 Machine Learning detection for dropped file 17->60 21 cmd.exe 1 17->21         started        24 cmd.exe 1 17->24         started        signatures9 process10 signatures11 62 Uses schtasks.exe or at.exe to add and modify task schedules 21->62 64 Adds a directory exclusion to Windows Defender 21->64 26 powershell.exe 21 21->26         started        28 conhost.exe 21->28         started        30 timeout.exe 1 21->30         started        32 conhost.exe 24->32         started        34 timeout.exe 1 24->34         started        36 schtasks.exe 1 24->36         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b24254a2e351333a79359e5f3806fdf086852c5a55aaed919323d70fa06a654/
Threat name:
ByteCode-MSIL.Trojan.Witch
Create hunting rule
Status:
Malicious
First seen:
2022-01-18 13:30:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
25 of 27 (92.59%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
51e6527daa5a10028c434c7ceaed1570ddd95e1de0eafa702f77860cec3d0b7c
5cbc602e1850dce976f8f5a33a1b97aed7648f409892fc2a0da0900d3d97bb53
6912561e48a62b49018cbed0fda8cdcfcf5afcd16f0a65b49390117b2331ef99
a32437ab62c0ac90c236c6a8e33bd6b57e661cd83aaae7d6c9f371eefca5a7a5
d1653b5cbbf61f3666ac0c5ac308b75d0d0c5029941ca9efbf37f18b51f9a3a6
d486573a12a0a407b7ae295318b59e750fb63cd9de6d46cceb2c173ae0b6b650
e0453a56a222c1a325d6b9ddc8ce5a692ecfba00664d0e36f9fdad9fde46acfb
fb78e43ae17426eb0f2066a30e1eff92116eff495f10f1789f1f69fab3c377c0
+ 333 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/220123-rnzwjagbb6/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
4b24254a2e351333a79359e5f3806fdf086852c5a55aaed919323d70fa06a654
MD5 hash:
1767762d0d9e80f4dc1f1095274fce6e
SHA1 hash:
ee142c0f3eba382678f6de0b32e56e64d3c074a5
Link:
https://www.unpac.me/results/88730fe1-0e67-4dae-8268-d0022f20be93/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b24254a2e351333a79359e5f3806fdf086852c5a55aaed919323d70fa06a654

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4b24254a2e351333a79359e5f3806fdf086852c5a55aaed919323d70fa06a654

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2000372/
Cape
Cape
https://www.capesandbox.com/analysis/221716/

Comments


Avatar
zbet commented on 2022-01-23 14:20:29 UTC

url : hxxp://62.182.156.187/MicrosoftApi.exe