MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b9c4a311f2b3fa9f2c954a70bfa8bd4c89e87899f6d35d54c46edf9d6c3e859. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b9c4a311f2b3fa9f2c954a70bfa8bd4c89e87899f6d35d54c46edf9d6c3e859
SHA3-384 hash: 2cced5d08b610f7acebe875c55720a8e423c0ecbb14e319f341970ebc6c5e490db20b130a906ef206c528893686bc00c
SHA1 hash: a949c3711cb57564916a7732f1274c7d5d7dd733
MD5 hash: fba4f54cfdca650a57c66f83ec1b084e
humanhash: autumn-iowa-florida-robert
File name:fba4f54cfdca650a57c66f83ec1b084e
Download: download sample
File size:7'172'608 bytes
First seen:2021-11-26 00:51:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8e88eb7cc5742529ccc6b16edd9f9c23
ssdeep 196608:8OUZuR6VUYceLcNt2iCxTyXUg1TJDt0vURmS:8NZ66VUYce4n2t2Ug1VDo
Threatray 110 similar samples on MalwareBazaar
TLSH T1DA7623AA62A8331CC01BC9B5D537BD07F272521F59E485B972CEBAC03FDB014DA46B46
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fba4f54cfdca650a57c66f83ec1b084e
Verdict:
No threats detected
Analysis date:
2021-11-26 00:55:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a410cfdd-7978-4c27-b261-0c1693b732f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61a02fb5b71ceed41530cd6a/reports/6d26f7f0-8a90-43e0-bea2-06372b89b2e9/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8fcd9e1-ca94-4d86-b412-37682c53399e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/896425
Signature
Antivirus / Scanner detection for submitted sample
Detected VMProtect packer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b9c4a311f2b3fa9f2c954a70bfa8bd4c89e87899f6d35d54c46edf9d6c3e859/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-16 05:50:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 45 (48.89%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
50d77a8a5e5ced0e79891d026a9329744a23b75e80359e4a2b23bab1eaa95188
67af043c52562a130a97ccd9391ea99c9aed49eef5383767c366d45f3dcf9740
6b096fad1b452e6ad6a07a1ab6d713fda4e4e5f14f6ba4c9a40f232b8f88c12a
8301c177db142c3062ed9e7fe6fe2b519d4d184770d9c0689417f5ae4619c4d1
89ff189deb3ff3b32b516ee106e8529ab556803dea34f8f1570155833c39a27d
cccc59bb80ee4003e60632ef75835efe3a5ef2cdf762f6da95f5610f0647d3c1
cfa9c1d8b0ea8b947b89c01c9cbb87a70161a528337e5af00e855a70d350f22e
eebd330208d3021ba7caf06e78588daaa3e9de826c373025aad1bea09a94865d
f980ad74c0102e182c42c66aa59dbd23879f6cfa5ee2fa40541613503b5a272a
fdc5ae1a23f456d6edd75da1dedb29f1b8425292a6318d8e1374b3e1769fb7fe
+ 100 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/211126-a73yvshfcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
4b9c4a311f2b3fa9f2c954a70bfa8bd4c89e87899f6d35d54c46edf9d6c3e859
MD5 hash:
fba4f54cfdca650a57c66f83ec1b084e
SHA1 hash:
a949c3711cb57564916a7732f1274c7d5d7dd733
Link:
https://www.unpac.me/results/30f03953-32c0-4643-ae33-9344723128ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b9c4a311f2b3fa9f2c954a70bfa8bd4c89e87899f6d35d54c46edf9d6c3e859

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4b9c4a311f2b3fa9f2c954a70bfa8bd4c89e87899f6d35d54c46edf9d6c3e859

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1818230/
Cape
Cape
https://www.capesandbox.com/analysis/209555/

Comments


Avatar
zbet commented on 2021-11-26 00:51:17 UTC

url : hxxp://l93069nr.beget.tech/updaterapex.exe