MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d41f95b0cac25da5a03c5f9813c00b7c8ec53bc29e06dd962ac225b327f6c9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d41f95b0cac25da5a03c5f9813c00b7c8ec53bc29e06dd962ac225b327f6c9d
SHA3-384 hash: 84b800acf7e1cc8192004d012a8cade95cf5a5b197d039df1af8d58781bc98dab864daeaad20a7635222206e8df9479f
SHA1 hash: 1242f2b5d16a93b675870493ef39479c81a1787f
MD5 hash: 704a33a076e1cd1f16f75c039efd2806
humanhash: washington-kansas-queen-asparagus
File name:704a33a076e1cd1f16f75c039efd2806
Download: download sample
File size:7'901'696 bytes
First seen:2022-12-11 01:43:46 UTC
Last seen:2022-12-11 03:30:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (60 x LummaStealer, 49 x AuroraStealer, 45 x Vidar)
ssdeep 98304:XFgvebEGe3yoOzZH1vmzGpqXUbwrhYkoL7vHuuV1SaT:1/EUOzG8X2wrhYkoLbHLSaT
Threatray 34 similar samples on MalwareBazaar
TLSH T18F868C41F9DBA4B5EA431530047792AF23306D095B20EF87EA547F7FE8776A20E36258
gimphash d162036ba3ee1aab39791439d8c51d06fa0ab49593fa4ef9920df24cc0925d10
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345103/
Detection(s):
SecuriteInfo.com.FileRepMalware.18803.29772.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Changing a file
Creating a file
Reading critical registry keys
Modifying an executable file
Searching for the window
Stealing user critical data
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
golang greyware packed
Link:
https://www.filescan.io/uploads/639535e4f6e448d42df803ac/reports/8ac760fc-2081-4ab4-8a45-da342634526d/overview
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7e053826-d58c-4216-9634-0b448117a092
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1132093
Signature
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d41f95b0cac25da5a03c5f9813c00b7c8ec53bc29e06dd962ac225b327f6c9d/
Threat name:
Win32.Ransomware.Encoder
Create hunting rule
Status:
Malicious
First seen:
2022-12-11 01:44:13 UTC
File Type:
PE (Exe)
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jva7swymvqs5uwqdyx4ycpaaw7eoyu54fhqg3wlcvqrfwmt7nsoq._file
Verdict:
malicious
Similar samples:
319ead10ec14192ea1ba28c3079e72a581bbdbb13a67a3ccbe3066dfec86179a
365129fc256e1cc025ad1428f241e1b371c79fc801926cc2afe4ef9d55fdb100
3a6ff8e3ab8b15036ff5a4e6fcaf4c84d0a122d3f6f2636dc10af77068896f62
63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146
7dc8f90673b102c2945e36747763ccccd243519500eca01fd1cfdbbfcb61d61b
7e197097351b093b6698ed9634e8ae0dbd7bc4aa65470bde4ce131c4de641f64
80991222b1cf2e863e1e8ac51b6fe90cf0b701df1d8af8c3a9ce9ec10e089f77
873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
ransomware
Link:
https://tria.ge/reports/221211-b5t4lsgd88/
Behaviour
GoLang User-Agent
Sets desktop wallpaper using registry
Drops desktop.ini file(s)
Modifies extensions of user files
Gathering data
Unpacked files
SH256 hash:
4d41f95b0cac25da5a03c5f9813c00b7c8ec53bc29e06dd962ac225b327f6c9d
MD5 hash:
704a33a076e1cd1f16f75c039efd2806
SHA1 hash:
1242f2b5d16a93b675870493ef39479c81a1787f
Link:
https://www.unpac.me/results/15467afe-4cfc-4865-ac6d-f457e2eda790/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d41f95b0cac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d41f95b0cac25da5a03c5f9813c00b7c8ec53bc29e06dd962ac225b327f6c9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_bin
Create hunting rule
Author:Jonathan Cole
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:go_binary
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4d41f95b0cac25da5a03c5f9813c00b7c8ec53bc29e06dd962ac225b327f6c9d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2454005/
Cape
Cape
https://www.capesandbox.com/analysis/345103/

Comments


Avatar
zbet commented on 2022-12-11 01:43:51 UTC

url : hxxp://35.235.126.33/cia.windows.386.exe