MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d52f61961a8e584db24d2162cdcd12781bc4f63e32171964a51410421108401. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d52f61961a8e584db24d2162cdcd12781bc4f63e32171964a51410421108401
SHA3-384 hash: afd685de2de7d97160856726dc6cd078c501c1dc8d96dca9f0d8db37e5b80e62380a47ede7de4be65e6566e9cba7072f
SHA1 hash: eb5767f7f16e84a3af82edc9cf251d766484e3c7
MD5 hash: e4afaaa8153391f10b7a38b98540e5ab
humanhash: hamper-eleven-don-vegan
File name:bird.png.exe
Download: download sample
File size:282'624 bytes
First seen:2021-11-15 16:29:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b0e52253c1525c2c6374783715fea7f8
ssdeep 6144:O8OMtKfr6tR6/ZG/FyI2edvlCGlyRLb4c+IYS/TF/p/uwONct43j92U:f0D6r6c/Cedv5IbjT9pGHNu4B2U
Threatray 8 similar samples on MalwareBazaar
TLSH T12154E14133C4A4F6E6CB9A7A823095BD627A38757F6390C9D7E27D8E1C39ED05E30609
File icon (PE):PE icon
dhash icon 787c78fa87f7e6c4 (16 x Gh0stRAT, 11 x Pikabot, 9 x ManusCrypt)
Reporter info_sec_ca
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205974/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Sending an HTTP GET request to an infection source
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm
Link:
https://www.filescan.io/uploads/61928b0d3edf00a722d5920e/reports/c443d251-3f1f-4aa0-a8cf-343530f47774/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/806634b0-40df-4c1d-90da-36496d6f88c6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/889638
Signature
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 522107 Sample: bird.png.exe Startdate: 15/11/2021 Architecture: WINDOWS Score: 68 32 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->32 34 Uses an obfuscated file name to hide its real file extension (double extension) 2->34 36 Suspicious powershell command line found 2->36 38 Found C&C like URL pattern 2->38 7 bird.png.exe 15 2->7         started        12 powershell.exe 18 2->12         started        process3 dnsIp4 30 188.130.139.47, 49755, 49756, 80 ASKONTELRU Russian Federation 7->30 26 C:\Users\user\AppData\...behaviorgraphet-Variable.exe, PE32 7->26 dropped 28 C:\Users\...behaviorgraphet-Variable.exe:Zone.Identifier, ASCII 7->28 dropped 40 Uses schtasks.exe or at.exe to add and modify task schedules 7->40 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->42 14 Get-Variable.exe 14 7->14         started        16 schtasks.exe 7->16         started        18 conhost.exe 12->18         started        20 Get-Variable.exe 12->20         started        file5 signatures6 process7 process8 22 WerFault.exe 23 9 14->22         started        24 WerFault.exe 2 9 14->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d52f61961a8e584db24d2162cdcd12781bc4f63e32171964a51410421108401/
Threat name:
Win32.Trojan.SpyEye
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 16:30:09 UTC
AV detection:
7 of 28 (25.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
27df37e6d4e820e016c55415b4c1ab5732ed402443296e2c547800eae4bf560c
6b74dc043f9a12823ed98d704e4c8543c9b5d8b9240e65e9d31d2303ab914906
7c964794e19b093b78a81da3b8dcafbe3d32153a044c19f6892829ed9ff71f46
851b9e416b22c80a435f7d11f0298272ad23a4ae49f6fbe23aafa0578c400bd0
a334885a72d65b2920f247d4a15de104e1b020713f08964316e566d8323bd474
d36674d4c3214e0b0560c6e172bb1765e085892959472afdda2f1debda84ca9d
f5fd02ebd2376fd1bc1ff121e9bfda618755a5c049edc8a4288eb67eb1cc7f9b
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211115-tztj1aahe5/
Unpacked files
SH256 hash:
4d52f61961a8e584db24d2162cdcd12781bc4f63e32171964a51410421108401
MD5 hash:
e4afaaa8153391f10b7a38b98540e5ab
SHA1 hash:
eb5767f7f16e84a3af82edc9cf251d766484e3c7
Link:
https://www.unpac.me/results/d53bf69d-5156-4a13-a4b2-077e4717d181/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d52f61961a8e584db24d2162cdcd12781bc4f63e32171964a51410421108401

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205974/

Comments