MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dd51b22d5ee046670f8b082ff67450740dd0825f0f544e243313fe07f8400bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dd51b22d5ee046670f8b082ff67450740dd0825f0f544e243313fe07f8400bd
SHA3-384 hash: 6004d399494ca3e70721198a96c88cd5ec30006df530e78eeb3976158c97cb3fc812f0fc22eb404ee2367571cdf00884
SHA1 hash: 2d281881e36a41acad58b1d1f89ea12f3cfd79c0
MD5 hash: 1aa31c8d706a918ca5ce96d035cafc30
humanhash: wisconsin-hydrogen-beer-venus
File name:4_ico.exe
Download: download sample
File size:1'857'536 bytes
First seen:2021-02-26 22:23:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 24576:s1d9zkJnSyGJpyI7lymQFqIHoeGjp3VnXTaQua4mU6a8Dc+QoeFr8abETp0botGD:sb9sqJQI7Yvo1VXtOopnemawTektG
Threatray 264 similar samples on MalwareBazaar
TLSH 7A8533449A755C73C4F1F97064C7E8CB2AE98E54A8CC458B704791761EF9BE8383B88E
Reporter JasonMilletary

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lv.bin
Verdict:
Malicious activity
Analysis date:
2021-02-26 19:51:54 UTC
Tags:
evasion opendir loader
Link:
https://app.any.run/tasks/e54e94c6-88cd-48dd-928f-370b5f504725

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119550/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Creating a window
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/620249
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4dd51b22d5ee046670f8b082ff67450740dd0825f0f544e243313fe07f8400bd/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 18:23:41 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
00723545fff6ce259e729f8f1f9c7129e0d667502f94ef137bbbd9642ced4cc0
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
1a859f18a203b53f7c893f9e3d3cbfeb6bd9c0d479f1ddd5626ba4c9eb34e670
2d7099e54db4d0617fcd725de09e05cdd23479b87540b98c4fb90f517efb012e
5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6
60ca0a3819cc5a24cb229e79c4fc0ac610e59691fe99dda733cbb5ac06844d41
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
b8392aaf409d89fe323576fdf09bf3320094962da9812918d23bb47b3d8d53f8
ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe
e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974
+ 254 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/210226-xhk4zg9dpj/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Drops startup file
Identifies Wine through registry keys
Loads dropped DLL
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
4dd51b22d5ee046670f8b082ff67450740dd0825f0f544e243313fe07f8400bd
MD5 hash:
1aa31c8d706a918ca5ce96d035cafc30
SHA1 hash:
2d281881e36a41acad58b1d1f89ea12f3cfd79c0
Link:
https://www.unpac.me/results/ac09538d-fd5d-4cbb-8c0d-10c03a2ba68f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4dd51b22d5ee046670f8b082ff67450740dd0825f0f544e243313fe07f8400bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6

Executable exe 4dd51b22d5ee046670f8b082ff67450740dd0825f0f544e243313fe07f8400bd

(this sample)

  
Dropped by
SHA256 5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6
Cape
Cape
https://www.capesandbox.com/analysis/119550/

Comments