MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 13


SHA256 hash: 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA3-384 hash: 45b0d772d7c9378854cf652024ad3cd859c3458474d665e04056c452a20744bb011a16cfab45ddd132410427fba1f5bf
SHA1 hash: 1029492c1a12789d8af78d54adcb921e24b9e5ca
MD5 hash: f2b7074e1543720a9a98fda660e02688
humanhash: lamp-november-red-winner
File name: 000.exe
File size: 6'983'680 bytes
First seen: 2023-06-08 10:10:06 UTC
Last seen: 2025-05-06 11:42:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 3072:eaLA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuz1o9Y:fLJlC6j0CX4XmvWHVcd62uO9
TLSH: T11E66F39B5ECC82E2FD3E05314062F676A6607EE907D24FCB62F80D47FA502E56C7119A
TrID: 58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.4% (.EXE) Win64 Executable (generic) (10523/12/4)
5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: Neiki

Intelligence


File Origin
# of uploads: 3
# of downloads: 83
Origin country: DE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Endermanch@000.exe
Verdict: Malicious activity
Analysis date: 2021-09-05 13:50:20 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Setting a global event handler
Creating a file in the %temp% directory
Running batch commands
Creating synchronization primitives
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Changing a file
Sending a custom TCP request
Modifying a system executable file
Creating a file
Launching a process
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Launching a tool to kill processes
Forced shutdown of a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: diztakun keylogger lolbin packed packed xpack
Result
Verdict: MALICIOUS
Result
Threat name: n/a
Detection: malicious
Classification: rans.adwa.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the wallpaper picture
Contains functionality to log keystrokes (.Net Source)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses shutdown.exe to shutdown or reboot the system
Behaviour
Behavior Graph (ID: 884071; Sample: 000.exe; Startdate: 08/06/2023; Architecture: WINDOWS; Score: 100)
Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 4 other signatures
000.exe (started): drops C:\Users\user\AppData\Local\Temp\rniw.exe (PE32); signatures: Installs a global keyboard hook; Changes the wallpaper picture; Disables the Windows task manager (taskmgr)
cmd.exe (started by 000.exe): drops C:\ProgramData\Microsoft\Windows\...\rniw.exe (PE32); signatures: Drops PE files to the startup folder; Uses shutdown.exe to shutdown or reboot the system
taskkill.exe, taskkill.exe, WMIC.exe and 3 other processes (started by cmd.exe)
Threat name: Win32.Trojan.Diztakun
Status: Malicious
First seen: 2016-10-03 06:36:42 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 33 of 37 (89.19%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: evasion persistence ransomware
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Sets desktop wallpaper using registry
Enumerates connected drives
Modifies WinLogon
Disables Task Manager via registry modification
Unpacked files
SHA256 hash: dc6ee4edbbbe1116a200b928f2b62dbc55594a9f79152bbb0076161a58546c11
MD5 hash: 979b597855746aee2f30ee74f9d7c163
SHA1 hash: 56dd0b4bbc5ddcc3fab99ea2e8f781d8b7c7c05f

SHA256 hash: 9eb97bbb49384cb7e52cb87b345f4081e975c6d6b71c9e76df5dad61751efff1
MD5 hash: 368d95336bc9f695840a8fcc526e3e06
SHA1 hash: 647c78ed21b2be2ba0d692d340dd1e8be25897c0

SHA256 hash: 15c523ef899ccd081ac63abc6fe994fbb1fba85004dc1943f10d9de801b75be4
MD5 hash: c658168c1065853372a212ee1f773148
SHA1 hash: 62f96afea32fac61511fe7cb2439f0dcd11d593e

SHA256 hash: c189c1e1c55282853b4735ec8c4b039b2ecfe643ea31ad563ff52d0e688635eb
MD5 hash: ea3cd5cb3b5f29b6c92a5b4bcd6ac803
SHA1 hash: c7d26830d601e5c9cf9205cb8d292baecaaecc5b

SHA256 hash: a11b7c9215956112e8d865e65428b80e839391187bc3e0c0efa47d98d861b226
MD5 hash: 390b023dd4a22b47662023edbf363365
SHA1 hash: b4ddb3042f67ce2f17feaa3ff6af09910f8b762d

SHA256 hash: 7a59acfe2120113440a9cab8620c3e04d316199358dce59437dffa738e6d0af5
MD5 hash: a2441f9ad0e8367c67e8a0e6d7076ade
SHA1 hash: 7ef2f573a86a3248a78c43e093d760a966bd7a1c

SHA256 hash: 47a25387e1a1be14cdae4b6600bd2a772cc82ce4b9435283ee2464d2be56b550
MD5 hash: 23620b9b96d49e3953dd6cc58814e30b
SHA1 hash: 6445a4e1a4caf34eaffdfeea63dbdd3fac7ee40f

SHA256 hash: cd62a942933770560eb13115b25d4e4f7529b5ee311d32d13102ef226f562455
MD5 hash: f27f60c1f9036ad74139cbdad0a3c109
SHA1 hash: 44ebb1ae3b79f9e3679df14b55db387c9e52f24a

SHA256 hash: 00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash: bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash: cdf7dd7dd1771edcc473037af80afd7e449e30d9

SHA256 hash: 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
MD5 hash: f2b7074e1543720a9a98fda660e02688
SHA1 hash: 1029492c1a12789d8af78d54adcb921e24b9e5ca
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: kill_explorer
Author: iam-py-test
Description: Detect files killing explorer.exe
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966 (this sample)
Delivery method: Distributed via web download

Comments