MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f2ada4fba44e50c0c23762724b98dcd98d54340ace84ea1493358987c3dfebd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f2ada4fba44e50c0c23762724b98dcd98d54340ace84ea1493358987c3dfebd
SHA3-384 hash: 7433f328e4cb8b59039873f94260bee893c3848102ab8af4834da1d78c9290e2dd02249b20df2139e935da3185a0302f
SHA1 hash: 23d5df7acab95ecbbb434bd22a38f806f1b43c6d
MD5 hash: d2071e4300298657f8e7a36e910c889a
humanhash: uniform-oklahoma-uncle-red
File name:4f2ada4fba44e50c0c23762724b98dcd98d54340ace84ea1493358987c3dfebd.bin
Download: download sample
File size:6'256'976 bytes
First seen:2021-09-23 10:18:27 UTC
Last seen:2021-09-23 11:12:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5bda47c2d61767d7c35480252d1c3c6d
ssdeep 98304:HhxKuyyfpPfbRQtMzNh6QYPdmtW1YQ8JI8sHSKATajC+rYQ8JI8sHSKATajC+Bhe:Hdyyf9h4dmUos+ajjos+ajP2yun
Threatray 39 similar samples on MalwareBazaar
TLSH T193569E20729AC43BD57A05B01A6DDBAF51397EB50F7284D7A3D82E6E09B09C25331F27
File icon (PE):PE icon
dhash icon 6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter JAMESWT_WT
Tags:exe Idris Kanchwala Holding Corp.

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f2ada4fba44e50c0c23762724b98dcd98d54340ace84ea1493358987c3dfebd.bin
Verdict:
Malicious activity
Analysis date:
2021-09-23 10:23:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/25479ed0-1c38-4075-8a50-75c58d850fa5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190708/
Detection(s):
SecuriteInfo.com.generic.ml.24938.13176.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/652411c4-f024-4654-b218-c95c07cb4ca0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
54 / 100
Link:
https://www.joesandbox.com/analysis/856847
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Disables Windows Defender (via service or powershell)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: Regsvr32 Anomaly
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 489276 Sample: uhwBmJGGqo.bin Startdate: 23/09/2021 Architecture: WINDOWS Score: 54 38 updatemsicheck.com 194.67.90.217, 443, 49740 AS-REGRU Russian Federation 2->38 42 Multi AV Scanner detection for submitted file 2->42 44 Sigma detected: Powershell Defender Exclusion 2->44 46 Sigma detected: Regsvr32 Anomaly 2->46 48 Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring 2->48 9 MSIDA37.tmp 1 2->9         started        12 uhwBmJGGqo.exe 25 2->12         started        15 msiexec.exe 2->15         started        17 msiexec.exe 2->17         started        signatures3 process4 dnsIp5 40 192.168.2.1 unknown unknown 9->40 19 cmd.exe 1 9->19         started        34 C:\Users\user\AppData\Local\...\shi2891.tmp, PE32+ 12->34 dropped 36 C:\Users\user\AppData\Local\...\MSI292E.tmp, PE32 12->36 dropped 22 msiexec.exe 4 12->22         started        file6 process7 signatures8 50 Bypasses PowerShell execution policy 19->50 52 Adds a directory exclusion to Windows Defender 19->52 54 Disables Windows Defender (via service or powershell) 19->54 24 cmd.exe 19->24         started        26 powershell.exe 24 19->26         started        28 powershell.exe 3 25 19->28         started        30 27 other processes 19->30 process9 process10 32 powershell.exe 24->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f2ada4fba44e50c0c23762724b98dcd98d54340ace84ea1493358987c3dfebd/
Threat name:
Win32.Trojan.ZLoader
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 17:36:24 UTC
AV detection:
6 of 43 (13.95%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
38b2cd6c40791c11a2cdb5f2c31f2304175a202e11e25bfcc87ed914e6bf5902
57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5
73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e
df7049b8c4d704376be3920232b1ba6b2c8cf2ff0f9cf3bf22f6d89c1c9515dc
e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
e6447686ab68ede1a7b92ddc98b7e90ccf64d48876ace4b91cc45ea2437cc67c
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210923-mchqnabhaj/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
4f2ada4fba44e50c0c23762724b98dcd98d54340ace84ea1493358987c3dfebd
MD5 hash:
d2071e4300298657f8e7a36e910c889a
SHA1 hash:
23d5df7acab95ecbbb434bd22a38f806f1b43c6d
Link:
https://www.unpac.me/results/8682e009-2021-46e2-9624-3c308b053f75/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.01
Link:
https://yomi.yoroi.company/submissions/4f2ada4fba44e50c0c23762724b98dcd98d54340ace84ea1493358987c3dfebd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190708/

Comments