MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f55dfc040b920c7d7e184142588f17c9d99129e48dadae0c711fcaa083e4437. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f55dfc040b920c7d7e184142588f17c9d99129e48dadae0c711fcaa083e4437
SHA3-384 hash: 2199183c3fe072f24a7a60a5857e713fe2265b08b799afc497e86a518d7a054cccc36ffe649d3864fc142a5fa9de5c60
SHA1 hash: 2b4b3f2461e9b13d5cf981eb5b79501cecb8b9cf
MD5 hash: 89cf5146f2f88c60c0d4a85b5ce0134c
humanhash: bulldog-massachusetts-cardinal-sierra
File name:89cf5146f2f88c60c0d4a85b5ce0134c
Download: download sample
File size:3'796'480 bytes
First seen:2022-02-09 19:38:20 UTC
Last seen:2022-02-09 21:54:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 41304e4befbbd8a63ad6ec59f252160b (56 x RedLineStealer, 4 x RaccoonStealer, 2 x CoinMiner)
ssdeep 98304:Ti0zAHfvvL0MIO9r+FYX5gpyyQ8Cp7RIePJPftTlSBrOo8AVD3cMzO:XG/LJIcrCcuct8oDhXtYBroAVbM
Threatray 1'221 similar samples on MalwareBazaar
TLSH T1CC0623DA89EC2D43CA8FF77569252D13C6CA1EB180D2808957A8BC75F3FD8A791104E7
File icon (PE):PE icon
dhash icon 8ab2c0c4d0c0b282 (9 x RedLineStealer, 2 x AsyncRAT)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f55dfc040b920c7d7e184142588f17c9d99129e48dadae0c711fcaa083e4437
Verdict:
Malicious activity
Analysis date:
2022-02-10 00:46:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f71160bd-74b5-40e8-ae79-2e048515d848

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239837/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
DNS request
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6204185e36f992191832a924/reports/d50e0e2a-fd71-46d1-92d7-d19ba2fc3944/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/baabfc32-48ea-4fb0-a66a-4715597555b7
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937215
Signature
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to prevent local Windows debugging
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 569690 Sample: 99TdCVWLNI.exe Startdate: 09/02/2022 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Clipboard Hijacker 2->35 37 2 other signatures 2->37 8 99TdCVWLNI.exe 2->8         started        11 oobeldr.exe 2->11         started        13 oobeldr.exe 2->13         started        15 oobeldr.exe 2->15         started        process3 signatures4 45 Writes to foreign memory regions 8->45 47 Allocates memory in foreign processes 8->47 49 Injects a PE file into a foreign processes 8->49 17 AppLaunch.exe 1 8->17         started        21 WerFault.exe 23 9 8->21         started        51 Contains functionality to prevent local Windows debugging 11->51 process5 file6 27 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 17->27 dropped 39 Found evasive API chain (may stop execution after checking mutex) 17->39 41 Uses schtasks.exe or at.exe to add and modify task schedules 17->41 43 Contains functionality to compare user and computer (likely to detect sandboxes) 17->43 23 schtasks.exe 1 17->23         started        29 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->29 dropped signatures7 process8 process9 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f55dfc040b920c7d7e184142588f17c9d99129e48dadae0c711fcaa083e4437/
Threat name:
Win32.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 15:54:51 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2c7e8a9b546f7c133469fabcfc200e5ab79da84ffa180fda9e088bc5476af860
374ec0de5ab31bc54adc80e494194f0070a78839701d19b73b27ca605f05c768
3dc72b0f754bdd940a27033839a6b08c7ac6a41259a92764638194afe3e969de
4fa28556557b228a0cabb6a51597217e09afdf58a140b1181f0bd8325e6e4d0f
6d2a3832a1b693d9f5eed571212585443e6ee282429160973d67e17736c43629
6e60006ac8af12483aee2b0f6bcf0a963a0423b494b55f56ad51bfc9b3a3bd71
72846967a4a479a7e4e47584e74a2689e6aa4756e4541d32e9bcf2e55cf19da5
790b75e1d50978e41ae57a87008b3d1922d3efd15924b59a2a0967f29abdab8a
bdbfee005e1400f36296856b83458c338e287c415315f8840e12f58aaf45cc59
f79a731182ddcb3007804a2370c40e89f5ab2af160a0c4b0379b757f463f0abb
+ 1'211 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220209-ycy87abecr/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
0f289ea18711762df292fee05539a971113b60df113913085c78d90cb0e6af95
MD5 hash:
2b847a22d8985d6722728c4ee771eb05
SHA1 hash:
057e451f7e83553d3419a2858b6ccd205da11666
Link:
https://www.unpac.me/results/0eba4273-7e91-4773-8f74-760eff1e8772/
SH256 hash:
4f55dfc040b920c7d7e184142588f17c9d99129e48dadae0c711fcaa083e4437
MD5 hash:
89cf5146f2f88c60c0d4a85b5ce0134c
SHA1 hash:
2b4b3f2461e9b13d5cf981eb5b79501cecb8b9cf
Link:
https://www.unpac.me/results/0eba4273-7e91-4773-8f74-760eff1e8772/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4f55dfc040b920c7d7e184142588f17c9d99129e48dadae0c711fcaa083e4437

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2038960/
Cape
Cape
https://www.capesandbox.com/analysis/239837/

Comments


Avatar
zbet commented on 2022-02-09 19:38:23 UTC

url : hxxp://45.84.0.253/clipper.exe