MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fe9f04679564d302766e073c01225d0a3715e523aabada12426546a74df1284. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fe9f04679564d302766e073c01225d0a3715e523aabada12426546a74df1284
SHA3-384 hash: 193dfa8541b6464f87f4828ca703e88deb8e2b86c14edb24095c8d460bb4e74bb252d77410b4f95249198a6df0d82933
SHA1 hash: 92ce08d96cb493bc8b02c8a308e137fa57e0bc0e
MD5 hash: 3b8bcc8ba7681d3af8b6d3ecb5fdc814
humanhash: fanta-william-fifteen-alabama
File name:3b8bcc8ba7681d3af8b6d3ecb5fdc814.exe
Download: download sample
File size:8'880'128 bytes
First seen:2022-03-05 17:58:54 UTC
Last seen:2022-03-05 19:35:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f084553d02ee9faa371daf024a1480c (3 x CoinMiner)
ssdeep 196608:joaJ1tur5oyPRmLmn5aVZorLDOHjNYsa4ioFr:0qDur5RPRpn5wZobOHjNtacr
Threatray 240 similar samples on MalwareBazaar
TLSH T12B9623FD3144375CC46E8830C423ED5472B6592E4FE685AA70D7BAE1BBAF835DA01B42
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2022-03-05 14:49:36 UTC
Tags:
evasion trojan socelars stealer loader rat redline opendir vidar ransomware stop
Link:
https://app.any.run/tasks/c1525f35-28ab-4218-9149-c5836afcea84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247548/
Detection(s):
SecuriteInfo.com.Win32.Packed.VMProtect.ACR.29527.22026.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8296/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6cfd0625-b6d2-4715-a485-12b0cb35a3ee
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951214
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 583695 Sample: WwdYiMlgIp.exe Startdate: 05/03/2022 Architecture: WINDOWS Score: 100 96 store-images.s-microsoft.com 2->96 100 Multi AV Scanner detection for domain / URL 2->100 102 Antivirus detection for URL or domain 2->102 104 Multi AV Scanner detection for submitted file 2->104 106 Machine Learning detection for sample 2->106 13 WwdYiMlgIp.exe 1 2 2->13         started        signatures3 process4 dnsIp5 98 185.137.234.33, 49762, 49763, 49764 SELECTELRU Russian Federation 13->98 94 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 13->94 dropped 124 Injects code into the Windows Explorer (explorer.exe) 13->124 126 Writes to foreign memory regions 13->126 128 Allocates memory in foreign processes 13->128 130 3 other signatures 13->130 18 explorer.exe 2 13->18         started        20 bfsvc.exe 1 13->20         started        22 conhost.exe 13->22         started        file6 signatures7 process8 process9 24 RegHost.exe 1 18->24         started        27 curl.exe 1 18->27         started        29 curl.exe 1 18->29         started        33 9 other processes 18->33 31 conhost.exe 20->31         started        signatures10 116 Multi AV Scanner detection for dropped file 24->116 118 Machine Learning detection for dropped file 24->118 120 Injects code into the Windows Explorer (explorer.exe) 24->120 122 5 other signatures 24->122 35 explorer.exe 2 24->35         started        37 bfsvc.exe 1 24->37         started        39 conhost.exe 24->39         started        41 conhost.exe 27->41         started        43 conhost.exe 29->43         started        45 conhost.exe 33->45         started        47 conhost.exe 33->47         started        49 conhost.exe 33->49         started        51 4 other processes 33->51 process11 process12 53 RegHost.exe 35->53         started        56 curl.exe 35->56         started        58 curl.exe 35->58         started        62 9 other processes 35->62 60 conhost.exe 37->60         started        signatures13 108 Injects code into the Windows Explorer (explorer.exe) 53->108 110 Writes to foreign memory regions 53->110 112 Allocates memory in foreign processes 53->112 114 2 other signatures 53->114 64 explorer.exe 53->64         started        66 bfsvc.exe 53->66         started        68 conhost.exe 53->68         started        70 conhost.exe 56->70         started        72 conhost.exe 58->72         started        74 conhost.exe 62->74         started        76 conhost.exe 62->76         started        78 conhost.exe 62->78         started        80 4 other processes 62->80 process14 process15 82 curl.exe 64->82         started        84 curl.exe 64->84         started        86 conhost.exe 64->86         started        88 conhost.exe 66->88         started        process16 90 conhost.exe 82->90         started        92 conhost.exe 84->92         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fe9f04679564d302766e073c01225d0a3715e523aabada12426546a74df1284/
Threat name:
Win64.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-03-05 17:59:18 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
24dddac175ec0ecbe3a13040165f0438fca44502c216c96655cdff8f4bc0ddcb
2b76f69615106615f7ac66c72a4cfbecd1475a1d4a73a7c07230fa3573dd83be
59131e55898be4de6efa846f46a69f71e7ab941e6b0e3f6fc01b80693d68ea44
9f6e71649662dd86ed3b65a8d20ad8c21971cb8087d14eeb34449f04b573b737
b63ab3c3d30931c5c5297641b70cd011151334a03151287e57d7b6d7a32ba457
dd469d067ee8f95f77fa9de6ae88c95e3a3d1b35c908c04eeba82a46316d1990
e8d6083106514e1fa3a1687de25e4ac31b1f1af0d4cf35bf0c11d7f5bea377b5
+ 230 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/220305-wkqwnsaebn/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
Unpacked files
SH256 hash:
4fe9f04679564d302766e073c01225d0a3715e523aabada12426546a74df1284
MD5 hash:
3b8bcc8ba7681d3af8b6d3ecb5fdc814
SHA1 hash:
92ce08d96cb493bc8b02c8a308e137fa57e0bc0e
Link:
https://www.unpac.me/results/9e428d88-f0f9-446d-ad03-16833ade16d1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4fe9f0467956/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.59
Link:
https://yomi.yoroi.company/submissions/4fe9f04679564d302766e073c01225d0a3715e523aabada12426546a74df1284

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/247548/

Comments