MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50aa0651f35cb07db9fdff826df63f5737ec8ac43d65e9fad8efdf287e2299a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	50aa0651f35cb07db9fdff826df63f5737ec8ac43d65e9fad8efdf287e2299a8
SHA3-384 hash:	c2d6c8fc74d9accbcccd986ae0aab89ebe3ec8f4f94651d8836f54010d8d299e51c4dc1a5fb66783cd7925f6e7d0ec87
SHA1 hash:	b45f31122a0fd1bc03fc4cf017d611f94e610b6d
MD5 hash:	ea3c4d4b4fcef4410f25f4f8c58babb5
humanhash:	south-skylark-thirteen-pasta
File name:	file
Download:	download sample
File size:	137'728 bytes
First seen:	2023-06-24 08:08:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	768:qJreEJhy3ZzLajdolVfeUBrYTHkSsh4KrWOb4MjiBXLZ2k2/sA:OraAolNeYcDcdVEhC/sA
TLSH	T186D3A41BFA8C93AEEB48CEF9747153702760EF7769129A29F5C5FE6D05B112C22102C6
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	6ccccc9cc4d8e8f4 (41 x Formbook, 34 x AgentTesla, 3 x AveMariaRAT)
Reporter	andretavare5
Tags:	exe

andretavare5

Sample downloaded from http://85.217.144.228/files/AAAd.exe

Intelligence

File Origin

# of uploads :

# of downloads :

332

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-06-24 08:09:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/18233fff-1754-4f31-bede-623e88693477

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/402319/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Creating a service

Launching a service

Loading a system driver

Creating a file in the Windows subdirectories

Creating a file in the Windows directory

Launching a process

Creating a window

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Searching for the window

Enabling autorun for a service

Forced shutdown of a system process

Unauthorized injection to a recently created process

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6496a49e76927ec2c0075a24/reports/bae9dd62-bce7-42c7-b316-3fffcec6209b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/50aa0651f35cb07db9fdff826df63f5737ec8ac43d65e9fad8efdf287e2299a8

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b332bca8-b3c7-4af9-81fa-386697dcedcc

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1260854

Signature

.NET source code references suspicious native API functions

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/50aa0651f35cb07db9fdff826df63f5737ec8ac43d65e9fad8efdf287e2299a8/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-06-24 08:09:05 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kcvamuptlsyh3op576bg35r7k436zcwehvs6t6wy57psq7rctgua._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230624-j14q9aae44/

Behaviour

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

50aa0651f35cb07db9fdff826df63f5737ec8ac43d65e9fad8efdf287e2299a8

MD5 hash:

ea3c4d4b4fcef4410f25f4f8c58babb5

SHA1 hash:

b45f31122a0fd1bc03fc4cf017d611f94e610b6d

Link:

https://www.unpac.me/results/2d516175-b1ef-4bfd-a0a4-721474dc4fcf/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/50aa0651f35c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/50aa0651f35cb07db9fdff826df63f5737ec8ac43d65e9fad8efdf287e2299a8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/402319/

URLhaus

https://urlhaus.abuse.ch/url/2670912/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample