MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 511d45db9f19d470d7c4af3afef0c99e66e4fbae53128f9bc12481477751438b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adhubllka

Vendor detections: 10

SHA256 hash: 511d45db9f19d470d7c4af3afef0c99e66e4fbae53128f9bc12481477751438b
SHA3-384 hash: 6116dea86b0e4120cf13b821e0a7700d95aa243d802e4b21b54e002f2a0b72e63d4e14860f1db0f604c855e338f55e7a
SHA1 hash: f3c27642060afb3d062ad82e11986153781809b6
MD5 hash: a15419df02ffae775b6231dd77fd9c6f
humanhash: virginia-three-mango-sodium
File name: a15419df02ffae775b6231dd77fd9c6f.exe
Signature: Adhubllka
File size: 363'520 bytes
First seen: 2021-12-11 06:49:59 UTC
Last seen: 2021-12-11 08:31:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:MkZOQVFAJnj/Shond2MDuzwAeZgmsMOGZ/+6THtQM/+3:BUQVF4nj/godHDuMPsMOGV+6TN5C
TLSH: T1AC74CE5003E40B8AF1F22FB56DF105015F31B692AD32EB4D0EC4A5E948B9B958F79B1B
Reporter: abuse_ch
Tags: Adhubllka exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 177
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: a15419df02ffae775b6231dd77fd9c6f.exe
Verdict: Malicious activity
Analysis date: 2021-12-11 06:51:55 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware

Behaviour
Searching for the window
Launching a process
Creating a file
Creating a window
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Changing a file
Moving a recently created file
Modifying an executable file
Creating a file in the Program Files subdirectories
Creating synchronization primitives
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Modifying a system executable file
Forced shutdown of a system process
Unauthorized injection to a system process
Encrypting user's files
Forced shutdown of a browser

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: BitRansomware
Verdict: Malicious

Result
Threat name: Covid19 Cryptolocker
Detection: malicious
Classification: rans.spre.evad
Score: 100 / 100

Signature
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Drops executable to a common third party application directory
Found ransom note / readme
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected Covid19 Ransomware
Yara detected Cryptolocker ransomware
Threat name: ByteCode-MSIL.Trojan.Wacapew
Status: Malicious
First seen: 2021-12-11 05:26:15 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 20 of 27 (74.07%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: persistence ransomware

Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Modifies extensions of user files
Unpacked files

SHA256 hash: fd43b492b6e9990901d234a9497e6f0b44b4bec4a37d3620a895740665803679
MD5 hash: 9043039824d34a79ce01f21f411c9598
SHA1 hash: fbb65849cdfcfd0bdf4e08ba55b4ff235043cb71

SHA256 hash: 53615832daa0aa701e2e2fcd66aa8bd28a8ecce5b80d5ead5d9f2af6d17b1a85
MD5 hash: 5340d23f150bb046f94ce17187d339bd
SHA1 hash: c12fd1a7e56500b7ab10f1df60163781930b8b92

SHA256 hash: 2216c3328a14314454f63cdfd6c60d7b93909a548051cf8535676b0aa806591d
MD5 hash: cc8b84e0abad3753c9155d894b407870
SHA1 hash: c03c6b2db2fae5d10a92425044e0d5eebc02a1f1

SHA256 hash: 8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be
MD5 hash: 4abff34e351e4e95514aecb515e8aea3
SHA1 hash: 742702e8c78e7cf19f19e56a6cdb2d1811759710

SHA256 hash: 70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash: 5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash: 0bc54fd699fff7b93e5c447a141c0d904924ab0d

SHA256 hash: 469512a854d7b6b09acb1719169f22dea536bc2b8a41fd8ec799ac305cd4db96
MD5 hash: 571e8637317e38cefcbb001de0c67e13
SHA1 hash: 03dc36175f7a3235659962feddb19c68dbb93215
Detections: win_adhubllka_a0 win_adhubllka_auto

SHA256 hash: 28d3e3d61321ede1da35ae2a943831fb40e3e73495c893d6552a759027745572
MD5 hash: e2c459ca0845a39df6010f1f125eeda2
SHA1 hash: c8cbe67d7c9286d1521f10b34b2a5d25ed6ca6aa

SHA256 hash: fb523273a7e75f52fb487b7b2e472a1850ca837b4a0256c95748a43f6274da70
MD5 hash: 8d7cb2186dd41f45973dada67d010f48
SHA1 hash: ab98322e41160312acd7b80e4fd222cb99c61f27

SHA256 hash: c30d336f26417ed23f6e8504c1f498c4ebe0169a0a127ec188fd013d01662448
MD5 hash: f7b59da185d5543d568d355761b955c2
SHA1 hash: 9a21f8855f3d25ff5705e587b09eeede9e25ef7b

SHA256 hash: 23309021629aab50f791cde10903ccf23568da69aff679a1c50ab4d1aba7e82c
MD5 hash: ff2c6bc570e1f6914c7d2cc7adde5964
SHA1 hash: 59100bb653eb26e0f290837b8302c6a2c8df445a

SHA256 hash: fddbf4489baf13fcc63c048fb6da4dc9e70d8690ad63db0888dae04a7602a61d
MD5 hash: 69b3b499afe13d89e4ff242619d4b152
SHA1 hash: 523da4c28ae7f16eaf64bd043bd746eea0b939df

SHA256 hash: 4889a61afa34e244e727f08d6b838580c67e2a37d6dcf8a154210e4536792953
MD5 hash: af5c0a5d2032ed8d66d8d8de2151be0a
SHA1 hash: 1859d2af12b51f5377aa59d7c5eb6671cf58f59e

SHA256 hash: 511d45db9f19d470d7c4af3afef0c99e66e4fbae53128f9bc12481477751438b
MD5 hash: a15419df02ffae775b6231dd77fd9c6f
SHA1 hash: f3c27642060afb3d062ad82e11986153781809b6
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_adhubllka_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.adhubllka.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adhubllka
Executable exe 511d45db9f19d470d7c4af3afef0c99e66e4fbae53128f9bc12481477751438b (this sample)

Delivery method: Distributed via web download