MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 521ee4ebc055c938cef4592146f0db06bdc9785e06cec3137d9a6eeca4d10c51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	521ee4ebc055c938cef4592146f0db06bdc9785e06cec3137d9a6eeca4d10c51
SHA3-384 hash:	de342ff1220d4b6e6538b4206ad1ad9d325ad8b18dc8d325c32f91585d1d751457e306564cec09b71ec7c96bfb34d2d6
SHA1 hash:	4066ca8942facb2c9c6b4f365685316116081361
MD5 hash:	a7926995fb4df3ce10b78f14a85f6cfd
humanhash:	coffee-cold-florida-fourteen
File name:	a7926995fb4df3ce10b78f14a85f6cfd.exe
Download:	download sample
File size:	387'584 bytes
First seen:	2021-12-04 10:37:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bcc72a924b908e9a13e070d8decf7d90 (4 x RedLineStealer, 1 x CryptBot)
ssdeep	6144:vYdhMK9LdzescyOKmpEYwkP2QGhLRn+pzS:vYMKLe1lHuhLRU
Threatray	1'366 similar samples on MalwareBazaar
TLSH	T10684DF11B5C0C032D19769B68C25CB754EB974B15B361ACB7FE80AB91F246E1A73A30E
File icon (PE):
dhash icon	d2b1e4d4ecb987f8
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

239

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a7926995fb4df3ce10b78f14a85f6cfd.exe

Verdict:

Malicious activity

Analysis date:

2021-12-04 10:42:24 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/be2edaa7-564c-498b-8a53-1a2b3ec277bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/211277/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/785/overview

Behaviour

SystemUptime

CPUID_Instruction

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61ab451047ed217c0130fb2f/reports/109dcd6c-c927-4a9f-80a9-aa30aad44f49/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/114278c7-315f-42b6-95ad-caf46d074345

Result

Threat name:

MedusaHTTP

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/901390

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected MedusaHTTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/521ee4ebc055c938cef4592146f0db06bdc9785e06cec3137d9a6eeca4d10c51/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-12-04 10:38:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Verdict:

malicious

33574c9e0f179950b9c8df201e9ace21976bf15fcec8afec8d6221ecc2f07331

3bdcd4071feaaedd310ca11a2c598e95da859016b73236992ab8cca3b97d7faf

500fac9441ad73605875e83b17b9d116ef8e016131f7e5dc19ae0a2ebbf701ea

5f131a6fd46a437ab6cfaf7ea0a554c9c9248ac8aaec7770a0f8395817ed7321

78fd1ec918a1ce3de315df48fbf8dfd640258532ef3d2fe97870077f475ad40e

911503a00ba2338991c0252e6183ac36184d17048892ef51d91d4f950c7f51fb

d035415df5f3a9180697a6aa8e8561e3cbc6a8c561be653247d8a93dc64c556a

e62f9557a44b5453784420d0e4b4f341a78176ee91d6cc99298bcf465c3fb943

+ 1'356 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/211204-mpd81aahak/

Behaviour

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Unpacked files

SH256 hash:

9d2595a41df97491e626cdc0afe35621cb2081d7f92ee94e1b47dc1c23843fd6

MD5 hash:

c01d561d5e23b0b7a5e826c778a34b8c

SHA1 hash:

5945d5fe0b5ea8be119e43720e98e8ea3d38f1df

Link:

https://www.unpac.me/results/81ff0676-5071-4ed4-bb22-162a06c1e695/

SH256 hash:

521ee4ebc055c938cef4592146f0db06bdc9785e06cec3137d9a6eeca4d10c51

MD5 hash:

a7926995fb4df3ce10b78f14a85f6cfd

SHA1 hash:

4066ca8942facb2c9c6b4f365685316116081361

Link:

https://www.unpac.me/results/81ff0676-5071-4ed4-bb22-162a06c1e695/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/521ee4ebc055c938cef4592146f0db06bdc9785e06cec3137d9a6eeca4d10c51

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 521ee4ebc055c938cef4592146f0db06bdc9785e06cec3137d9a6eeca4d10c51

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1849996/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/211277/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample