MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3
SHA3-384 hash: dd04ec159a88e535d83eaee1d7f35a03c975fece8f6b27792f498c9b30ce013834582d4730352c57573bc21d9c566a88
SHA1 hash: 7af117f07ca61a75baa2e4b183f980832b19f390
MD5 hash: 9f25eb870ee8a56eda7d35dc25f2241c
humanhash: aspen-montana-jig-december
File name:9f25eb870ee8a56eda7d35dc25f2241c
Download: download sample
File size:6'300'672 bytes
First seen:2021-12-20 11:55:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 98304:aDPq64p8tJ7l64y0eO+EWjV+8RTOxdJt7vOA6pB:wqcJ7nyWWxgdJtt6
Threatray 6 similar samples on MalwareBazaar
TLSH T133568C03F85561A9D6EED230C67582527B317888073033D36F95AABA2B77FD4AE78350
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215452/
Detection(s):
Win.Ransomware.Hive-9916034-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending an HTTP GET request
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Sending a UDP request
DNS request
Creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2749/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed ransomware
Link:
https://www.filescan.io/uploads/61c06f55ec6c6c14a9e4ef98/reports/f994ae40-16e1-41cb-a0ad-fd72e907e4bb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Garble
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/425eb880-8e51-4d63-95f8-a4abad16da48
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/910238
Signature
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 542716 Sample: 2tq620NCNv Startdate: 20/12/2021 Architecture: WINDOWS Score: 72 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Antivirus detection for URL or domain 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Machine Learning detection for sample 2->54 10 2tq620NCNv.exe 1 2->10         started        process3 dnsIp4 44 146.59.208.242, 49757, 80 OVHFR Norway 10->44 34 C:\Users\user\AppData\...\counterstrike.exe, PE32+ 10->34 dropped 14 cmd.exe 1 10->14         started        file5 process6 process7 16 counterstrike.exe 2 14->16         started        20 conhost.exe 14->20         started        file8 32 C:\Users\user\AppData\Local\...\leakless.exe, PE32+ 16->32 dropped 46 Machine Learning detection for dropped file 16->46 22 leakless.exe 16->22         started        signatures9 process10 dnsIp11 36 127.0.0.1 unknown unknown 22->36 25 chrome.exe 5 171 22->25         started        28 taskkill.exe 1 22->28         started        process12 dnsIp13 38 gstaticadssl.l.google.com 142.250.203.99, 443, 49778, 54234 GOOGLEUS United States 25->38 40 i.ytimg.com 172.217.168.22, 443, 49776, 54235 GOOGLEUS United States 25->40 42 8 other IPs or domains 25->42 30 conhost.exe 28->30         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3/
Threat name:
Win64.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 11:56:14 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 43 (39.53%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
5cbea0c2d3f18aafe1c3ab60b3d670bcc47e4001f26c8923c3e4735e6964708c
664543a2800a9d4d0ebae4f742350251bb0df2a447a302032c1fe22c7c1e7398
6cc8e13f66166e615a847f9444a0258b0e7a01fb8e607c49c482b2b4d50cd829
d708ff93f30255df025e9335dd05fc2f9bd818cb0925d8889d95cb477cfc81f2
eb4ed5f6140aa6e26adf5408f9924e5263b9c0fa3b66cec699f7e50eb893537c
f62434d2bfd1b9d953618d0be4ba442e3210b821575ae1b1c97ae6aa55ae394a
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211220-n32rwsbcdm/
Behaviour
Enumerates system info in registry
GoLang User-Agent
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3
MD5 hash:
9f25eb870ee8a56eda7d35dc25f2241c
SHA1 hash:
7af117f07ca61a75baa2e4b183f980832b19f390
Link:
https://www.unpac.me/results/57af3634-b723-40ed-bda9-d7f18ffba5d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1901589/
Cape
Cape
https://www.capesandbox.com/analysis/215452/

Comments


Avatar
zbet commented on 2021-12-20 11:55:22 UTC

url : hxxp://data-file-data-7.com/files/5293_1639994752_7486.exe