MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5450806ae37bf26fc3d0db2190b03f0d74c032c3f9a2c91b7870e354992c6e35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8



SHA256 hash: 5450806ae37bf26fc3d0db2190b03f0d74c032c3f9a2c91b7870e354992c6e35
SHA3-384 hash: 7309c4ecec7af6bb5f84d9ab7546ea22c9274f4d931ed244163453aebe510218a3ddb5b2c0021944ae761e9fec76eab4
SHA1 hash: 05d1b7881dcd103c35d16814d4a7d7d8fee91103
MD5 hash: 2595b6a3695d90dd8bb8762cd294da24
humanhash: venus-xray-social-fruit
File name: 5450806AE37BF26FC3D0DB2190B03F0D74C032C3F9A2C91B7870E354992C6E35.exe
File size: 2'263'040 bytes
First seen: 2022-05-31 12:33:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 827c0a5301b8d9d9d9ab4c984e2cdb2a
ssdeep: 49152:7pp5HHy7Oyj8ZgJKZtFRU7gkdMzIQsmBR:BHtZw+hUU3vv
Threatray: 12'366 similar samples on MalwareBazaar
TLSH: T128A51246BAA09277E03609B1581289ECE1717C625D3DC97F23E4332E7EB61E05F36B52
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: b0f4d4e8f0f0d4e8
Reporter: obfusor
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 274
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5450806AE37BF26FC3D0DB2190B03F0D74C032C3F9A2C91B7870E354992C6E35.exe
Verdict: Malicious activity
Analysis date: 2022-05-31 13:12:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:
Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Delayed reading of the file
Creating synchronization primitives
Moving a recently created file
Launching a process
Creating a process with a hidden window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug control.exe explorer.exe hacktool packed
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Generic Downloader
Behaviour
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-05-31 12:34:12 UTC
File Type: PE (Exe)
Extracted files: 58
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: suricata
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Executes dropped EXE
suricata: ET MALWARE Win32/SiMay RAT Activity M2 (GET)
Unpacked files
SHA256 hash: 82c2343e60745711e171a46124ce186888a3ca9cac1ffaf6b20f7353d4277544
MD5 hash: a93a77e4f08f9fef9b0b436d5283d9f4
SHA1 hash: a0445b38cdbec7b3a692009650af46a0443e303e

SHA256 hash: 6fbec8c010ff19908bf1b698bb8d57dc92d3cdc77f5ac4e3aa45fd5095e4f669
MD5 hash: 61ea0aea9b6949dd104a4acc2c5afe7b
SHA1 hash: 2a20ecde61330aa2879a67ab35ae124d1fffa29b

SHA256 hash: 5450806ae37bf26fc3d0db2190b03f0d74c032c3f9a2c91b7870e354992c6e35
MD5 hash: 2595b6a3695d90dd8bb8762cd294da24
SHA1 hash: 05d1b7881dcd103c35d16814d4a7d7d8fee91103
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments