MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 554b54dd18ef35af4bfe0f065f0310a29a3ae19bfc518bc50be481744aaa01fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 554b54dd18ef35af4bfe0f065f0310a29a3ae19bfc518bc50be481744aaa01fe
SHA3-384 hash: 8a8c2cbad0095fb2480f53afd61c21f7d37119117915e1f9e070b80dff1a34e4ad26797284d4008af3147afa7f61d40b
SHA1 hash: 22a56e9ed057e945d97ce77ffb222aa428804a89
MD5 hash: d08e82f2b16f3fe2d0f4ff23429f7a5c
humanhash: wyoming-gee-echo-angel
File name:d08e82f2b16f3fe2d0f4ff23429f7a5c.exe
Download: download sample
File size:6'120'365 bytes
First seen:2021-02-10 12:21:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba54e48d0f0346b349e9f7a2c8ecaf5c (1 x ValleyRAT)
ssdeep 98304:TtWFLq2gXJAT86nXlXxHh/ZEYoPHGlBBYYYR9MU6JADxpuL0DQ8rAIRde:TwYNJAT8UXlVh/iYofG7rYnEuDCLRQ
Threatray 24 similar samples on MalwareBazaar
TLSH 41563364212120E2FA7B5836C997662AD1F77440037A80DF4B2573257EA3F99BE3DB31
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d08e82f2b16f3fe2d0f4ff23429f7a5c.exe
Verdict:
No threats detected
Analysis date:
2021-02-10 12:22:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8c48f64-a3b9-42ce-8487-d90650bec402

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116498/
Detection(s):
SecuriteInfo.com.PE_File_pyinstaller.24421.30566.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Creating a file in the system32 subdirectories
Launching a process
Creating a window
Deleting a recently created file
Using the Windows Management Instrumentation requests
Creating a file
Sending a UDP request
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/604395
Signature
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Windows Shell Script Host drops VBS files
Writes or reads registry keys via WMI
Writes registry values via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 351231 Sample: l7H7Uq5q9v.exe Startdate: 10/02/2021 Architecture: WINDOWS Score: 84 41 Multi AV Scanner detection for domain / URL 2->41 43 Antivirus detection for URL or domain 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Connects to a pastebin service (likely for C&C) 2->47 8 l7H7Uq5q9v.exe 18 2->8         started        12 wscript.exe 2->12         started        14 wscript.exe 2->14         started        process3 file4 27 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 8->27 dropped 29 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 8->29 dropped 31 C:\Users\user\AppData\Local\...\python37.dll, PE32+ 8->31 dropped 33 10 other files (none is malicious) 8->33 dropped 55 Potentially malicious time measurement code found 8->55 16 l7H7Uq5q9v.exe 1 8->16         started        signatures5 process6 dnsIp7 35 callonenergy.com 162.0.232.250, 443, 49740, 49747 NAMECHEAP-NETUS Canada 16->35 37 pastebin.com 104.23.98.190, 443, 49738 CLOUDFLARENETUS United States 16->37 39 grabify.link 104.27.41.48, 443, 49746 CLOUDFLARENETUS United States 16->39 19 wscript.exe 3 3 16->19         started        process8 file9 25 C:\ProgramData\...\Software Essentials.vbs, ASCII 19->25 dropped 49 Windows Shell Script Host drops VBS files 19->49 51 Writes or reads registry keys via WMI 19->51 53 Writes registry values via WMI 19->53 23 wscript.exe 19->23         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/554b54dd18ef35af4bfe0f065f0310a29a3ae19bfc518bc50be481744aaa01fe/
Threat name:
Win64.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 11:30:34 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
06eeeac97751699903c4751be6fce5d4d453e25830e8a02cc118f41d592308c9
0f4238a14d0c6dbd53c84513df03d0d3be5f8452aa858e2273788690fe7c59dc
260809d850f42fd71f5ddff0bf68a241a82595aa062d82fa5ca6c7bf8076ad15
290452bb8eb4dfcc3cfb1590c8fb1b44427a3c9f0439ad5855e35bc39537a3a3
4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6
4ddfd623ef499cb59cd55be3a72e22acefb23488d1631692baaff001471b2bea
5f7edbfee38f8e9a93df459405b952189d48b4a7f2ddc7a81d25bdfd59b31c80
e68a310f4d4a1a9d76c462cf0404a702bc138296a1badd2a7728656b3757c254
f29a85a0a8d5c438141903be9402dfea15cc0eb89e356da5b53d31edfabed15e
fbe1b7e3984d33ae5f5756116aaddce9139849cf0364f4ca1edb74d8a273e766
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller ransomware
Link:
https://tria.ge/reports/210210-yt3b4hec4a/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Unpacked files
SH256 hash:
554b54dd18ef35af4bfe0f065f0310a29a3ae19bfc518bc50be481744aaa01fe
MD5 hash:
d08e82f2b16f3fe2d0f4ff23429f7a5c
SHA1 hash:
22a56e9ed057e945d97ce77ffb222aa428804a89
Link:
https://www.unpac.me/results/baa3855b-162d-437b-b0e3-4131bedf3b9e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/554b54dd18ef35af4bfe0f065f0310a29a3ae19bfc518bc50be481744aaa01fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 554b54dd18ef35af4bfe0f065f0310a29a3ae19bfc518bc50be481744aaa01fe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/994950/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116498/

Comments