MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5555f55281b93a52723c64aab98b8a3d32f7ac72650296046d5d811663c8d724. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5555f55281b93a52723c64aab98b8a3d32f7ac72650296046d5d811663c8d724
SHA3-384 hash: 171b6adfd4463dac3d368dd237115e09687645153c1e426af5a6478a0f2b581f19affad06bc61b4b163c8ac72d141e3e
SHA1 hash: 0ad5d3f32a5195b5d218aaf4141c169143ca76b3
MD5 hash: 5e400278c5c2ed5f07e603b09b338780
humanhash: winter-angel-video-zulu
File name:5e400278c5c2ed5f07e603b09b338780.exe
Download: download sample
File size:396'315 bytes
First seen:2021-11-30 07:15:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 12288:qQi3JpH6m6UR0IbPIV1VTFunZEg00Fo4GcAXd7+gDh23:qQiZpaHIbgV1VcZ/00dGDXg3
Threatray 192 similar samples on MalwareBazaar
TLSH T1E2841247DBEAC432E452CAF02E72A2609F3FBABA1E79510C39DE4ACE1F171416419753
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5e400278c5c2ed5f07e603b09b338780.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-30 07:19:40 UTC
Tags:
installer
Link:
https://app.any.run/tasks/19901529-1366-4ff7-a764-6bf8e916b043

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/209772/
Detection(s):
SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Adding an access-denied ACE
Launching a process
Searching for the browser window
Creating a file
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/309/overview
Behaviour
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61a5cfb5c4c531414822f911/reports/936af032-1096-459d-96a6-6ca05bc5b571/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44d7c30a-79e0-4ef4-86cb-c9271d3b83c4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/898477
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sets debug register (to hijack the execution of another thread)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 530956 Sample: 67MPsax8fd.exe Startdate: 30/11/2021 Architecture: WINDOWS Score: 96 105 Antivirus detection for URL or domain 2->105 107 Antivirus detection for dropped file 2->107 109 Antivirus / Scanner detection for submitted sample 2->109 111 4 other signatures 2->111 10 67MPsax8fd.exe 2 2->10         started        14 Jibugaegofu.exe 2->14         started        16 Jibugaegofu.exe 2->16         started        process3 file4 71 C:\Users\user\AppData\...\67MPsax8fd.tmp, PE32 10->71 dropped 113 Obfuscated command line found 10->113 18 67MPsax8fd.tmp 3 19 10->18         started        signatures5 process6 dnsIp7 79 163.172.208.8 OnlineSASFR United Kingdom 18->79 81 8.8.8.8 GOOGLEUS United States 18->81 55 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 18->55 dropped 57 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 18->57 dropped 59 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->59 dropped 61 C:\Users\user\...\((((_________456.exe, PE32 18->61 dropped 22 ((((_________456.exe 20 20 18->22         started        file8 process9 dnsIp10 89 66.29.128.34 ADVANTAGECOMUS United States 22->89 91 162.0.210.44 ACPCA Canada 22->91 63 C:\Users\user\AppData\...\Jiraevaexaji.exe, PE32 22->63 dropped 65 C:\Users\user\AppData\...\Lydipodepi.exe, PE32 22->65 dropped 67 C:\Program Files\...\foldershare.exe, PE32 22->67 dropped 69 4 other malicious files 22->69 dropped 26 Lydipodepi.exe 14 4 22->26         started        31 Jiraevaexaji.exe 14 17 22->31         started        33 foldershare.exe 22->33         started        file11 process12 dnsIp13 93 142.250.180.78 GOOGLEUS United States 26->93 95 104.21.33.188 CLOUDFLARENETUS United States 26->95 73 C:\Users\user\AppData\Local\...\BumperWW.exe, PE32 26->73 dropped 75 C:\Users\user\AppData\Local\...\installer.exe, PE32 26->75 dropped 77 C:\Users\user\AppData\Local\Temp\...\161.exe, PE32 26->77 dropped 115 Multi AV Scanner detection for dropped file 26->115 117 Sets debug register (to hijack the execution of another thread) 26->117 97 172.217.21.68 GOOGLEUS United States 31->97 35 chrome.exe 31->35         started        38 chrome.exe 31->38         started        40 chrome.exe 31->40         started        42 22 other processes 31->42 file14 signatures15 process16 dnsIp17 83 192.168.2.1 unknown unknown 35->83 85 192.168.2.3 unknown unknown 35->85 87 239.255.255.250 unknown Reserved 35->87 44 chrome.exe 35->44         started        47 chrome.exe 38->47         started        49 chrome.exe 40->49         started        51 chrome.exe 42->51         started        53 chrome.exe 42->53         started        process18 dnsIp19 99 87.250.251.119 YANDEXRU Russian Federation 44->99 101 212.82.100.181 YAHOO-IRDGB United Kingdom 44->101 103 69 other IPs or domains 44->103
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5555f55281b93a52723c64aab98b8a3d32f7ac72650296046d5d811663c8d724/
Threat name:
Win32.Downloader.Chebka
Create hunting rule
Status:
Malicious
First seen:
2021-11-29 12:35:59 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
15 of 27 (55.56%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
3b70b57af7fcdfb9d0c83217e58d6acd5fafe898f11a815b88b444ecfadb57ab
3deefd1f1f776cc14993508ae21a6434b496b48d7c1c85ec892572e2a56473ab
8f2e44c29365ee8ded05c7de45e97d2d750cb430bf5ea2ea27ad48c2fa9cf884
ac0cd27c71d75b6ea298c5169f845ab40e4b5750cb76368c5364f29178e0594d
b64cc3011b334fe3fdc47852da28f1d865a1f71dd819827a035b9b3adab1a163
e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
+ 182 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion persistence upx
Link:
https://tria.ge/reports/211130-h3s7vshch6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Checks for common network interception software
Process spawned unexpected child process
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/0e9d644d-a70d-4682-a22f-85b5cbe4c701/
SH256 hash:
c78a7b0b9009696256a7bb3f28f3f50b0ea8d6c549152f1326bd79fd2d1f8e84
MD5 hash:
ec272ac80231b4bc276f19639a7a1f37
SHA1 hash:
336273a9ed80e9e22980a8a81d4106aa80de03f0
Link:
https://www.unpac.me/results/0e9d644d-a70d-4682-a22f-85b5cbe4c701/
SH256 hash:
5555f55281b93a52723c64aab98b8a3d32f7ac72650296046d5d811663c8d724
MD5 hash:
5e400278c5c2ed5f07e603b09b338780
SHA1 hash:
0ad5d3f32a5195b5d218aaf4141c169143ca76b3
Link:
https://www.unpac.me/results/0e9d644d-a70d-4682-a22f-85b5cbe4c701/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5555f55281b93a52723c64aab98b8a3d32f7ac72650296046d5d811663c8d724

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5555f55281b93a52723c64aab98b8a3d32f7ac72650296046d5d811663c8d724

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1829829/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/209772/

Comments