MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55af8940100b432c2873c1b4ec0068516ec9459ae313fd1d3ac2957ef7abe033. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55af8940100b432c2873c1b4ec0068516ec9459ae313fd1d3ac2957ef7abe033
SHA3-384 hash: d4c5877e1863a4890f136615d6bc68b86ce6fed083da6a79ab150b4665c731f23f0bcce1e90091f5defcc47260ca94c6
SHA1 hash: 7870a26f33469c4cef96cecd4e0b20c82fa4e1af
MD5 hash: 96cbbd2930425374e0d2d6e251be9834
humanhash: five-xray-item-nineteen
File name:96cbbd2930425374e0d2d6e251be9834.exe
Download: download sample
File size:6'231'483 bytes
First seen:2022-11-06 17:05:12 UTC
Last seen:2022-11-06 19:04:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 98304:UJlQcZOWdS58SUxTzskoHi3a7UpYLzwnGuqfkIF8RK2qBHNp6mgC6ZwECQ0em5v8:UJltOuS54xTzs5XTLFBfkJ42qBtpJ2wU
Threatray 6'505 similar samples on MalwareBazaar
TLSH T12456336901790D8BF70B727314293D7F83E71A9F24A9EE5967446ECF3A53190ECB90A0
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://bit.ly/3F3uhJA
Verdict:
Malicious activity
Analysis date:
2022-11-06 12:46:23 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/dbb2b261-7f0a-402c-af2d-18cafa8c1319

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329511/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.46415.31463.30709.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/49315/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6367e97ca8436570d7409f43/reports/b334af88-b472-455d-8f18-e6404846542f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/19f494dd-8d3e-47fa-8a16-2b8b909d4faa
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1106682
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Deletes itself after installation
Encrypted powershell cmdline option found
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 739346 Sample: eYtnKcX9Ie.exe Startdate: 06/11/2022 Architecture: WINDOWS Score: 92 30 Multi AV Scanner detection for domain / URL 2->30 32 Antivirus detection for URL or domain 2->32 34 Antivirus detection for dropped file 2->34 36 3 other signatures 2->36 7 eYtnKcX9Ie.exe 16 2->7         started        process3 file4 24 C:\Users\user\AppData\Local\...\SelfDel.dll, PE32 7->24 dropped 26 C:\Program Files (x86)behaviorgraphoogle\chrome.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 7->28 dropped 38 Encrypted powershell cmdline option found 7->38 11 explorer.exe 7->11         started        14 powershell.exe 24 7->14         started        16 powershell.exe 11 7->16         started        18 chrome.exe 7->18         started        signatures5 process6 signatures7 40 Deletes itself after installation 11->40 20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55af8940100b432c2873c1b4ec0068516ec9459ae313fd1d3ac2957ef7abe033/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2022-11-06 15:35:08 UTC
File Type:
PE (Exe)
Extracted files:
142
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwxysqaqbnbsykdtyg2oyadikfxmsrm24mj72hj2ykkx555l4azq._file
Verdict:
malicious
Similar samples:
04e95db9663cac79ec012fe52be0a8c25fad8ba3644acb0c179123da2504621e
057e92d5cb962f0860f3f59f767645350a870c5a884afe1a2806509954036633
086896ba131161dac8f232478d8d9167f33fd81a02271f49fa0a362aa236c8ca
0a7682c0607e0fcb3580d28aec0e3439d6eae0cde1ab3359832046f7f33cdb0f
3d898349908143bef8f7652dada13c6075f84af469349be709b1d33d2ddf6672
763b9ddb8670835d34e5ecbd031c8077ad8c1e1572e43f558fa664a8d6b0c4d5
b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
cffe6e5ff4988a9aa30fcce3f005db402986bf5689516976fca483310265a2a4
f2000a110ef3052177a9a035ae3d6c811590d6d02534afc6e94d313b31a6b8eb
+ 6'495 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion upx vmprotect
Link:
https://tria.ge/reports/221106-vmd48aeffk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
VMProtect packed file
ACProtect 1.3x - 1.4x DLL software
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/74cbbb7e-1390-4070-9b04-5610d17be0fb
Unpacked files
SH256 hash:
df66573cd34dc477aac8a06185f0519143c403766dc93492fccd29a2a7e5e7be
MD5 hash:
93918bca8e219f9b65d1fe304afc2428
SHA1 hash:
c4b39df748384c906abae86003f35db6ec75369f
Link:
https://www.unpac.me/results/52fc6aad-cab9-43d0-b75e-52f52c5c5cc9/
SH256 hash:
8f79940660b88b13bc727cb5ddbb69a7fe5c9512030a977c052578e1940103b4
MD5 hash:
106d8ffe658f771aa4699f95a30197ec
SHA1 hash:
7fb907dc8ce2e9e812d693bf99a609b3de5cbf5e
Link:
https://www.unpac.me/results/52fc6aad-cab9-43d0-b75e-52f52c5c5cc9/
SH256 hash:
0b2277d8aaf36e01aca3ae33e227b44bebc541a9c5cef6eb4fef93e96821a6cd
MD5 hash:
b1ba7a8263281244782ca5604876cb2c
SHA1 hash:
b8523dee6d7e74512a05c60cc35c0fddac370252
Link:
https://www.unpac.me/results/52fc6aad-cab9-43d0-b75e-52f52c5c5cc9/
SH256 hash:
55af8940100b432c2873c1b4ec0068516ec9459ae313fd1d3ac2957ef7abe033
MD5 hash:
96cbbd2930425374e0d2d6e251be9834
SHA1 hash:
7870a26f33469c4cef96cecd4e0b20c82fa4e1af
Link:
https://www.unpac.me/results/52fc6aad-cab9-43d0-b75e-52f52c5c5cc9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55af8940100b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55af8940100b432c2873c1b4ec0068516ec9459ae313fd1d3ac2957ef7abe033

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 55af8940100b432c2873c1b4ec0068516ec9459ae313fd1d3ac2957ef7abe033

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2402534/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/329511/

Comments