MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 572ab8a858b7d9cfd33d6f140f43b4ae890ba62bd5fa3eb1dee16c184e8d921c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 572ab8a858b7d9cfd33d6f140f43b4ae890ba62bd5fa3eb1dee16c184e8d921c
SHA3-384 hash: f3a53a38bb84a3acec5c23a5804ff8400e5473c96f152f1906d2d81a23d75e1b9307adc3dbd69fa6db11e2b6d5bf983e
SHA1 hash: 351650af37d4f119fe7c58710f8f3047b6878e1b
MD5 hash: f9f112479af939c79af58d8470bbbcbc
humanhash: mountain-seventeen-pip-apart
File name:f9f112479af939c79af58d8470bbbcbc.exe
Download: download sample
File size:9'629'184 bytes
First seen:2023-02-19 17:07:05 UTC
Last seen:2023-02-19 18:27:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c25baa32156986b3f7d855fb19850993
ssdeep 196608:7VAqMbJ4SS6avdifiQ/wcemK3+Svzc29r/aQDK3FLl+mgfnstexi9Y:7VUbJ4SalZSwkK3XL3ryQuJpgni9
Threatray 31 similar samples on MalwareBazaar
TLSH T1CBA623FA1BDA82B5C081E6104947D3AB7886E91D48BD9D1B3EC76E06661CCEB104FF71
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f9f112479af939c79af58d8470bbbcbc.exe
Verdict:
Malicious activity
Analysis date:
2023-02-19 17:08:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6e3abf2c-bcc9-4379-b0b4-83d6c526269d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368239/
Detection(s):
SecuriteInfo.com.Win64.Trojan-gen.32100.32283.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f2577342bf85850e3e12d9/reports/2f8efa44-a23a-45a8-bc6d-fca612534287/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/572ab8a858b7d9cfd33d6f140f43b4ae890ba62bd5fa3eb1dee16c184e8d921c
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/636dbc80-276d-4037-a12c-f2da9fbcba7f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1178845
Signature
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/572ab8a858b7d9cfd33d6f140f43b4ae890ba62bd5fa3eb1dee16c184e8d921c/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-18 06:03:18 UTC
File Type:
PE+ (Exe)
AV detection:
9 of 25 (36.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k4vlrkcyw7m47uz5n4ka6q5uv2eqxjrl2x5d5mo64fwbqtunsioa._file
Verdict:
unknown
Similar samples:
0d272083d39759e5b5408290740e598bd7df649d5a3db280543b56eaa3637454
37b90013b2b05efd0ff943fb6b3173bc802d5cc7eb0d24801ee5c298f30b5b3d
58591d220d48fbc565054766db000c1d14250a02c160bfe86370877441e5d2da
62061f2ff5f75c7450260f161c0adfc52622c8aa09bb461d594b151ce1fb47b0
804826c7da65f0ef6aba984fc65cd2e701f4d26ef52fedd3dcea5808c4c70542
b7e70119bad5c9fcd84035b4b9064911f45f0e95a2ec4a84b0ee10105d541055
c7d11c958c790562daf2522a05d7ba39e0c013e810f51ff2013af571d9394679
ceb3007d4015dd96043315cd91f6c4ff82da1b206921311c8833d76947e92702
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/230219-vnj2vsfe5t/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
572ab8a858b7d9cfd33d6f140f43b4ae890ba62bd5fa3eb1dee16c184e8d921c
MD5 hash:
f9f112479af939c79af58d8470bbbcbc
SHA1 hash:
351650af37d4f119fe7c58710f8f3047b6878e1b
Link:
https://www.unpac.me/results/23b42965-4f64-4bb2-ab5e-889e6f91d696/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/572ab8a858b7d9cfd33d6f140f43b4ae890ba62bd5fa3eb1dee16c184e8d921c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 572ab8a858b7d9cfd33d6f140f43b4ae890ba62bd5fa3eb1dee16c184e8d921c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2469977/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/368239/

Comments