MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 591c4b18225fb41ce754ffc0bb30d7cda046f768469470da4757c04613ec00ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 9

SHA256 hash: 591c4b18225fb41ce754ffc0bb30d7cda046f768469470da4757c04613ec00ed
SHA3-384 hash: d4208bbea9b6872a92667ab24b339ea1b709fe5e5f6a80f9e441a412a70cd5265a9d8c99a8ea9c131202e639d0a24db1
SHA1 hash: 5167c7e242b76f4338f35fbf2b7352d278f65148
MD5 hash: 899c63ad442ad628054c96ec16c6049f
humanhash: seventeen-butter-alabama-mars
File name: 899c63ad442ad628054c96ec16c6049f
File size: 2'826'240 bytes
First seen: 2022-12-29 08:50:56 UTC
Last seen: 2022-12-29 10:38:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 612edbc3b53f6e607818891b34ab969c
ssdeep: 49152:NOhkDcRTciEZoO5gECCKptLWi2BrR82f3/9huZrDCKgJPyYpVXn:NnDAZCGLWi2BtTf3/uZrDMP7p
Threatray: 4 similar samples on MalwareBazaar
TLSH: T1BCD58D32FB149531E68101B2E80C5B6BCE6D953A07BD00D3E3E51F6964A0AE3E735B97
TrID:
  38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
  4.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: a296f8f8e8ec9282
Reporter: zbetcheckin
Tags: 32 exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 181
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 899c63ad442ad628054c96ec16c6049f
Verdict: Suspicious activity
Analysis date: 2022-12-29 08:51:17 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Launching a process
Creating a file

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware hacktool keylogger packed

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 52 / 100

Signature
Contains functionality to inject threads in other processes
Multi AV Scanner detection for submitted file

Behaviour
Behavior Graph:
Behavior Graph ID: 775290; Sample: L4xwJI8fK8.exe; Startdate: 29/12/2022; Architecture: WINDOWS; Score: 52. Process tree: L4xwJI8fK8.exe started cmd.exe (two instances) and conhost.exe; one cmd.exe instance started mode.com. Signatures attached to the graph: "Multi AV Scanner detection for submitted file" (on the sample) and "Contains functionality to inject threads in other processes" (on the L4xwJI8fK8.exe process).
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2022-12-29 08:51:15 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 9 of 26 (34.62%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a

Behaviour
Suspicious use of WriteProcessMemory

Unpacked files
SHA256 hash: 9b3b9257bebad591bbc3a1a8b0c392f299ba91c4188110e3956a34037fae001c
MD5 hash: a4d102b19793931dfaab9c32677e45a6
SHA1 hash: 4ef60d1959746c032ffc4c5f0ab3380b39b9772d

SHA256 hash: f5590489ddb21fd3feb0f58220751a6a16b410de2725d73d6cb3366401034d37
MD5 hash: e92345b691f65d9bffcbad688f722d2f
SHA1 hash: e64061036dc8fecbdb702614589d6ac35626840c

SHA256 hash: 591c4b18225fb41ce754ffc0bb30d7cda046f768469470da4757c04613ec00ed
MD5 hash: 899c63ad442ad628054c96ec16c6049f
SHA1 hash: 5167c7e242b76f4338f35fbf2b7352d278f65148

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: Base64_decoding
Author: iam-py-test
Description: Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 591c4b18225fb41ce754ffc0bb30d7cda046f768469470da4757c04613ec00ed (this sample)

Delivery method
Distributed via web download

Comments

zbet commented on 2022-12-29 08:51:03 UTC

url: hxxp://cdn.unduhfile.my.id/tigerking.exe