MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59276c49519ebd5194b95622c1c81d4b2c45d14eb6b07ea6d9f2b37c9c7bbf93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 59276c49519ebd5194b95622c1c81d4b2c45d14eb6b07ea6d9f2b37c9c7bbf93
SHA3-384 hash: c191f2ea23387fc13cf9de12a912a0855ec2d79d2d0a5ade0d91bb2639b771e057eea5d4253c81cc1ad4476eb2f100db
SHA1 hash: 3d68b200bd4b3a1babe669aafca5a9e1fbd4027d
MD5 hash: a62e518b9ccc56434abadd61d481b43a
humanhash: leopard-apart-cola-dakota
File name: file
File size: 3'226'656 bytes
First seen: 2022-11-27 16:39:07 UTC
Last seen: 2023-08-26 21:37:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 033fc3209214566af0e06e5863a94256 (5 x CryptOne)
ssdeep: 98304:oeZB+BfKEuCiGWcABPGd7kL/opm3DuWqJSeJl:V1x0sBPGdYjB3DIn
Threatray: 1'948 similar samples on MalwareBazaar
TLSH: T179E523027BC54473D26329339B62B725CE3EE9615F65C8CBF344896CFA306C16A32766
TrID:
  88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
  0.9% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter: jstrosch
Tags: exe signed

Code Signing Certificate

Organisation: win.rar GmbH
Issuer: GlobalSign CodeSigning CA - SHA256 - G3
Algorithm: sha256WithRSAEncryption
Valid from: 2020-08-25T13:42:07Z
Valid to: 2023-08-26T13:42:07Z
Serial number: 731d40ae3f3a1fb2bc3d8395
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 66db1c86d38273627c837f4638122fa88bbffff31c4052115b98caf6ce0c631e
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 161
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9887e7a708b4fc3a91114f78ebfd8dcc2d5149fd9c3657872056ca3e5087626d.iso
Verdict: Malicious activity
Analysis date: 2022-08-02 18:20:50 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Verdict: Unknown
Threat level: n/a -.1/10
Confidence: 100%
Tags: anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: clean
Classification: rans
Score: 16 / 100
Signature
Writes a notice file (html or txt) to demand a ransom
Behaviour
Behavior Graph: n/a

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Gathering data

Unpacked files
SHA256 hash: a093cf9a95b3c6e6f72beecf3f095dddee8a73420e07bd2a1663a9ebddeca136
MD5 hash: 58476a4da7eb97e426318e11aba61afe
SHA1 hash: 64290ea794ee748529e35f5e7b6bfe35c74550a5

SHA256 hash: 59276c49519ebd5194b95622c1c81d4b2c45d14eb6b07ea6d9f2b37c9c7bbf93
MD5 hash: a62e518b9ccc56434abadd61d481b43a
SHA1 hash: 3d68b200bd4b3a1babe669aafca5a9e1fbd4027d

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: QbotStuff
Author: anonymous

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 59276c49519ebd5194b95622c1c81d4b2c45d14eb6b07ea6d9f2b37c9c7bbf93 (this sample)
Delivery method: Distributed via web download
