MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dae5aaedb99aa87206c300d214cbf2362ecd437ea3c02f3e4099fd4876cf393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5dae5aaedb99aa87206c300d214cbf2362ecd437ea3c02f3e4099fd4876cf393
SHA3-384 hash: d402ba96d8fbdd60562a002e51590c777251940eb4258959c75a74e326a82974f9697e818185d7f1a591dd7d16972c70
SHA1 hash: 9a3d3a13908e439a8f68b1f18eac1c542ceb911d
MD5 hash: db1388e3daae1651d4c277afb553efa3
humanhash: item-magnesium-florida-crazy
File name:db1388e3daae1651d4c277afb553efa3.exe
Download: download sample
File size:15'776'016 bytes
First seen:2023-02-22 15:05:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6e51dda1622035b42b177c9afe67c30
ssdeep 393216:2DNFawbhV8d98JgLoZOUcryo8mRHVu3yRmazVNEJb2wo2uQFP:2DNFFVe7Wqyo8mBsiRIZVFP
Threatray 14 similar samples on MalwareBazaar
TLSH T1A2F60217ADA9CC6CC9A384331092C397D20AD18DAE0DDB9F13B11945CEE496B5F12BED
TrID 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 164e6d0d9c4c272c
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
db1388e3daae1651d4c277afb553efa3.exe
Verdict:
Malicious activity
Analysis date:
2023-02-22 15:07:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5f0aa163-0eef-44e1-9fbd-5248ac55c259

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Downloader.Driverpack-6717506-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72259/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
anti-debug javadropper overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63f62f5cd385ee58585034ee/reports/ecd2cf8e-f988-4ede-b37a-ab0633a508c6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5dae5aaedb99aa87206c300d214cbf2362ecd437ea3c02f3e4099fd4876cf393
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2fb65966-9478-4f76-ac13-e5ae0c7612c4
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
troj
Score:
28 / 100
Link:
https://www.joesandbox.com/analysis/1180691
Signature
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813517 Sample: MBVsaJxUJ4.exe Startdate: 22/02/2023 Architecture: WINDOWS Score: 28 30 Uses known network protocols on non-standard ports 2->30 8 MBVsaJxUJ4.exe 2->8         started        process3 process4 10 javaw.exe 4 8->10         started        process5 12 javaw.exe 48 10->12         started        16 icacls.exe 1 10->16         started        dnsIp6 24 disepvp.ee 84.50.154.59, 49714, 9274 ESTPAKEE Estonia 12->24 26 127.0.0.1 unknown unknown 12->26 28 192.168.2.1 unknown unknown 12->28 20 C:\Users\user\...\discord_game_sdk_jni.dll, PE32 12->20 dropped 22 C:\Users\user\...\discord_game_sdk.dll, PE32 12->22 dropped 18 conhost.exe 16->18         started        file7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5dae5aaedb99aa87206c300d214cbf2362ecd437ea3c02f3e4099fd4876cf393/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwxfvlw3tgvioidmgagsctf7enrozvbx5i6af47ebgp5jb3m6ojq._file
Verdict:
unknown
Similar samples:
0ead50b6e178331dc5e0ed73d4080afd8682f12358730c0d7ae62a95be167e52
5053f7a18f78763456267484fe3787e2502c64d8a8f2c2036d5bfeca60ca96e2
767a951ea1f41e10287199d95ffed5a84a94e1d33d82d519c91db89d37941f42
7d99d9dc8e69d9adc8bf0f44170eef5fe06ed8b58560b432c7349924cc74e591
8dc5d35e7f0a75f8a864ce2a569ac1cc3825521bcd269e5bc2ee7e6ce40c3fae
9b1af42072b91c504d9298d5938b8b5976a4ed4326484e9559a931a1173ee466
c2dcc646a68381f519b6461c54129e0b4ec5efc0125c382f75c67341cecd2f2e
db3dec6fc542d0d1e7e00233812984c3698a54bcc2a4d124e0a7075794e162c5
e034f070ece091bfb23daacd153f9121030abd88a2349c00c3f7f4aba176dd8b
fe317007a64424dc6161dae1c8f7a84542170ab100f5bbd12d7c9b995ec0acac
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230222-sgq6gscc32/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
5dae5aaedb99aa87206c300d214cbf2362ecd437ea3c02f3e4099fd4876cf393
MD5 hash:
db1388e3daae1651d4c277afb553efa3
SHA1 hash:
9a3d3a13908e439a8f68b1f18eac1c542ceb911d
Link:
https://www.unpac.me/results/78300a13-2c77-4349-a200-5a966c84af06/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/5dae5aaedb99aa87206c300d214cbf2362ecd437ea3c02f3e4099fd4876cf393

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments