MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 602d6da9c868e03a403ab4df6704d42cc94d8b960fb5fd38575be1a5d2da327c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 602d6da9c868e03a403ab4df6704d42cc94d8b960fb5fd38575be1a5d2da327c
SHA3-384 hash: 03cb57799b3dd97976f7d28bf62744808a0c8079abd1bbaf1f9ccab5ad56c194d7194bb202c43966203c72e543be620a
SHA1 hash: ed64a3dd1e1f3b8aec79bd14090ff1516e7a838d
MD5 hash: a3fc86696512a68337f2f98fb7d4dbb5
humanhash: whiskey-mike-undress-autumn
File name:a3fc86696512a68337f2f98fb7d4dbb5.exe
Download: download sample
File size:4'337'680 bytes
First seen:2024-08-18 12:43:49 UTC
Last seen:2024-08-18 13:36:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9fcfb15a5aa9fa0f3b761a2696ae772 (4 x RiseProStealer, 1 x PrivateLoader)
ssdeep 98304:CThmo0NPxyNdYIsb1bJggN8ykRRdNHn460XS3JOH6K:CTx09xyNdYWs8y+RdNH/0vaK
Threatray 5 similar samples on MalwareBazaar
TLSH T13C1633123894E4DDECC1CA71DA1DE4F68A23BC5EC9361457769E3F267BB386C0396A10
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f9b17165351d1d8d (2 x RedLineStealer, 1 x Vidar, 1 x PrivateLoader)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
343
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
https://shurll.com/2sHSc8
Verdict:
Malicious activity
Analysis date:
2024-08-02 13:15:23 UTC
Tags:
evasion privateloader stealer loader amadey botnet redline metastealer risepro themida
Link:
https://app.any.run/tasks/606cdcb7-0394-49da-808e-ef87253be131

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDrop28.1514.12307.27363.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c1ec97aa5b40be0aa071a0
Tags:
Execution Generic Network Stealth Malware
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm installer lolbin microsoft_visual_cc packed packed shell32 themidawinlicense virus
Link:
https://www.filescan.io/uploads/66c1ec95d07f13198dd359fa/reports/2c2b753f-4218-4d40-9b95-ec0d3fe0385c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/602d6da9c868e03a403ab4df6704d42cc94d8b960fb5fd38575be1a5d2da327c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2dca0b7c-411e-431a-81d4-6d7d8a9f525c
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1494481
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1494481 Sample: ozA28PDMTu.exe Startdate: 18/08/2024 Architecture: WINDOWS Score: 100 51 Suricata IDS alerts for network traffic 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 7 ozA28PDMTu.exe 1 17 2->7         started        12 jewkkwnf.exe 2->12         started        14 jewkkwnf.exe 2->14         started        16 3 other processes 2->16 process3 dnsIp4 49 77.105.164.24, 49710, 49712, 50505 ICOMF-ASRU Russian Federation 7->49 41 C:\...\ozA28PDMTu.exebagQx7UUiFdhOOZn (copy), PE32 7->41 dropped 43 C:\Users\user\Desktop\ozA28PDMTu.exe, PE32 7->43 dropped 45 C:\Users\user\AppData\...\PowerExpertNNT.exe, PE32 7->45 dropped 47 6 other malicious files 7->47 dropped 59 Multi AV Scanner detection for dropped file 7->59 61 Query firmware table information (likely to detect VMs) 7->61 63 Machine Learning detection for dropped file 7->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 7->65 18 ozA28PDMTu.exe 1 7->18         started        21 schtasks.exe 1 7->21         started        23 schtasks.exe 1 7->23         started        67 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->67 69 Hides threads from debuggers 12->69 71 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->71 73 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 14->73 25 ExtreamFanV6.exe 16->25         started        27 ExtreamFanV6.exe 16->27         started        29 PowerExpertNNT.exe 16->29         started        31 2 other processes 16->31 file5 signatures6 process7 file8 39 C:\Users\user\AppData\...\ozA28PDMTu.exe.log, ASCII 18->39 dropped 33 ozA28PDMTu.exe 1 18->33         started        35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/602d6da9c868e03a403ab4df6704d42cc94d8b960fb5fd38575be1a5d2da327c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/602d6da9c868e03a403ab4df6704d42cc94d8b960fb5fd38575be1a5d2da327c/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-08-01 23:14:00 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=maww3koindqduqb2wtpwobgufteu3c4wb6272ocxlpq2luw2gj6a._file
Verdict:
malicious
Similar samples:
6ccb73967f66acd2af71b4d41a7b5f3755f04d1adba41bafc573f8c1cc14c26a
c955b3b1da4142b077f791749db32f9a871e62c503b421dc8fc061ac3ad71025
e9e2b36855a104b566a9bcdf118a692539c364538fb1822b1d4267cfb3a6cd43
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence themida trojan
Link:
https://tria.ge/reports/240818-pygrlatele/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/72d1e700-a374-4159-807a-1c1ee04f50d1
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/860251d2-3f9b-44df-b47d-c6b4aca9f230/
SH256 hash:
8533dee5c4682f81316561e008885c7752cea2f8765695a895e6a12dfb63faf0
MD5 hash:
7d961f59d801cf3a4d298a1834179c4c
SHA1 hash:
704059d8a5b57b716ba9ff1698e881154b0408c9
Link:
https://www.unpac.me/results/860251d2-3f9b-44df-b47d-c6b4aca9f230/
SH256 hash:
602d6da9c868e03a403ab4df6704d42cc94d8b960fb5fd38575be1a5d2da327c
MD5 hash:
a3fc86696512a68337f2f98fb7d4dbb5
SHA1 hash:
ed64a3dd1e1f3b8aec79bd14090ff1516e7a838d
Link:
https://www.unpac.me/results/860251d2-3f9b-44df-b47d-c6b4aca9f230/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/602d6da9c868e03a403ab4df6704d42cc94d8b960fb5fd38575be1a5d2da327c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameA

Comments