MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61845568bb072984b6dba5151ede3969440736a7d7d674de0137ca4b7b8ab6e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: 61845568bb072984b6dba5151ede3969440736a7d7d674de0137ca4b7b8ab6e4
SHA3-384 hash: e080cb508f1ec622b1a1a2c44e1502b470b2dc212e631a03cea8a67eade39435b01ac86e80fc204c2759a29e9684945a
SHA1 hash: 18ab5973145dd016c34d536e2ac9a750592187bc
MD5 hash: bffb13fc28cabed46313b33d437f0f90
humanhash: sixteen-fourteen-lima-berlin
File name: [PDF]-Maintenance-Re_hjZpegiO.exe
File size: 7'489'090 bytes
First seen: 2022-07-25 08:54:24 UTC
Last seen: 2022-07-25 09:52:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: da86ff6d22d7419ae7f10724a403dffd (1'679 x GCleaner, 1 x Socks5Systemz)
ssdeep: 196608:HZ8BLPt2zK/vLp3PO1KLpDFdfI9mekSWf:HOt2zKdIKL/dwAe1+
Threatray: 94 similar samples on MalwareBazaar
TLSH: T1E976334CB95CC8F5C5B3C2F4FA0E1701422B7BB18EC656CA9B490916E53F39B985A78C
TrID:
  81.0% (.EXE) Inno Setup installer (109740/4/30)
  10.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
  1.4% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 686c74f4c2e8e4c0 (1 x LummaStealer)
Reporter: abuse_ch
Tags: exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 254
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file in the Windows subdirectories
Moving a file to the Windows subdirectory
Modifying a system file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Result
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: greyware overlay packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 672731): sample [PDF]-Maintenance-Re_hjZpegiO.exe, start date 25/07/2022, architecture WINDOWS, score 48. Process tree, dropped files, signatures and network contacts as recorded in the graph (paths abbreviated with "..." on the page):
[PDF]-Maintenance-Re_hjZpegiO.exe (started; signature: Machine Learning detection for dropped file)
  dropped: C:\Users\user\AppData\Local\...\is-69UM5.tmp (PE32)
  started: is-69UM5.tmp
    dropped: C:\Program Files (x86)\...\AutoBackup.exe (PE32)
    dropped: C:\...\AutoBackup.exe.manifest (copy) (XML)
    dropped: C:\Windows\SysWOW64\is-QCJDB.tmp (PE32)
    dropped: 12 other files (none is malicious)
    signature: Uses schtasks.exe or at.exe to add and modify task schedules
    started: AutoBackup.exe
      network: 188.114.96.3 port 80 (local port 49824), CLOUDFLARENETUS, European Union
      network: idtetangede.cf 188.114.97.3 port 80 (local port 49770), CLOUDFLARENETUS, European Union
      started: WerFault.exe (two instances)
    started: AutoBackup.exe (second instance)
      started: WerFault.exe (three instances)
    started: schtasks.exe
      started: conhost.exe
Result
Threat name: Win32.Trojan.Ekstak
Status: Malicious
First seen: 2022-07-25 08:55:08 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 11 of 26 (42.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 6e29c2c471aa6323bcecddfe47dc3bf65a2c74d88acd513126e7383001d1f141
MD5 hash: 4c424b3f08f1161705991d17450eac70
SHA1 hash: b4e3e5c1fe8ed5ead8950163d224be886f07e9ad

SHA256 hash: de6a9d52bc7ce2ad78c63ac24c1b33e5664c52ea9b61e4c90708f941cd0dc5ce
MD5 hash: 250afc0033e9ba5c35d25043a408bd49
SHA1 hash: ebfcb95653d3b6cd53a9c57707295b4f5ccb73ed

SHA256 hash: b767035092bbee2b1f0b05015a3eb9b02701046da89372c1480cfd2a6e66ea69
MD5 hash: 433db239e8ec8108ecb3980dbe2084fd
SHA1 hash: 10bc609065fff475a19e93f54cc35c84a99fc5b2

SHA256 hash: 61845568bb072984b6dba5151ede3969440736a7d7d674de0137ca4b7b8ab6e4 (the submitted sample itself)
MD5 hash: bffb13fc28cabed46313b33d437f0f90
SHA1 hash: 18ab5973145dd016c34d536e2ac9a750592187bc
Please note that we are no longer able to provide a coverage score for VirusTotal.
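The indicators this entry records, turned into something checkable, as an added example that is not MalwareBazaar's own code and not part of the page: the hashes and size from the file information block become a record to verify a local copy of the sample against, and the dropped-file paths, scheduled-task use and network contacts from the behaviour graph become matching rules run over constructed endpoint events. The event format, the directory names the page elides ("Temp", "AutoBackup"), the benign control events and their addresses are all assumptions of the example.

```python
"""Added example, not part of the MalwareBazaar page or its tooling: this
entry's indicators as a checkable record, a hash check for a local copy of
the sample, and the behavioural indicators run over constructed events."""
import hashlib
from fnmatch import fnmatchcase

# Digests and size copied from the entry's file information block.
RECORD = {
    "sha256": "61845568bb072984b6dba5151ede3969440736a7d7d674de0137ca4b7b8ab6e4",
    "sha3_384": "e080cb508f1ec622b1a1a2c44e1502b470b2dc212e631a03cea8a67eade39435"
                "b01ac86e80fc204c2759a29e9684945a",
    "sha1": "18ab5973145dd016c34d536e2ac9a750592187bc",
    "md5": "bffb13fc28cabed46313b33d437f0f90",
    "size": 7489090,
}

# Network indicators from the sandbox behaviour graph. Both IPs are Cloudflare
# (CLOUDFLARENETUS) edge addresses shared by many unrelated sites, so the domain
# is the high-fidelity indicator and an IP-only hit is just a lead.
C2_DOMAINS = {"idtetangede.cf"}
C2_IPS = {"188.114.96.3", "188.114.97.3"}

# Dropped-file locations from the behaviour graph. The page abbreviates the
# middle of each path with "...", kept here as a wildcard (patterns are
# lower-case and matched against lower-cased event paths).
DROP_PATTERNS = [
    r"c:\users\*\appdata\local\*\is-*.tmp",
    r"c:\program files (x86)\*\autobackup.exe",
    r"c:\windows\syswow64\is-*.tmp",
]


def compute_hashes(data: bytes) -> dict:
    """The four digests the entry records, plus the byte size."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


def verify_sample(data: bytes, record: dict = RECORD) -> dict:
    """Per-field comparison of local bytes against the record. All True means
    these are the bytes the entry describes; a mix of True and False means the
    file or the record is inconsistent and neither should be trusted."""
    got = compute_hashes(data)
    return {field: got[field] == expected for field, expected in record.items()}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def match_events(events: list) -> list:
    """Return (indicator, value) hits. The event shapes are an assumption of
    this example, not a MalwareBazaar format: file_create{path},
    process{image, parent}, network{dst_ip, dns}."""
    hits = []
    for ev in events:
        if ev["type"] == "file_create":
            if any(fnmatchcase(ev["path"].lower(), pat) for pat in DROP_PATTERNS):
                hits.append(("dropped_file", ev["path"]))
        elif ev["type"] == "process":
            # The graph shows schtasks.exe launched by the Inno Setup stub
            # is-69UM5.tmp; flag scheduler use from any is-*.tmp parent.
            if (_basename(ev["image"]) in ("schtasks.exe", "at.exe")
                    and fnmatchcase(_basename(ev["parent"]), "is-*.tmp")):
                hits.append(("schtasks_from_installer_stub", ev["parent"]))
        elif ev["type"] == "network":
            if ev.get("dns") in C2_DOMAINS:
                hits.append(("c2_domain", ev["dns"]))
            elif ev.get("dst_ip") in C2_IPS:
                hits.append(("c2_ip_low_fidelity", ev["dst_ip"]))
    return hits


# Constructed events modelled on the behaviour graph. The directory names
# "Temp" and "AutoBackup" are assumptions; the page elides them.
EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\user\AppData\Local\Temp\is-69UM5.tmp"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\is-69UM5.tmp"},
    {"type": "file_create",
     "path": r"C:\Program Files (x86)\AutoBackup\AutoBackup.exe"},
    {"type": "network", "dst_ip": "188.114.97.3", "dst_port": 80,
     "dns": "idtetangede.cf"},
    {"type": "network", "dst_ip": "188.114.96.3", "dst_port": 80, "dns": None},
    # Benign controls that must not match: scheduler use from the shell and
    # an internal connection (constructed addresses).
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "network", "dst_ip": "10.0.0.5", "dst_port": 443,
     "dns": "intranet.example"},
]

if __name__ == "__main__":
    for indicator, value in match_events(EVENTS):
        print(indicator, value)
    print(verify_sample(b"constructed bytes, not the sample"))
```

Two caveats worth keeping in mind when pivoting from this entry. The imphash (shared with 1'679 GCleaner samples) is computed from the import table, and for an Inno Setup installer that is the installer stub's import table rather than the payload's, so it clusters packaging, not behaviour; the four digests, the dropped-file names and the domain are the indicators to act on. And because both addresses sit on Cloudflare's edge, an IP-only match is deliberately reported at low fidelity above, while the DNS name is treated as the real hit.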
