MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 628d1584a744b33d32ac8291ce235f1d389dfaaa4bc45a15826f02e34cc32e16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 628d1584a744b33d32ac8291ce235f1d389dfaaa4bc45a15826f02e34cc32e16
SHA3-384 hash: 6e57c537ed1636f1701c4ee95752e2063351a2b13a68743e7c9390cc99cc24886d189c65507a888c30a4ba3d87c8d001
SHA1 hash: 3ea0868446a89a5d0298bfaccaa7e7668f5d83f2
MD5 hash: 90ec31759eed5148fd4a3c58b16ccc8a
humanhash: beer-carpet-double-robin
File name:file.exe
Download: download sample
File size:320'608 bytes
First seen:2023-05-11 18:20:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ddcccd7f5247e71ea0dafd9c36729ea1 (2 x RedLineStealer, 1 x Formbook)
ssdeep 6144:Qcg/LqEqjH3Ucm+ugP3bjhUcXo9O+JkMaQ6Q4X:Qc+FoUcm+VLjmfwEkMX6QQ
Threatray 15 similar samples on MalwareBazaar
TLSH T12164AE03F6858475F477983C0CECD97196A864352B5F58E7B3C8262E793E7E2A53830A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
No threats detected
Analysis date:
2023-05-11 18:21:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/655407eb-3f98-4b21-b97a-d8166af67823

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388460/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.25226.14461.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83542/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/645d3211b87853d1e17b65c4/reports/173898b9-5215-453c-a43c-7603e9891046/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/628d1584a744b33d32ac8291ce235f1d389dfaaa4bc45a15826f02e34cc32e16
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c89cf5df-4480-4bce-a254-2d711b33d872
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1231198
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 864185 Sample: file.exe Startdate: 11/05/2023 Architecture: WINDOWS Score: 60 13 Multi AV Scanner detection for submitted file 2->13 6 file.exe 1 2->6         started        process3 signatures4 15 Writes to foreign memory regions 6->15 17 Allocates memory in foreign processes 6->17 19 Injects a PE file into a foreign processes 6->19 9 conhost.exe 6->9         started        11 AppLaunch.exe 6->11         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/628d1584a744b33d32ac8291ce235f1d389dfaaa4bc45a15826f02e34cc32e16/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-11 18:21:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkgrlbfhiszt2mvmqki44i27du4j36vkjpcfufmcn4bogtgdfyla._file
Verdict:
unknown
Similar samples:
001f9d34e694a3d6e301a4e660f2d96bc5d6aa6898f34d441886c6f9160d9e48
1d11c985ab456d176302f4102a0391047843779b5dec3f38139e718e6d785600
348f79dc98ed91d11dea91d8295eac25cbd8a67daaa52ab0120708d2c7bde40c
3fe6c3edb6593444aaed9ae78a6164a3c98a10a32012d32c35ca4aa987db2c61
563aedec5563a6139918e8871cc2e7e784a3bf13d0873186f67e0b24463f4f8a
a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e677e003d3adf74f4e9ec
c9deeda7cd7adb4ff584d13ea64cdb50c9e8b5c616f1dff476f372e86c9b9be6
cf68ac02858c0053067b47b24338b564aeb92f25310765a2bad8928174285a62
db9a6efd5d64ba0ba1783c51b6d430873518fa032bf5265c6837c7674321e183
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230511-wzbqasha67/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
8535f0cf617a2a91a176485760c012ed6b3efe6da36f18a621fa50d9eb76d515
MD5 hash:
72ec72a83fa438fa20b422e2655e3ff9
SHA1 hash:
f72ba83bb7782f8650f96e427a3242bf511d479e
Link:
https://www.unpac.me/results/72b3d93b-0965-4c31-906a-6da175b898a8/
SH256 hash:
628d1584a744b33d32ac8291ce235f1d389dfaaa4bc45a15826f02e34cc32e16
MD5 hash:
90ec31759eed5148fd4a3c58b16ccc8a
SHA1 hash:
3ea0868446a89a5d0298bfaccaa7e7668f5d83f2
Link:
https://www.unpac.me/results/72b3d93b-0965-4c31-906a-6da175b898a8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/628d1584a744/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/628d1584a744b33d32ac8291ce235f1d389dfaaa4bc45a15826f02e34cc32e16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/388460/

Comments