MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6333176aeff8e8bcf4afa893729e2264bd29ed4db5d0b8211eb92a4844b4002e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6333176aeff8e8bcf4afa893729e2264bd29ed4db5d0b8211eb92a4844b4002e
SHA3-384 hash: f649d7525bd6d52bcec53c28c9beb9509524f09ef2ee642e41742c6c37ed7b42e3c49a9ee1348e62aa02bbe44fa9215b
SHA1 hash: 098dd17322c2d231146b5ea08246ecd6ffedec7d
MD5 hash: c4b9d83a65b7a0b05d7d24d4abcb29ae
humanhash: jupiter-skylark-six-bulldog
File name:c4b9d83a65b7a0b05d7d24d4abcb29ae
Download: download sample
File size:1'672'846 bytes
First seen:2023-06-03 22:10:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:UTbBv5rUe0cjGq9uFHK6c71E0GHSjLXFso0heHhv1ekNr2r0hspaAcKEYMI9IulL:mBJLSfo6i1IHSjrFs+vRngaAcwMItf
Threatray 2'660 similar samples on MalwareBazaar
TLSH T10B751242BAD1A8B2D4631C365A666B20AA7C7C300FB48DCF53D07A5DEE315C1E7317A6
TrID 53.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
39.8% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
2.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f0e0f22abae6e074 (3 x Formbook, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c4b9d83a65b7a0b05d7d24d4abcb29ae
Verdict:
Malicious activity
Analysis date:
2023-06-03 22:11:22 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/4bd190f4-d732-451c-903f-639b968fa0f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/395357/
Detection(s):
Win.Dropper.Formbook-9980566-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Creating a process from a recently created file
DNS request
Creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/89264/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm autoit cmd.exe greyware keylogger lolbin overlay packed setupapi.dll shdocvw.dll shell32.dll wscript wscript.exe
Link:
https://www.filescan.io/uploads/647bba7974f7e6e51869332a/reports/3b4bcfa5-1b04-45ba-850e-983ee00488f4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/6333176aeff8e8bcf4afa893729e2264bd29ed4db5d0b8211eb92a4844b4002e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b992b76d-6c97-4926-965e-b58fc40c72bb
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1248262
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Connects to many ports of the same IP (likely port scanning)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM autoit script
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 881283 Sample: hZq3rN1gSa.exe Startdate: 04/06/2023 Architecture: WINDOWS Score: 100 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected AntiVM autoit script 2->56 58 .NET source code contains potential unpacker 2->58 60 5 other signatures 2->60 9 hZq3rN1gSa.exe 86 2->9         started        process3 file4 48 C:\Users\user\AppData\Local\...\fjxcrdcio.xl, PE32 9->48 dropped 66 Starts an encoded Visual Basic Script (VBE) 9->66 13 wscript.exe 1 9->13         started        signatures5 process6 process7 15 cmd.exe 1 13->15         started        17 cmd.exe 1 13->17         started        20 cmd.exe 1 13->20         started        signatures8 22 fjxcrdcio.xl 1 4 15->22         started        26 conhost.exe 15->26         started        52 Uses ipconfig to lookup or modify the Windows network settings 17->52 28 conhost.exe 17->28         started        30 ipconfig.exe 1 17->30         started        32 conhost.exe 20->32         started        34 ipconfig.exe 1 20->34         started        process9 file10 46 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 22->46 dropped 64 Multi AV Scanner detection for dropped file 22->64 36 RegSvcs.exe 22->36         started        40 mshta.exe 22->40         started        42 mshta.exe 22->42         started        44 5 other processes 22->44 signatures11 process12 dnsIp13 50 explore.ddns.net 213.152.161.211, 35919, 35920, 35921 GLOBALLAYERNL Netherlands 36->50 62 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->62 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6333176aeff8e8bcf4afa893729e2264bd29ed4db5d0b8211eb92a4844b4002e/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2023-06-03 22:11:06 UTC
File Type:
PE (Exe)
Extracted files:
114
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmzro2xp7dulz5fpvcjxfhrcms6st3knwxilqii6xeveqrfuaaxa._file
Verdict:
malicious
Similar samples:
136f87c6d9a1b61c87ba550c7f550e54d66a1b51dab1c803c43705f178ed9e55
4505a80b468e6816046c95f93fa332409314ec77d790aa07ed68d4b481feed7b
51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25
60f3966c3a1984024b515a62c1dce029717182dc7a8c7e02b13bc9e5d366fb38
6c50963cb2f68cba3949a030f3e9520c239f096d22de4f104670588758dd9d26
715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6
ee0fac5b1ab0a1e4c8efadea7919f8f1105d0928ca3a7c359a65af0246e06cf1
+ 2'650 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230603-13xjdsag4t/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
6333176aeff8e8bcf4afa893729e2264bd29ed4db5d0b8211eb92a4844b4002e
MD5 hash:
c4b9d83a65b7a0b05d7d24d4abcb29ae
SHA1 hash:
098dd17322c2d231146b5ea08246ecd6ffedec7d
Link:
https://www.unpac.me/results/b7a31dea-ae84-425d-8339-b11af01279f4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6333176aeff8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6333176aeff8e8bcf4afa893729e2264bd29ed4db5d0b8211eb92a4844b4002e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6333176aeff8e8bcf4afa893729e2264bd29ed4db5d0b8211eb92a4844b4002e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2651551/
Cape
Cape
https://www.capesandbox.com/analysis/395357/

Comments


Avatar
zbet commented on 2023-06-03 22:10:54 UTC

url : hxxps://api.filedoge.com/download/7e8e3c8b54a3dd86e1b6afb3300169b0f41449d860921fef25d1038c26215f3f6f88efa1616203fc5b51/