MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63d22571866c5f1d9eedc6ebd283f7a2c657b540c77519b30c9953ec5ac436e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkWatchman


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63d22571866c5f1d9eedc6ebd283f7a2c657b540c77519b30c9953ec5ac436e0
SHA3-384 hash: b77b9478f369a0e7070fc429d815b1f5169e2e29b30b8ae68b95437d8b8aea6a4e42570680d25d43428b7b688c38a2b4
SHA1 hash: b91748417ff1fdc72e61b1176d9e8c9dc8cd75af
MD5 hash: 326cf130af4754ee9c6e6cc8c7e802c8
humanhash: fourteen-harry-london-illinois
File name:Счет 12418-21 от 30.12.2021.exe
Download: download sample
Signature DarkWatchman
Create hunting rule
File size:228'488 bytes
First seen:2022-01-31 04:17:20 UTC
Last seen:2022-01-31 06:17:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9422d8f1b75bb5b0336087bbf87775ee (2 x ArkeiStealer, 1 x RedLineStealer, 1 x DarkWatchman)
ssdeep 3072:ETodjgdfdwkW30jfqg5XPXdXyYOkQCPT3LCKt/t:EToJgtIq5XLQCPqot
Threatray 4'185 similar samples on MalwareBazaar
TLSH T1D324BE42B680C472C44705745974C2226A3EFF361C69C98777AB7E2FAF313C1696AF0A
File icon (PE):PE icon
dhash icon 78d888c898a89098 (4 x QuasarRAT, 4 x DarkWatchman, 1 x Loki)
Reporter abuse_ch
Tags:DarkWatchman exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Счет 12418-21 от 30.12.2021.exe
Verdict:
Malicious activity
Analysis date:
2022-01-31 04:24:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/81733600-15c6-43a3-9fd5-d31e7ea016cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/228263/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.38783.16209.1787.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Creating a file
Moving a file to the %temp% directory
Launching a process
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5561/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult exploit greyware overlay packed qbot
Link:
https://www.filescan.io/uploads/61f762fcd7fd65ae55fa58d4/reports/8e7f81a3-2da2-432d-bc3e-ef1f441ee2f6/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9117945b-d2ed-48ca-8419-82ba530728b3
Result
Threat name:
DarkWatchman
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930519
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63d22571866c5f1d9eedc6ebd283f7a2c657b540c77519b30c9953ec5ac436e0/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 01:03:36 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpjck4mgnrpr3hxny3v5fa7xuldfpnkay52rtmymtfj6ywweg3qa._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
DarkWatchman
623027463a2ef70f60ff6a0991019847a3fb24da3b633b52da4a99a77c99f92b
DarkWatchman
62540ba573e873b816d3d956132804254a23207e6bfc9f7a371a68f5aa8090ce
DarkWatchman
786698eab83f77c1fdc3d37daf49966befe788b0e85167083726354225176d1f
DarkWatchman
7d8fcc05f835b1662600c57da1456afe6e10b842db6bb64b4ba8fe92d5e86a18
DarkWatchman
889a99efe47a7cd2f2ee5797086d76e5811f9502047d9be1c6cbc1dc815c57fe
DarkWatchman
8e4ca12811ae20874923d590e85c6e0a4c591fa3dfe754cce7c47433b713b9c8
DarkWatchman
edba3ca498110106418658167533034aeb929276fe81de80c6de1a6bb95120e0
DarkWatchman
+ 4'175 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware spyware stealer
Link:
https://tria.ge/reports/220131-ewzjhsfeb9/
Behaviour
Interacts with shadow copies
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Deletes itself
Reads user/profile data of web browsers
Blocklisted process makes network request
Deletes shadow copies
Process spawned unexpected child process
Unpacked files
SH256 hash:
a9ca34111c34b02fb19c1a6430f82661f9e2ce3f70a53daf97ed8952cc7602e5
MD5 hash:
d989606e2fea8bf338fd5e97dd8c7e3e
SHA1 hash:
8e40e161e01951c5791a617bad020e4933f253b3
Link:
https://www.unpac.me/results/fdfb20b3-86d7-4dbd-9260-ac00e3d2e9d3/
SH256 hash:
63d22571866c5f1d9eedc6ebd283f7a2c657b540c77519b30c9953ec5ac436e0
MD5 hash:
326cf130af4754ee9c6e6cc8c7e802c8
SHA1 hash:
b91748417ff1fdc72e61b1176d9e8c9dc8cd75af
Link:
https://www.unpac.me/results/fdfb20b3-86d7-4dbd-9260-ac00e3d2e9d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63d22571866c5f1d9eedc6ebd283f7a2c657b540c77519b30c9953ec5ac436e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/228263/

Comments