MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64d0b1816a61739747fc22199afe846b83427afb5a9536ba7d6a03c6d9a5d297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64d0b1816a61739747fc22199afe846b83427afb5a9536ba7d6a03c6d9a5d297
SHA3-384 hash: b6806acf9e7157417d0bf8a5573e1aef3832799d757e55136ccdf9f48ae9d591b762cde9c76153d67e8388b1c526c1d1
SHA1 hash: 02b5f742e88fe37d4f8d3077a6a344c21064a2ce
MD5 hash: 5242a8ffc10eaa5513a180086bc41a2e
humanhash: johnny-asparagus-alaska-venus
File name:NIFnNaANnw.bin
Download: download sample
File size:98'816 bytes
First seen:2022-07-11 12:25:31 UTC
Last seen:2022-07-11 12:55:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f2a0bb1051088a4e0887af51c9a7d646
ssdeep 3072:6KtKRScB+gg1w6wzxTeSAPQ/B8pgujiRQ8Dhy:6KtKR1Bu0zxynp7wJDh
Threatray 3'858 similar samples on MalwareBazaar
TLSH T182A31218A6D0CF42E3E921F8AD6F2A76218AD1F94FE34B475B947347446F970CA6D320
TrID 54.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter KdssSupport
Tags:exe


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
2
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
XvZwUVr.exe
Verdict:
Malicious activity
Analysis date:
2022-07-10 17:32:45 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/41dac24e-c9f5-4d54-83e3-4bc98b485829

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/286238/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop20.4730.29860.30609.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Setting a single autorun event
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/25066/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/62cc1732bbcf6baf27938f2f/reports/f5c69320-c039-4f17-8ffd-25ce173c3a44/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Apocalypse Clipper
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b22c5b9-7aac-42ea-a04c-28eb18663128
Result
Threat name:
MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1028612
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 661111 Sample: NIFnNaANnw.bin Startdate: 11/07/2022 Architecture: WINDOWS Score: 76 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected MicroClip 2->27 29 Sigma detected: Schedule system process 2->29 7 NIFnNaANnw.exe 1 8 2->7         started        11 winlogon.exe 2->11         started        13 winlogon.exe 2->13         started        15 3 other processes 2->15 process3 file4 21 C:\Users\user\AppData\Roaming\winlogon.exe, PE32 7->21 dropped 23 C:\Users\user\AppData\...\winlogon.exe, PE32 7->23 dropped 31 Uses schtasks.exe or at.exe to add and modify task schedules 7->31 17 schtasks.exe 1 7->17         started        33 Multi AV Scanner detection for dropped file 11->33 signatures5 process6 process7 19 conhost.exe 17->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64d0b1816a61739747fc22199afe846b83427afb5a9536ba7d6a03c6d9a5d297/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 12:26:10 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mtildalkmfzzor74eimzv7uenobue6x3lkktnot5nib4nwnf2klq._file
Verdict:
malicious
Similar samples:
3e9c014ef2b5fe85fafc698f4b94d18a3f929c0c812157819afe49ed1ebd6d74
6e5ce2c28b65e3f50c89ee799de9c047c07ec4c27b4d4b8b6f4f202b1e8d557a
81fe733026110d1d4ff33cccb9a79a593af2b7db12a4b34f0feab313ab3655a2
8b21d5d222c521b730f85690aa3f88c00b2c9ce7e8b208564509e093b5eed814
963dbb31cbea52bfb5e071a35b2bcb6bf7705f5548fa7827ad9601215268f65c
9d98af7edc7ef9cc5dfc258f11b1795b3ecb74aa613cc14212102d75bbdc8c44
9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b
b11e4827173f942813d0efac847c3446f57c77607d18d3d0933f888839400445
b939033df88adb57f35c2cdd56fbc0cc3d63061d0c93f388f5460e2029620db1
d813644d9387e23efe566919a08f4d43ec3ea7347c7042c0ce5c6703d2afdbd4
+ 3'848 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/220711-pl6vyshadn/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
2ae8d81d7cdee3cf541bd5d84d19dfd0fca29616325f786bffbd08ec43dfdebe
MD5 hash:
9deeb30a882eeecdebaf97ad2ff15b7e
SHA1 hash:
d737c39d268715651cacb3c38dca75b6d8ff4081
Link:
https://www.unpac.me/results/e53a672b-59f4-4661-b0cb-c8c5883974e9/
SH256 hash:
64d0b1816a61739747fc22199afe846b83427afb5a9536ba7d6a03c6d9a5d297
MD5 hash:
5242a8ffc10eaa5513a180086bc41a2e
SHA1 hash:
02b5f742e88fe37d4f8d3077a6a344c21064a2ce
Link:
https://www.unpac.me/results/e53a672b-59f4-4661-b0cb-c8c5883974e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/64d0b1816a61739747fc22199afe846b83427afb5a9536ba7d6a03c6d9a5d297

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 64d0b1816a61739747fc22199afe846b83427afb5a9536ba7d6a03c6d9a5d297

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/286238/

Comments