MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 673863162674d9787f890c093aa2b5c96e708fda0626ce8d5e1d2f6d9ca6811c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 673863162674d9787f890c093aa2b5c96e708fda0626ce8d5e1d2f6d9ca6811c
SHA3-384 hash: Calculating hash
SHA1 hash: Calculating hash
MD5 hash: f94af679d7eb132f6d0438382848ee7a
humanhash: Calculating hash
File name:ZDQf3gLGE1GPIjK.exe
Download: download sample
File size:522'752 bytes
First seen:2021-12-16 22:53:51 UTC
Last seen:2021-12-17 00:52:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash Calculating imphash
ssdeep Calculating ssdeep hash
Threatray 5 similar samples on MalwareBazaar
TLSH Calculating TLSH
telfhash Calculating telfhash
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214690/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.8222.13528.24767.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61bbc3a28541392eb4eb3a40/reports/3337fabd-350a-49b1-b57d-920baa7853f4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25e11eb8-eee9-4909-9501-7e1c7b0b28a2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/908830
Signature
.NET source code contains potential unpacker
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Gathering data
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m44ggfrgotmxq74jbqetvivvzfxhbd62aytm5dk6duxw3hfgqeoa._file
Verdict:
unknown
Similar samples:
3a361c768a1ebfd17d5b44a2d4915301c9f06640720f0644fd9809b48b12c4c3
68b06b7a02ddedc6cca5e2c9e2f91fe8374440ad93aa04e40a84cde5a76f8234
8cef98761d99141693fba696c8cad2b0b8711c7dd6ca1095b2c328141237c84e
db14f4188f9a9cd454cf4253cefae20a8604499afcaf61e64031f42db6dc8baa
e1a555c5a9574de6448cde29e8cd3f8312d1420e6769a31c58e4d43debad2940
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211216-2vqxbadffm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
3e846a88ed20d010b1846ccea7c89859ee0855ca4521ab21e81536097238622c
MD5 hash:
47eedaf74d0e5958333855e8f640b42c
SHA1 hash:
a8fbcc0c48f6a80a8517020655d5cf3a824a64bb
Link:
https://www.unpac.me/results/dc5d0d2b-3b94-496e-aedb-9024be97d640/
SH256 hash:
9f5763966bacdc6de3944a6e06a49b05869c38f2e98b32cb93b483a480a6ffff
MD5 hash:
3418c620c4b9dd4533a88f1ba5ec3ff1
SHA1 hash:
12f6aaf1c90030c4063d42a27b2e7000a08b6e74
Link:
https://www.unpac.me/results/dc5d0d2b-3b94-496e-aedb-9024be97d640/
SH256 hash:
673863162674d9787f890c093aa2b5c96e708fda0626ce8d5e1d2f6d9ca6811c
MD5 hash:
f94af679d7eb132f6d0438382848ee7a
SHA1 hash:
4fd78ff16169fb1392da2a75087c37938488b307
Link:
https://www.unpac.me/results/dc5d0d2b-3b94-496e-aedb-9024be97d640/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 673863162674d9787f890c093aa2b5c96e708fda0626ce8d5e1d2f6d9ca6811c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/214690/

Comments