MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68f9ad5ec23c835ad9509db0915d4065046933d06652eb79784a43fbb7290603. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68f9ad5ec23c835ad9509db0915d4065046933d06652eb79784a43fbb7290603
SHA3-384 hash: f2473bec6d24a19c67ac1b6f8096bd2ec29f2795a6a30b08d8dd8d0e1fa22bfb972fd6281eada50404721e14a3afd700
SHA1 hash: d5a5f2b0ac3061553c56f560603ac3df12ee1b17
MD5 hash: 598d16e6316cde59bb452bdd23e91b14
humanhash: finch-fourteen-cola-bakerloo
File name:598d16e6316cde59bb452bdd23e91b14.exe
Download: download sample
File size:488'960 bytes
First seen:2022-12-15 08:01:56 UTC
Last seen:2022-12-15 09:38:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:rayrcoD0+6WB1SXYHeneoxLiG5uBB1waf:GKc+4XRrL7KB1waf
Threatray 3'416 similar samples on MalwareBazaar
TLSH T1ACA423450CB0BF6DE43092B57438CA4A472A653DCDD276EA281B90EEE4CCC7A16736D2
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 336b4a4c463cb466
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
598d16e6316cde59bb452bdd23e91b14.exe
Verdict:
No threats detected
Analysis date:
2022-12-15 08:02:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bceb0123-fcde-4121-b12d-875724fcf4c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/346518/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.23561.19365.24597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Sending an HTTP GET request to an infection source
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/639ad47d02f399ddcc63e04e/reports/b6106cfa-a7a7-43b2-a33a-02cfb2605283/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9deac29-5c1b-4d1a-b1b9-9387acb984d6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1134811
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 767539 Sample: D7ORFmxN1P.exe Startdate: 15/12/2022 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Antivirus detection for URL or domain 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 3 other signatures 2->46 9 D7ORFmxN1P.exe 14 4 2->9         started        14 puttydata.exe 14 2 2->14         started        16 puttydata.exe 2 2->16         started        process3 dnsIp4 36 179.43.155.202, 49702, 49704, 49705 PLI-ASCH Panama 9->36 38 85.209.134.86, 49703, 49767, 50084 CMCSUS Germany 9->38 34 C:\Users\user\AppData\Local\...\Inimres.exe, PE32+ 9->34 dropped 56 Suspicious powershell command line found 9->56 58 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->60 18 powershell.exe 16 9->18         started        62 Machine Learning detection for dropped file 14->62 file5 signatures6 process7 process8 20 Inimres.exe 15 6 18->20         started        24 conhost.exe 18->24         started        file9 32 C:\Users\user\AppData\...\puttydata.exe, PE32+ 20->32 dropped 48 Machine Learning detection for dropped file 20->48 50 Encrypted powershell cmdline option found 20->50 52 Writes to foreign memory regions 20->52 54 2 other signatures 20->54 26 powershell.exe 15 20->26         started        28 AppLaunch.exe 20->28         started        signatures10 process11 process12 30 conhost.exe 26->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68f9ad5ec23c835ad9509db0915d4065046933d06652eb79784a43fbb7290603/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-12-15 08:02:12 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
6
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nd422xwchsbvvwkqtwyjcxkamucgsm6qmzjow6lyjjb7xnzjaybq._file
Verdict:
malicious
Similar samples:
33582086a3417a06bb5154cd9e1f878bff0d8717151cbccd539cd0505a8e5fcd
6620065fb747acd80ed59d91d4b76316b9402c739530a8436e36f188e9a3f03f
9fd84c71e3c3c85eb7ef456aa82d68223aa2ba2dfab716f1a34732227d009b6f
a0942d04446fbbb68d5411600d37a6c7a4763cf92329d199ba7a40815f5fb2b0
a2d1c49015b02db66f014da92414d7e000de133f37a81c1d0e3cd6ba6b13ba8f
b37edff0dbb286c487d7a95db2238b22abc5e404cda5480495cbdb77f2788c69
b90b4c71b08339b3ee8faaae122ace0272e360ad6c0147d9e902c0b5bd9b3f57
c180f58783642d9688ad20f32ce72e504accf1d101f1591b39b0d4e0f429fe3f
d265e4a4cad9e1937d41cb1d5f38cb6afe90c429c6b708e01f147d69fd5b6056
e904870d3952bad327314df46c9fa32f9aac69ef0028123515da1cda4c1c6706
+ 3'406 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221215-jw468abh56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9dcde1ea-aba8-49da-ac25-be722df75514
Unpacked files
SH256 hash:
68f9ad5ec23c835ad9509db0915d4065046933d06652eb79784a43fbb7290603
MD5 hash:
598d16e6316cde59bb452bdd23e91b14
SHA1 hash:
d5a5f2b0ac3061553c56f560603ac3df12ee1b17
Link:
https://www.unpac.me/results/a3338478-e5cb-431c-81aa-5cb16d9f3d4d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/68f9ad5ec23c835ad9509db0915d4065046933d06652eb79784a43fbb7290603

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 68f9ad5ec23c835ad9509db0915d4065046933d06652eb79784a43fbb7290603

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2463228/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/346518/

Comments