MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Wiper
Vendor detections: 12



SHA256 hash: 690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
SHA3-384 hash: cfb1f2083d095c528f6081c849c258c2bd275c1589872ab10d24c9f20affa43476914bd4e598035995a3d81f535ac39e
SHA1 hash: af83b938017efd53f95671adc0c6d2aa1088d38e
MD5 hash: 81a7a946456f1f6dae4715b1feb72ed0
humanhash: butter-carbon-august-pasta
File name: ADZP 20 Complex.exe
Signature: Wiper
File size: 114'688 bytes
First seen: 2024-11-18 17:20:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 3072:O7DhdC6kzWypvaQ0FxyNTBfHdIyEGfvBN+:OBlkZvaF4NTB/yyEGfvBQ
TLSH: T126B38E41F2E502F7EAE2053100B6722FD73663389764E9DBC74C2E529913AD1A63D3E9
TrID: 36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: Anonymous
Tags: exe peexe Shingapi.sk sys files removal Wiper


Anonymous
This malware is capable of deleting System32 drivers, overwriting the MBR, deleting the BCD, formatting drives and attacking other system files.

Intelligence


File Origin
Uploads: 1
Downloads: 515
Origin country: SV
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ADZP 20 Complex.exe
Verdict: Malicious activity
Analysis date: 2024-11-18 17:42:05 UTC
Tags: api-base64

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Verdict: Malicious
Score: 97.4%
Tags: autorun extens virus sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a file
Launching cmd.exe command interpreter
Launching a process
Delayed reading of the file
Creating a window
Creating a process from a recently created file
Searching for the window
Searching for synchronization primitives
Creating synchronization primitives
Sending a UDP request
Restart of the analyzed sample
Launching a service
Modifying a system file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Rewriting of the hard drive's master boot record
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed packed packer_detected purebasic
Result
Threat name: Babadeda, Wiper
Detection: malicious
Classification: troj.adwa.evad
Score: 70 / 100
Signature
AI detected suspicious sample
Command shell drops VBS files
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to infect the boot sector
Drops PE files to the startup folder
Infects the VBR (Volume Boot Record) of the hard disk
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Add file from suspicious location to autostart registry
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Writes directly to the primary disk partition (DR0)
Yara detected Babadeda
Yara detected Wiper
Behaviour
Behavior Graph:
Behavior Graph ID: 1557915
Sample: ADZP 20 Complex.exe
Startdate: 18/11/2024
Architecture: WINDOWS
Score: 70
Signatures on the sample: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected Babadeda; 8 other signatures
Process tree (dropped files and signatures are listed under the process they belong to):
ADZP 20 Complex.exe (started)
  dropped: C:\Users\user\AppData\Local\Temp\...\C42C.bat (ASCII)
  cmd.exe (started)
    dropped: C:\Users\user\AppData\...\ADZP 20 Complex.exe (PE32); C:\Users\user\Desktop\Virus.sys (ASCII); C:\Users\user\Desktop\Informacion.vbs (ASCII); 4 other malicious files
    signatures: Command shell drops VBS files; Uses cmd line tools excessively to alter registry or file data; Drops PE files to the startup folder; 2 other signatures
    Tasksvc.exe (started)
      dropped: \Device\Harddisk0\DR0 (data)
      signatures: Machine Learning detection for dropped file; Writes directly to the primary disk partition (DR0); Infects the VBR (Volume Boot Record) of the hard disk; 2 other signatures
      conhost.exe (started)
    ADZP 20 Complex.exe (started)
      dropped: C:\Users\user\AppData\Local\Temp\...\F202.bat (ASCII)
      conhost.exe (started)
      cmd.exe (started)
    certutil.exe (started)
      dropped: C:\Users\user\Desktop\Tasksvc.exe (PE32)
    31 other processes
      dropped: C:\Users\user\AppData\Local\Temp\...\FC92.bat (ASCII)
      takeown.exe (started)
      conhost.exe (started)
  conhost.exe (started)
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-11-18 17:21:05 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 16 of 38 (42.11%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: bootkit defense_evasion discovery evasion exploit persistence privilege_escalation upx
Behaviour
Gathers network information
Modifies registry key
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
UPX packed file
Adds Run key to start application
Deobfuscate/Decode Files or Information
Enumerates connected drives
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Modifies boot configuration data using bcdedit
Writes to the Master Boot Record (MBR)
Drops startup file
Executes dropped EXE
Modifies file permissions
Disables Task Manager via registry modification
Drops file in Drivers directory
Modifies Windows Firewall
Possible privilege escalation attempt
Verdict: Malicious
Tags: trojan
YARA: SUSP_Imphash_Mar23_3
Unpacked files
SHA256 hash: 67d316b955454b11d3a8ea52d8b912f7d19b596a4c3c74ce3663376b2e7afa4d
MD5 hash: 31a2094410537adbe2f773213a0d570c
SHA1 hash: 87f2e5f8e9e78c21a5adb7c1ab5067e6cafae2e4
SHA256 hash: 690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
MD5 hash: 81a7a946456f1f6dae4715b1feb72ed0
SHA1 hash: af83b938017efd53f95671adc0c6d2aa1088d38e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: PureBasic4xNeilHodgson
Author: malware-lu
Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for malicious import combination that ransomware mostly use (can create FP)
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SUSP_Imphash_Mar23_3
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Wiper
Executable exe 690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408 (this sample)
  Dropping: Shingapi.sk
Delivery method: Other

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high

Reviews
ID                  Capabilities                    Evidence
MULTIMEDIA_API      Can Play Multimedia             WINMM.DLL::timeBeginPeriod
SHELL_API           Manipulates System Shell        SHELL32.DLL::ShellExecuteExW
WIN32_PROCESS_API   Can Create Process and Threads  KERNEL32.dll::CreateProcessW
                                                    KERNEL32.dll::CloseHandle
                                                    KERNEL32.dll::CreateThread
WIN_BASE_API        Uses Win Base API               KERNEL32.dll::TerminateProcess
                                                    KERNEL32.dll::LoadLibraryExW
                                                    KERNEL32.dll::LoadLibraryW
                                                    KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API   Can Execute other programs      KERNEL32.dll::SetConsoleCtrlHandler
WIN_BASE_IO_API     Can Create Files                KERNEL32.dll::CreateDirectoryW
                                                    KERNEL32.dll::CreateFileW
                                                    KERNEL32.dll::DeleteFileW
                                                    KERNEL32.dll::GetWindowsDirectoryW
                                                    KERNEL32.dll::GetSystemDirectoryW
                                                    KERNEL32.dll::RemoveDirectoryW
WIN_USER_API        Performs GUI Actions            USER32.DLL::CreateWindowExW
