MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 691bd2b76ebd32787a26a353c915e1438bb317d1c90bda5eeae0c9057cf33f44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	691bd2b76ebd32787a26a353c915e1438bb317d1c90bda5eeae0c9057cf33f44
SHA3-384 hash:	24a740939895d93d7e38c6b97ccdfc153539bbb59fad1919286a612355dc21a1e37b9c4f7cee180478cd85622ce3b3d7
SHA1 hash:	07d67e498239f1dda98a7b3c863b6abbacf21a5f
MD5 hash:	36041b7e660f1c5572ca812debcb6ef1
humanhash:	missouri-spring-red-delta
File name:	Vzwwqreew.exe
Download:	download sample
File size:	1'838'080 bytes
First seen:	2025-02-03 16:11:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	49152:rJAT+hooP59AKjXP3ud77s7H/L3oxNiDGr:V5B9AwvCsTj3oxNiD6
TLSH	T16A8501E817C47E52C6BF0B37A0F03B548730E9529FF6E35F558009AC0D67BAA9920796
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	TomU
Tags:	exe

TomU

a6948d5a4a9b6b9360d86b92c56aadb3 BL INLU4106073.rar
731946cdeb0a54ef6234c593f1c56d06 BL INLU4106073.img
36041b7e660f1c5572ca812debcb6ef1 Vzwwqreew.exe

dfd99d41098a817875765d2ade997d2ce31c2dbe32b66cf1ad7113da7076e441 BL INLU4106073.rar
6317822ae262d8a5793d2019761694ca5bcb2b833ae172f8a9de87bb0e652e06 BL INLU4106073.img
691bd2b76ebd32787a26a353c915e1438bb317d1c90bda5eeae0c9057cf33f44 Vzwwqreew.exe

Intelligence

File Origin

# of uploads :

# of downloads :

634

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Vzwwqreew.exe

Verdict:

Malicious activity

Analysis date:

2025-02-03 16:15:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/266835ce-f9bf-4dd8-89dc-f4f117d9372e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Msilheracles-10017859-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67a0eb742dcee78dd8193d0f

Tags:

smartassembly autorun packed virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated obfuscated packed packed packer_detected smartassembly smart_assembly

Link:

https://www.filescan.io/uploads/67a0eadc0218eb7de8c25e63/reports/76dc6c58-2dc5-46fc-89fb-2461837ca405/overview

Verdict:

Malicious

Labled as:

Trojan.Mardom.PN.Generic

Link:

https://www.hybrid-analysis.com/sample/691bd2b76ebd32787a26a353c915e1438bb317d1c90bda5eeae0c9057cf33f44

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d04cdb73-7e22-402c-9720-42978232d950

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1605760

Signature

.NET source code contains potential unpacker

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/691bd2b76ebd32787a26a353c915e1438bb317d1c90bda5eeae0c9057cf33f44

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/691bd2b76ebd32787a26a353c915e1438bb317d1c90bda5eeae0c9057cf33f44/

Threat name:

Win32.Ransomware.Generic

Status:

Malicious

First seen:

2025-02-03 00:05:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nen5fn3oxuzhq6rgunj4sfpbiof3gf6rzef5uxxk4deqk7hth5ca._file

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery

Link:

https://tria.ge/reports/250203-tnld9awkew/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Drops startup file

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

Win.Packed.Msilheracles-10017859-0

YARA:

n/a

Link:

https://app.threat.zone/submission/55d12137-7101-4c9e-b3d3-abab84e319b5

Unpacked files

SH256 hash:

691bd2b76ebd32787a26a353c915e1438bb317d1c90bda5eeae0c9057cf33f44

MD5 hash:

36041b7e660f1c5572ca812debcb6ef1

SHA1 hash:

07d67e498239f1dda98a7b3c863b6abbacf21a5f

Link:

https://www.unpac.me/results/ea2bdc7d-1df0-4a12-81dd-eced5a09c08a/

SH256 hash:

156d5d063b86db80b7ce843294202677040573c1d6976e31b5fadbf571f4ec51

MD5 hash:

a9b56d447ce73eb463433839687a9c82

SHA1 hash:

fdbfb26b24151c56a395be230d3369421b15a3b9

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ea2bdc7d-1df0-4a12-81dd-eced5a09c08a/

SH256 hash:

78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677

MD5 hash:

f9d2985aa1c41cca281321fffb5ed424

SHA1 hash:

3a7a58d2dcae2762882357ae34d372744b1dbb9d

Link:

https://www.unpac.me/results/ea2bdc7d-1df0-4a12-81dd-eced5a09c08a/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/ea2bdc7d-1df0-4a12-81dd-eced5a09c08a/

SH256 hash:

c43827af46e16f92825db5576ae6c0b99f07cca698b57f88788b7c189c815049

MD5 hash:

283fca6acca3087dd6cfc19d72567e16

SHA1 hash:

7126da1ad6cee0551dbf568ade90cfca5746c73d

Link:

https://www.unpac.me/results/ea2bdc7d-1df0-4a12-81dd-eced5a09c08a/

SH256 hash:

eaec02be5fc240cfa6103d82c9d65eb637b1d5b42928ba7977b59b14db7a6616

MD5 hash:

3d7f0e04dae9d434a8f105c89e836bc9

SHA1 hash:

c01f6c0e9d7f3c87d3d6e0e027600209b7345c31

Link:

https://www.unpac.me/results/ea2bdc7d-1df0-4a12-81dd-eced5a09c08a/

SH256 hash:

c836de1354ff9caf8d2c8af85604ff4b1b9c14c3e2d503dac94d805d2be7cd6e

MD5 hash:

5e8748c7b6ef0c7a0cad4e3372dc2f46

SHA1 hash:

d785100cff8a7ff174706de07c7a2aba78a40200

Link:

https://www.unpac.me/results/ea2bdc7d-1df0-4a12-81dd-eced5a09c08a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/691bd2b76ebd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/691bd2b76ebd32787a26a353c915e1438bb317d1c90bda5eeae0c9057cf33f44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 691bd2b76ebd32787a26a353c915e1438bb317d1c90bda5eeae0c9057cf33f44

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample