MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6aad3b97852a0606d9dc55ad9ea9d7875e10c92446279cbf8634927046d9cce7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6aad3b97852a0606d9dc55ad9ea9d7875e10c92446279cbf8634927046d9cce7
SHA3-384 hash: 42c87998077bbce8dc5daef0055f3fcf9933f699dc95c4c69f69e7b7ac7eb1f3dfcaf5a94a97d448d60e3cc46e32543b
SHA1 hash: aa9cb7824111ae98104377d5f4f202a147dc1bcb
MD5 hash: 15d662c8c08546225a2cc7aa985e6b99
humanhash: shade-nevada-triple-two
File name:file
Download: download sample
File size:1'762'591 bytes
First seen:2022-08-26 05:02:51 UTC
Last seen:2022-08-26 07:42:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 24576:t4nXubIQGyxbPV0db26WOOqKGa4ZMsv1Et9uGpckT52zedlq89Ws5uIzk5aM/pho:tqe3f66gpSffPMWrQ0Zk+
Threatray 694 similar samples on MalwareBazaar
TLSH T1EC85B03FF268A53EC46E1B3245B39250997BBA60681A8C1F07FC384DCF765601E3B656
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from http://installtracker.cfd/installer/125480/FamilyTreeMadeSimpleSetup.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-08-26 05:04:48 UTC
Tags:
installer
Link:
https://app.any.run/tasks/e7548cf1-e819-4d14-8250-0d32b1be4e52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301278/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a file in the system32 subdirectories
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30128/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6308540905ef0c24e4270af5/reports/4231252d-5b28-477c-a42c-84e8ed9822d6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5b8f7397-7489-4032-a3a3-33a43cc5ea2b
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
troj
Score:
32 / 100
Link:
https://www.joesandbox.com/analysis/1058143
Signature
Antivirus detection for URL or domain
Obfuscated command line found
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 690660 Sample: file Startdate: 26/08/2022 Architecture: WINDOWS Score: 32 59 Snort IDS alert for network traffic 2->59 61 Antivirus detection for URL or domain 2->61 8 file.exe 2 2->8         started        process3 file4 33 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 8->33 dropped 65 Obfuscated command line found 8->65 12 file.tmp 4 21 8->12         started        signatures5 process6 dnsIp7 55 setuppro.xyz 74.208.236.195, 49719, 80 ONEANDONE-ASBrauerstrasse48DE United States 12->55 57 installtracker.cfd 162.0.229.248, 443, 49720, 49721 NAMECHEAP-NETUS Canada 12->57 45 C:\Users\user\AppData\...\installersetup1.exe, PE32 12->45 dropped 47 C:\Users\...\FamilyTreeMadeSimpleSetup.exe, PE32 12->47 dropped 49 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 12->49 dropped 51 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 12->51 dropped 67 Performs DNS queries to domains with low reputation 12->67 17 FamilyTreeMadeSimpleSetup.exe 2 12->17         started        21 installersetup1.exe 2 12->21         started        file8 signatures9 process10 file11 29 C:\Users\...\FamilyTreeMadeSimpleSetup.tmp, PE32 17->29 dropped 63 Obfuscated command line found 17->63 23 FamilyTreeMadeSimpleSetup.tmp 30 21 17->23         started        31 C:\Users\user\AppData\...\installersetup1.tmp, PE32 21->31 dropped 27 installersetup1.tmp 3 12 21->27         started        signatures12 process13 dnsIp14 53 192.168.2.1 unknown unknown 23->53 35 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 23->35 dropped 37 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 23->37 dropped 39 C:\Program Files\...\unins000.exe (copy), PE32 23->39 dropped 43 3 other files (none is malicious) 23->43 dropped 41 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 27->41 dropped file15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6aad3b97852a0606d9dc55ad9ea9d7875e10c92446279cbf8634927046d9cce7/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2022-08-26 05:03:09 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
8 of 26 (30.77%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkwtxf4ffidanwo4kwwz5koxq5pbbsjeiytzzp4ggsjharwzzttq._file
Verdict:
unknown
Similar samples:
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
3f299a38f6196d2df259cd0b626e204fb81f5d33de5ec78d4bd7bae131ccb9d4
9bb77fb3b462b7b52694f0326b83b4f0f47969240e296129cd23da3b2fe98fb0
a072b6112f5ea82e5914c1f3314aafc92b234f5a252eda19f889581adb4e6a65
a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8
da362dff8b39c6b4b92387f48f5beb91ce55dbdf8bfe6a6ec7b5e6f1aa269010
db4d9628d02ae5e9812156655106fddf94c4f09b2702fea9601596c97b9fdae6
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
+ 684 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220826-fppleaffgk/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/af45e567-db6a-453a-a1c3-624eb4e06a80/
SH256 hash:
c20f32b5dde0bdcb33afb7db1a37b4ec9c3c4ea4c46441bb1fe9c4deee5e838d
MD5 hash:
bfc2674d36fe2c6518cc946f1f120a41
SHA1 hash:
2d5554ed3af15c3c08338eeaf247154796c5fee1
Link:
https://www.unpac.me/results/af45e567-db6a-453a-a1c3-624eb4e06a80/
SH256 hash:
6aad3b97852a0606d9dc55ad9ea9d7875e10c92446279cbf8634927046d9cce7
MD5 hash:
15d662c8c08546225a2cc7aa985e6b99
SHA1 hash:
aa9cb7824111ae98104377d5f4f202a147dc1bcb
Link:
https://www.unpac.me/results/af45e567-db6a-453a-a1c3-624eb4e06a80/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6aad3b97852a0606d9dc55ad9ea9d7875e10c92446279cbf8634927046d9cce7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/301278/
  
URLhaus
https://urlhaus.abuse.ch/url/2278945/

Comments