MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b446c595c43f7865d622bbb1fba8a5f9eb29417ad5804eaba868789df87a183. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b446c595c43f7865d622bbb1fba8a5f9eb29417ad5804eaba868789df87a183
SHA3-384 hash: 530fe376be362c1cf8443c501fa661ac97dd9d36bf586cd26537941724c34f2235e0c1fe72d3acb899b150e0784ad5f4
SHA1 hash: 1f2f3eee7722b98f967be77326c2bbe52423284c
MD5 hash: c9143f61e975f257ee9624960e521806
humanhash: lactose-three-purple-fix
File name:c9143f61e975f257ee9624960e521806.exe
Download: download sample
File size:2'253'312 bytes
First seen:2023-01-19 15:24:02 UTC
Last seen:2023-01-19 16:38:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:JqVwHUSFA/yytL73KCYdBzMWyaRyQZzDRP6sZCnaUsgnK2:JqVwHUSFUqCYvg1UifajgnK
TLSH T1FBA523BC12DD5DA0D35E0EBAE4D222148379EC665A91F347B08C7DE88C74FD3981768A
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 52b0c8c88cf030e0
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c9143f61e975f257ee9624960e521806.exe
Verdict:
Malicious activity
Analysis date:
2023-01-19 15:26:47 UTC
Tags:
evasion opendir loader
Link:
https://app.any.run/tasks/be1af411-8d74-483d-95c5-5e0d6fb7f8b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354608/
Detection(s):
SecuriteInfo.com.Variant.Lazy.286623.13355.7645.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63c9658f96add6d1cf47d5e8/reports/166027ee-1d9d-4e9f-b3ce-e758d5f9864a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e361acd6-4ae7-4a4b-938a-fea9df9b58d7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154881
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 787611 Sample: Ad8MI6G4kp.exe Startdate: 19/01/2023 Architecture: WINDOWS Score: 100 121 x.bidswitch.net 2->121 123 www.msn.com 2->123 125 23 other IPs or domains 2->125 139 Antivirus detection for URL or domain 2->139 141 Antivirus / Scanner detection for submitted sample 2->141 143 Multi AV Scanner detection for submitted file 2->143 145 4 other signatures 2->145 11 Ad8MI6G4kp.exe 16 18 2->11         started        16 MicrosoftEdgeUpdateOnDemand.exe 2->16         started        18 MicrosoftEdgeUpdate.exe 2->18         started        20 2 other processes 2->20 signatures3 process4 dnsIp5 131 ipapi.co 104.26.8.44, 443, 49705 CLOUDFLARENETUS United States 11->131 133 162.159.135.232 CLOUDFLARENETUS United States 11->133 135 5 other IPs or domains 11->135 109 C:\Users\user\AppData\Local\...\shst.dat.exe, PE32 11->109 dropped 111 C:\Users\user\AppData\Local\...\auth.dat.exe, PE32+ 11->111 dropped 113 C:\Users\user\AppData\...\Ad8MI6G4kp.exe.log, ASCII 11->113 dropped 175 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->175 22 auth.dat.exe 11->22         started        26 shst.dat.exe 7 11->26         started        29 cmd.exe 1 11->29         started        31 chrome.exe 15 1 11->31         started        33 MicrosoftEdgeUpdate.exe 16->33         started        35 MicrosoftEdgeUpdate.exe 18->35         started        file6 signatures7 process8 dnsIp9 97 C:\Users\...\MicrosoftEdgeWebview2Setup.exe, PE32 22->97 dropped 147 Query firmware table information (likely to detect VMs) 22->147 149 Tries to detect sandboxes and other dynamic analysis tools (window names) 22->149 151 Hides threads from debuggers 22->151 153 Tries to detect sandboxes / dynamic malware analysis system (registry check) 22->153 37 MicrosoftEdgeWebview2Setup.exe 22->37         started        127 192.168.2.1 unknown unknown 26->127 99 C:\Windows\svchost.exe, PE32 26->99 dropped 155 Multi AV Scanner detection for dropped file 26->155 157 Protects its processes via BreakOnTermination flag 26->157 159 Drops PE files with benign system names 26->159 161 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 26->161 40 cmd.exe 26->40         started        43 cmd.exe 1 26->43         started        163 Uses schtasks.exe or at.exe to add and modify task schedules 29->163 45 conhost.exe 29->45         started        47 choice.exe 1 29->47         started        129 239.255.255.250 unknown Reserved 31->129 49 chrome.exe 31->49         started        52 chrome.exe 31->52         started        54 chrome.exe 31->54         started        56 iexplore.exe 33->56         started        file10 signatures11 process12 dnsIp13 89 C:\...\MicrosoftEdgeUpdate.exe, PE32 37->89 dropped 91 C:\Program Files (x86)\...\psuser_arm64.dll, PE32+ 37->91 dropped 93 C:\Program Files (x86)\...\psuser_64.dll, PE32+ 37->93 dropped 95 97 other files (none is malicious) 37->95 dropped 58 MicrosoftEdgeUpdate.exe 37->58         started        165 Drops executables to the windows directory (C:\Windows) and starts them 40->165 62 svchost.exe 40->62         started        65 conhost.exe 40->65         started        67 timeout.exe 40->67         started        69 conhost.exe 43->69         started        71 schtasks.exe 43->71         started        115 accounts.google.com 142.250.180.173, 443, 49709 GOOGLEUS United States 49->115 117 clients.l.google.com 142.250.184.46, 443, 49710 GOOGLEUS United States 49->117 119 8 other IPs or domains 49->119 73 iexplore.exe 56->73         started        file14 signatures15 process16 dnsIp17 101 C:\...\MicrosoftEdgeUpdate.exe, PE32 58->101 dropped 103 C:\...\psuser_arm64.dll (copy), PE32+ 58->103 dropped 105 C:\...\psuser_64.dll (copy), PE32+ 58->105 dropped 107 98 other files (none is malicious) 58->107 dropped 167 Creates an undocumented autostart registry key 58->167 75 MicrosoftEdgeUpdate.exe 58->75         started        77 MicrosoftEdgeUpdate.exe 58->77         started        79 MicrosoftEdgeUpdate.exe 58->79         started        81 MicrosoftEdgeUpdate.exe 58->81         started        137 stub02.kozow.com 93.147.90.90 VODAFONE-IT-ASNIT Italy 62->137 169 System process connects to network (likely due to code injection or exploit) 62->169 171 Multi AV Scanner detection for dropped file 62->171 173 Protects its processes via BreakOnTermination flag 62->173 file18 signatures19 process20 process21 83 MicrosoftEdgeUpdateComRegisterShell64.exe 75->83         started        85 MicrosoftEdgeUpdateComRegisterShell64.exe 75->85         started        87 MicrosoftEdgeUpdateComRegisterShell64.exe 75->87         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b446c595c43f7865d622bbb1fba8a5f9eb29417ad5804eaba868789df87a183/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-01-18 11:44:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nncgywk4ip3ymxlcfo5r7oukl6plffaxvvmaj2v2q2dytx4hugbq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence trojan
Link:
https://tria.ge/reports/230119-ss2rcsdc9x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Registers COM server for autorun
Sets file execution options in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
347f6f4afc414988d2a929e84b85701d116df9a5b61bd2ab83956a67d3e7535d
MD5 hash:
67c8e0d7be94a4723ed7886e57d0f0a6
SHA1 hash:
6bfa25de3fefd67d8a54b9ea9c7003d352c539c1
Link:
https://www.unpac.me/results/53e4e678-bac2-49fa-b9d5-2d561c1c64e6/
SH256 hash:
c93c0b2624351c062e6ef851bdcf51f8971b26cfef7a939b701611ee6b52e12f
MD5 hash:
2906bd21e41afb31faacd69a11f6f16c
SHA1 hash:
249ec943161d8bf57a749f7691409bbbcd01312a
Link:
https://www.unpac.me/results/53e4e678-bac2-49fa-b9d5-2d561c1c64e6/
Parent samples :
2b6c6b7a7b4ea5723a15a92ce376e7818f7ab58f4dc5944275932440bf4e2b09
db6a0025a6b9a255427019326c28540193c00d671e7120473913bfc88650a614
0fc0de254bc80e54c708fbd0eb0460c730283508b94108e4b2d1d70525ef3fce
SH256 hash:
6b446c595c43f7865d622bbb1fba8a5f9eb29417ad5804eaba868789df87a183
MD5 hash:
c9143f61e975f257ee9624960e521806
SHA1 hash:
1f2f3eee7722b98f967be77326c2bbe52423284c
Link:
https://www.unpac.me/results/53e4e678-bac2-49fa-b9d5-2d561c1c64e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b446c595c43f7865d622bbb1fba8a5f9eb29417ad5804eaba868789df87a183

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6b446c595c43f7865d622bbb1fba8a5f9eb29417ad5804eaba868789df87a183

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2510412/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/354608/

Comments