MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b62f32a20854201a2334ac30b1b04e3f555c2f297c9431ffe3350613bf4b716. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b62f32a20854201a2334ac30b1b04e3f555c2f297c9431ffe3350613bf4b716
SHA3-384 hash: 8c4584523aee40b0685039d0d52ac3f49ec4995ac4d77a13ddac467fe9fc801b1ebcce709725e85d64db544353a6e41d
SHA1 hash: 768ee5612655d963daac1276c0457594a078f369
MD5 hash: 53f63cfeedb41e47fdd3c8fa18f049fd
humanhash: early-violet-montana-montana
File name:6901208.exe
Download: download sample
File size:457'728 bytes
First seen:2022-10-26 15:54:23 UTC
Last seen:2022-10-28 06:30:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:x1dqXFiL0AWTOC2/onUwkvC12obtZ7Kwh:x2FiL0AMD2l5vC123
Threatray 517 similar samples on MalwareBazaar
TLSH T13AA4BEE77CBABA82D2AC583EC705D450BA7E9185B7F41171B4B64E7C424EF8DC078A42
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter James_inthe_box
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6901208.exe
Verdict:
No threats detected
Analysis date:
2022-10-26 15:56:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/59c818f7-2ad1-4744-94bf-755b84e35fc9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324458/
Detection(s):
SecuriteInfo.com.W64.MSIL_Downldr.C.Eldorado.20398.16111.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/60c8d2a6-cd1a-4dcf-92f7-b1f9292c96f2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1098578
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 731235 Sample: 6901208.exe Startdate: 26/10/2022 Architecture: WINDOWS Score: 52 19 Multi AV Scanner detection for submitted file 2->19 21 Machine Learning detection for sample 2->21 6 6901208.exe 1 2->6         started        process3 file4 17 C:\Users\user\AppData\...\6901208.exe.log, CSV 6->17 dropped 9 RegAsm.exe 6->9         started        11 RegAsm.exe 6->11         started        13 RegAsm.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b62f32a20854201a2334ac30b1b04e3f555c2f297c9431ffe3350613bf4b716/
Threat name:
ByteCode-MSIL.Trojan.Witch
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 16:03:24 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nnrpgkraqvbadirtjlbqwgye4p2vlqxss7eugh76gnigco7uw4la._file
Verdict:
malicious
Similar samples:
1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b
7157ea22835284e4b38c05ac415ead575656efa2389f74dcfbb8ab910031427c
7b2a751a9af69cdc119755601ee27693dd105aa1702fd5f5cd6fcf697ac47bb6
9316de8b3697c6a6f1fba5bc0b653cfb6202aa7429b5d203523a9768e9a772e9
a0b829fae3c9ce99cd60eda2fd16812b75b380b0f7adb3e56ead69e087c2d574
b0e9ac1486908cd1351af5f5cb102d16ed197dee031f9f07d996f62248fdd481
b613f08a0063de54e6ee9b6d3beb3ad93c1cfeb277304de7491321276d5ddc45
bb06bf5d8b68991bf2545a1b560b535d35ec17f870f4b53f62c31dc3d1148408
ea22f746189bf2d6ad50b7e04bf79cc153ce431f04dd2c5437632949d7eb66d0
+ 507 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221026-tcr3nagcbr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
6b62f32a20854201a2334ac30b1b04e3f555c2f297c9431ffe3350613bf4b716
MD5 hash:
53f63cfeedb41e47fdd3c8fa18f049fd
SHA1 hash:
768ee5612655d963daac1276c0457594a078f369
Link:
https://www.unpac.me/results/4f6b439b-2900-4e3c-a99d-3299f25d6428/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b62f32a20854201a2334ac30b1b04e3f555c2f297c9431ffe3350613bf4b716

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/324458/

Comments