MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4

SHA256 hash: 6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
SHA3-384 hash: e5cfc4e25c9b3488178fae6fb55bb5d856afc92fde922f31a3c5e85c616f92f62eb43abf2c6a4004f01a57cbab93ab0a
SHA1 hash: dbec0622b7a0ad34b075818ca9186bb0088ab949
MD5 hash: e0e25450a7f2376cd9ec04ac8b63f6d4
humanhash: two-oscar-kilo-nineteen
File name: Uninstall.exe
File size: 186'142 bytes
First seen: 2021-09-27 13:51:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 59a4a44a250c4cf4f2d9de2b3fe5d95f (shared with 70 x GuLoader, 13 x AgentTesla, 7 x AZORult samples)
ssdeep: 3072:BAsj8MBX8s0oXJXHobpzvWkKunZejHt3MVHPzoV8fsZjsDBp9CcjS6LtqSE:BAsBZ1HobpElEvkOfYj2BS6gSE
Threatray: 545 similar samples on MalwareBazaar
TLSH: T1A704E14545C29C1AF81537BE8EB151F2E03AFE40207A83CF2711BE5A6F37B5689593A3
dhash icon: b2a2a4b1dadada8e
Reporter: MWerken
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 128
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Uninstall.exe
Verdict: Suspicious activity
Analysis date: 2021-09-27 13:54:13 UTC
Tags: installer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Creating a file in the %temp% directory
  Creating a file
  Creating a process from a recently created file
  Creating a window

Result
Threat name: Unknown
Detection: malicious
Classification: rans
Score: 48 / 100
Signature:
  Deletes itself after installation
  Modifies existing user documents (likely ransomware behavior)

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of WriteProcessMemory
  NSIS installer
  Enumerates physical storage devices
  Deletes itself
  Loads dropped DLL
  Executes dropped EXE
Unpacked files

SHA256 hash: 401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
MD5 hash: d9a3fc12d56726dde60c1ead1df366f7
SHA1 hash: f531768159c14f07ac896437445652b33750a237

SHA256 hash: ed58d0eea00503c73321188111a89d6c256ba1169c75ea6f8e655b2a9df8fa95
MD5 hash: a0df50278c70fbeb423b0a06ae75c15a
SHA1 hash: 75f3039ae96777047d1d5267024645e9849a2c82

SHA256 hash: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
MD5 hash: 883eff06ac96966270731e4e22817e11
SHA1 hash: 523c87c98236cbc04430e87ec19b977595092ac8

SHA256 hash: e560384c5298ee2123e8340e716b2c4680f51b4d0347995ba3290dbd1130c6c0
MD5 hash: eee2912bd1ee421cf1f1dfb1cc327d97
SHA1 hash: c5d3741ddb195718c9b17923eb6abfb7a732bdc1

SHA256 hash: 6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89 (the submitted sample itself)
MD5 hash: e0e25450a7f2376cd9ec04ac8b63f6d4
SHA1 hash: dbec0622b7a0ad34b075818ca9186bb0088ab949
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



MoetGewoonWerken commented on 2021-09-27 13:53:56 UTC

Retrieved file and running manual analysis

1430,The file references string(s) tagged as blacklist,count: 38,1
1525,The file contains another file,signature: Nullsoft, location: overlay, offset: 0x0000C408, size: 135966,1
1266,The file imports symbol(s) tagged as blacklist,count: 34,1
1434,The file references a URL pattern,url: http://nsis.sf.net/NSIS_Error,1
1003,The file-ratio of the overlay is suspicious,ratio: 73.04 %,2
1262,The file imports anonymous function(s),count: 1,2
1153,The file contains a virtualized section,section: .ndata,2
1120,The file is scored by virustotal,score: 0/67,3
1019,The file contains a rich-header,status: yes,3
1241,The manifest identity has been found,name: Nullsoft.NSIS.exehead,3
1261,The file imports deprecated function(s),count: 14,3
1036,The file checksum is invalid,checksum: 0x032AEDBD,3
1634,The file references a group of API,api: file, count: 28,3
1634,The file references a group of API,api: registry, count: 12,3
1634,The file references a group of API,api: dynamic-library, count: 6,3
1634,The file references a group of API,api: execution, count: 10,3
1634,The file references a group of API,api: synchronization, count: 1,3
1634,The file references a group of API,api: memory, count: 5,3
1634,The file references a group of API,api: system-information, count: 8,3
1634,The file references a group of API,api: storage, count: 4,3
1634,The file references a group of API,api: diagnostic, count: 1,3
1634,The file references a group of API,api: windowing, count: 18,3
1634,The file references a group of API,api: keyboard-and-mouse, count: 2,3
1634,The file references a group of API,api: administration, count: 1,3
1634,The file references a group of API,api: resource, count: 1,3
1634,The file references a group of API,api: data-exchange, count: 4,3
1634,The file references a group of API,api: shell, count: 1,3
1634,The file references a group of API,api: security, count: 3,3
1633,The file references a group of hint,hint: dos-message, count: 1,3
1633,The file references a group of hint,hint: utility, count: 3,3
1633,The file references a group of hint,hint: registry, count: 1,3
1633,The file references a group of hint,hint: file, count: 10,3
1633,The file references a group of hint,hint: url-pattern, count: 1,3
1633,The file references a group of hint,hint: privilege, count: 1,3
1268,The file references whitelist string(s),count: 2,4
1050,The file uses Control Flow Guard (CFG) as software security defense,status: no,4
1100,The file opts for Data Execution Prevention (DEP) as software security defense,status: yes,4
1102,The file opts for Address Space Layout Randomization (ASLR) as software security defense,status: yes,4
1043,The file contains a Manifest,status: yes,4
1106,The file opts for Stack Buffer Overrun Detection (GS) as software security defense,status: no,4
1040,The file contains a digital Certificate,status: no,4
1109,The file opts for Code Integrity (CI) a software security defense,status: no,4
1287,The file subsystem has been found,type: GUI,4
1215,The file-ratio of the section(s) has been determined,ratio: 26.41%,4
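The reporter's tool output above places a Nullsoft archive in the overlay at offset 0x0000C408 with size 135966 (rule 1525) and rates the overlay at 73.04 % of the file (rule 1003). The two findings agree with the file size on the page: 186'142 - 135'966 = 50'176 = 0xC400, so the overlay starts at 0xC400 (a 512-byte boundary, which is where the NSIS stub looks for its data), and the reported 0xC408 is the 12-byte "NullsoftInst" magic, which sits 8 bytes into NSIS's 28-byte firstheader (flags, 0xDEADBEEF, magic, two lengths). The Python below is an example added to this page, not MalwareBazaar's code or the reporter's tooling: it walks the section table to find where the mapped image ends, measures and hashes the overlay, and checks it for that firstheader. The PE image and NSIS-style blob it analyses are constructed inline so it runs offline; the only external layout it relies on is the firstheader struct from the NSIS source (exehead/fileform.h).

```python
"""Locate a PE file's overlay, fingerprint it, and test it for an NSIS archive.

Added example for this page, not MalwareBazaar's or the reporter's code.  The
PE image and NSIS-style overlay it analyses are constructed inline so it runs
offline; the firstheader layout is NSIS's own (exehead/fileform.h)."""
import hashlib
import struct
import sys

NSIS_SIGINFO = 0xDEADBEEF      # firstheader.siginfo
NSIS_MAGIC = b"NullsoftInst"   # the three ints after siginfo, as bytes


def overlay_offset(data: bytes) -> int:
    """Offset where the mapped image ends and the overlay begins.

    The loader maps only what the section table describes, so everything past
    the highest PointerToRawData + SizeOfRawData is overlay: the place where
    installers such as NSIS and many packers keep their payload.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_opt_hdr
    end = sect_table + 40 * num_sections          # the headers are image too
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def analyse_overlay(data: bytes) -> dict:
    """Overlay size/ratio/SHA-256 plus a check for the 28-byte NSIS firstheader:
    int flags; int siginfo=0xDEADBEEF; char magic[12]="NullsoftInst";
    int length_of_header; int length_of_all_following_data."""
    start = overlay_offset(data)
    overlay = data[start:]
    result = {
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "overlay_ratio": round(100.0 * len(overlay) / len(data), 2),
        "overlay_sha256": hashlib.sha256(overlay).hexdigest(),
        "nsis": False,
        "nsis_signature_offset": None,
    }
    if len(overlay) >= 28:
        _flags, siginfo = struct.unpack_from("<II", overlay, 0)
        if siginfo == NSIS_SIGINFO and overlay[8:20] == NSIS_MAGIC:
            hdr_len, archive_len = struct.unpack_from("<II", overlay, 20)
            result.update(nsis=True, nsis_signature_offset=start + 8,
                          nsis_header_len=hdr_len, nsis_archive_len=archive_len)
    return result


# ---- constructed test input (not a real installer) -------------------------
def build_demo_pe(overlay: bytes) -> bytes:
    """Minimal, non-runnable PE32 with two sections, `overlay` appended."""
    num_sections, size_opt, file_align = 2, 0xE0, 0x200
    sect_table = 0x40 + 4 + 20 + size_opt
    hdr_padded = -(-(sect_table + 40 * num_sections) // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)            # PE32 magic
    table, body, ptr = b"", b"", hdr_padded
    for i, (name, size) in enumerate(((b".text", 0x400), (b".rdata", 0x200))):
        table += struct.pack("<8sIIIIIIHHI", name, size, 0x1000 * (i + 1),
                             size, ptr, 0, 0, 0, 0, 0x60000020)
        body += b"\x90" * size
        ptr += size
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_padded, b"\0")
    return headers + body + overlay


def build_demo_nsis_overlay(payload: bytes) -> bytes:
    """Fake NSIS firstheader in front of a stand-in for the compressed data."""
    return (struct.pack("<II", 0x80, NSIS_SIGINFO) + NSIS_MAGIC
            + struct.pack("<II", len(payload), 28 + len(payload)) + payload)


DEMO_PAYLOAD = b"\x5d\x00\x00\x80\x00" + bytes(range(256)) * 8   # constructed blob


def demo() -> dict:
    return analyse_overlay(build_demo_pe(build_demo_nsis_overlay(DEMO_PAYLOAD)))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else None
    for key, value in (analyse_overlay(blob) if blob else demo()).items():
        print(f"{key}: {value}")
```

Run it with a sample path as the only argument to analyse a real file, or with no arguments to analyse the constructed PE. The overlay SHA-256 is worth recording alongside the file hashes: an NSIS exehead stub produces the same imphash whatever it wraps, which is why this sample's imphash is shared with GuLoader, AgentTesla and AZORult samples, while a hash of the overlay pivots on the payload rather than the stub.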