MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72c22d9c2150b022f3f15e30bfd2d76435d4091b99a0e443c96dcb4c48aa5539. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72c22d9c2150b022f3f15e30bfd2d76435d4091b99a0e443c96dcb4c48aa5539
SHA3-384 hash: d62fe1932dc2c726bb92cafc0b9734ef315aeaed017d69312c7e61a6d31a80d8b9c8f4136030b4de4edda15385b2c550
SHA1 hash: 96fb215bdf206e28107535cb0be7e91c724e8628
MD5 hash: 08848e849c6d54a362b67b9800772466
humanhash: twelve-potato-july-pasta
File name:08848e849c6d54a362b67b9800772466
Download: download sample
File size:1'319'850 bytes
First seen:2021-06-19 11:13:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:ZBq1ZO1DQmhbBRHw1/Qhai/q173lkp2Cc0HBs5yCmF3D1lqAPqViuWJ4Cuj/2X:61ZO1DQmd3QWTS13tzxy7F3TyVGJ4CSE
Threatray 188 similar samples on MalwareBazaar
TLSH 4A552383E7B6C46FF3F60AB15372AD980D77F9912930D225A131CAEE38705428594B8E
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ecb8aac99c1ad1a2aeec5aa3f19ad8c0.exe
Verdict:
Malicious activity
Analysis date:
2021-06-19 09:44:17 UTC
Tags:
stealer trojan loader
Link:
https://app.any.run/tasks/84da801f-48f3-4813-a17c-723266df33e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Terse
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167035/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/615b55a7-2abf-4ab8-9c1d-43514b99f9b6
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804718
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 437129 Sample: URdei0IzsX Startdate: 19/06/2021 Architecture: WINDOWS Score: 100 79 Found malware configuration 2->79 81 Antivirus / Scanner detection for submitted sample 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 7 other signatures 2->85 11 URdei0IzsX.exe 25 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 55 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->55 dropped 57 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->57 dropped 59 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->59 dropped 61 3 other files (none is malicious) 11->61 dropped 18 vpn.exe 7 11->18         started        20 4.exe 4 11->20         started        process5 file6 24 cmd.exe 1 18->24         started        51 C:\Users\user\AppData\...\SmartClock.exe, PE32 20->51 dropped 89 Obfuscated command line found 20->89 27 SmartClock.exe 20->27         started        signatures7 process8 signatures9 91 Submitted sample is a known malware sample 24->91 93 Obfuscated command line found 24->93 95 Uses ping.exe to sleep 24->95 97 Uses ping.exe to check the status of other devices and networks 24->97 29 cmd.exe 3 24->29         started        32 conhost.exe 24->32         started        process10 signatures11 99 Obfuscated command line found 29->99 101 Uses ping.exe to sleep 29->101 34 Veduto.exe.com 29->34         started        37 PING.EXE 1 29->37         started        40 findstr.exe 1 29->40         started        process12 dnsIp13 87 May check the online IP address of the machine 34->87 43 Veduto.exe.com 3 19 34->43         started        65 127.0.0.1 unknown unknown 37->65 67 192.168.2.1 unknown unknown 37->67 53 C:\Users\user\AppData\...\Veduto.exe.com, Targa 40->53 dropped file14 signatures15 process16 dnsIp17 69 ip-api.com 208.95.112.1, 49744, 80 TUT-ASUS United States 43->69 71 htjBKVRBLSDkJHGMuwcYAPI.htjBKVRBLSDkJHGMuwcYAPI 43->71 63 C:\Users\user\AppData\Local\...\omsaljv.vbs, ASCII 43->63 dropped 47 wscript.exe 12 43->47         started        file18 process19 dnsIp20 73 iplogger.org 88.99.66.31, 443, 49747 HETZNER-ASDE Germany 47->73 75 System process connects to network (likely due to code injection or exploit) 47->75 77 May check the online IP address of the machine 47->77 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72c22d9c2150b022f3f15e30bfd2d76435d4091b99a0e443c96dcb4c48aa5539/
Threat name:
Win32.Trojan.Doina
Create hunting rule
Status:
Malicious
First seen:
2021-06-19 11:14:12 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
04c7a8fc8e75fa2a6f788b3c92cd46d6d99a517add2f875d9fdf8b4377d54acf
056cc0e43fd5b75d6aaa8ab8651394428b1751c538b92aaa088ee3ff79efc20f
164f6dd9a77be0fc7425a9f97873435bdade7dc85da44c27474d2187395dfac6
4b21de4f5c03de8e7e85bbdc317bd1050ba7bce099c1ba1cafb949ccadff90a2
6f8ce60168331070f8ca906c9c5e4d53e22b9b72a57c6e0c65bf6f83979d310f
7893541b010d78ca63a1f443f01f7f4100f1782eabfa486d53191d53646dd150
834ccdd87931ab88f011372377befbafda51abccff557c7dd3e01682580716fb
e2627edaef3e465cadfb84b250bc0d47cef26af5d2334e5f49ab38d8f919b511
e5dae08e748e408a4a256bd0c5d216281596a20399ea0127ac35b1661248b3ea
f2a7cc00ce9933490e51df2d5df9e7b0b2165c73297a9fa8a99fbf51b85926b8
+ 178 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210619-smze8vhtbx/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/2dc7a099-338e-4370-b5ed-065d1f840af0/
SH256 hash:
abee7d742bc385cb830674072d722dd01c222b4368991ae65c787b4ca6dd871b
MD5 hash:
ab5dd346737d8344bb7a4f35f7738c3f
SHA1 hash:
96176b4dace87d1578fb86559c3f8e535895a1bd
Link:
https://www.unpac.me/results/2dc7a099-338e-4370-b5ed-065d1f840af0/
SH256 hash:
f364b8d3c1157a6beac0086284ba75ceced01053b72f06dd43931ba38770d8b9
MD5 hash:
e328b543a785f9cbeb7937d02d1fbaef
SHA1 hash:
8cfb1d6a6e07d5688674f44d2bd9c04aa8c2b381
Link:
https://www.unpac.me/results/2dc7a099-338e-4370-b5ed-065d1f840af0/
SH256 hash:
72c22d9c2150b022f3f15e30bfd2d76435d4091b99a0e443c96dcb4c48aa5539
MD5 hash:
08848e849c6d54a362b67b9800772466
SHA1 hash:
96fb215bdf206e28107535cb0be7e91c724e8628
Link:
https://www.unpac.me/results/2dc7a099-338e-4370-b5ed-065d1f840af0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72c22d9c2150b022f3f15e30bfd2d76435d4091b99a0e443c96dcb4c48aa5539

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 72c22d9c2150b022f3f15e30bfd2d76435d4091b99a0e443c96dcb4c48aa5539

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1379176/
Cape
Cape
https://www.capesandbox.com/analysis/167035/

Comments