MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 746f5d251c0d3883fd7a4d5775acdf6c12417f1365fc9db57a549f528ccd91dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 746f5d251c0d3883fd7a4d5775acdf6c12417f1365fc9db57a549f528ccd91dc
SHA3-384 hash: e6477debb68e1959c208a33993e8dc5c028f36b91f20b54b85af314f7c5fa60a5ab4e698bfbaf676313a0ad865ac6e47
SHA1 hash: 53131b7e90cb0891bd5cd43721a0207c0903ea51
MD5 hash: bfabce83cee13bb8b8d72f5c38e2af65
humanhash: sixteen-winter-missouri-violet
File name:bfabce83cee13bb8b8d72f5c38e2af65
Download: download sample
File size:756'736 bytes
First seen:2023-06-25 21:04:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:CrN1NPZhO1obm3aZa/T6ioQ2+6XTNbJy7FF53D6HeHoASstzTTdR62sSwBz8zI2:ozIGO2Uv6jJJ03GBstzTTa6zL
Threatray 615 similar samples on MalwareBazaar
TLSH T1B8F4026433881F12C6AF47B4E4A1974497BAD74FA58FA3BF988054E57883BF09D21363
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:64 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bfabce83cee13bb8b8d72f5c38e2af65
Verdict:
Malicious activity
Analysis date:
2023-06-25 21:05:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9909695f-3464-4cf4-ac09-058a8d9e2d0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/402719/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.91081.31546.6680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/6498ac04942dd42877bab90b/reports/3912f9fc-c2cd-4f4c-89f5-b26ea16aad30/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/746f5d251c0d3883fd7a4d5775acdf6c12417f1365fc9db57a549f528ccd91dc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e5959b11-36f2-453f-a0b8-c65186796408
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1261142
Signature
.NET source code contains potential unpacker
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 894162 Sample: dOeKNIfVhQ.exe Startdate: 25/06/2023 Architecture: WINDOWS Score: 60 36 Multi AV Scanner detection for submitted file 2->36 38 .NET source code contains potential unpacker 2->38 6 dOeKNIfVhQ.exe 1 3 2->6         started        9 Wpiui.exe 3 2->9         started        12 Wpiui.exe 2 2->12         started        process3 file4 32 C:\Users\user\AppData\Roaming\Wpiui.exe, PE32+ 6->32 dropped 34 C:\Users\user\AppData\...\dOeKNIfVhQ.exe.log, CSV 6->34 dropped 14 dOeKNIfVhQ.exe 6->14         started        16 dOeKNIfVhQ.exe 6->16         started        18 dOeKNIfVhQ.exe 6->18         started        26 7 other processes 6->26 40 Multi AV Scanner detection for dropped file 9->40 20 Wpiui.exe 9->20         started        22 Wpiui.exe 9->22         started        24 Wpiui.exe 9->24         started        28 7 other processes 9->28 30 10 other processes 12->30 signatures5 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/746f5d251c0d3883fd7a4d5775acdf6c12417f1365fc9db57a549f528ccd91dc/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-06-25 21:05:10 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
9
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=orxv2ji4bu4ih7l2jvlxllg7nqjec7ytmx6j3nl2kspvfdgnshoa._file
Verdict:
malicious
Similar samples:
163f0f159705867530e310ee48ffb66a057fba8a236ca2473c3de1d2f9ea48c9
7cc8ef889a24d8be46158ed9525edb3efe4b872709edfe4c565fb562271969ee
8e81c784f79eb9358991ca3b1bab8c5d1ddaaa70a849fe7527ed005063d6c092
b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424
e62a32a33a570f93a15d0b1d4e8faf1ed30ea1aa15ec3e8bd9a0050cf557675d
ef7534cbfb9701ec011fa5354837d6504aa36631e67ee7e328e33e2b751ba413
fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
+ 605 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/230625-zw6m2seg26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SH256 hash:
746f5d251c0d3883fd7a4d5775acdf6c12417f1365fc9db57a549f528ccd91dc
MD5 hash:
bfabce83cee13bb8b8d72f5c38e2af65
SHA1 hash:
53131b7e90cb0891bd5cd43721a0207c0903ea51
Link:
https://www.unpac.me/results/bc1abf41-8068-482e-a709-49bae5de0ba1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/746f5d251c0d3883fd7a4d5775acdf6c12417f1365fc9db57a549f528ccd91dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 746f5d251c0d3883fd7a4d5775acdf6c12417f1365fc9db57a549f528ccd91dc

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/402719/
  
URLhaus
https://urlhaus.abuse.ch/url/2671698/

Comments


Avatar
zbet commented on 2023-06-25 21:04:51 UTC

url : hxxp://179.43.162.58/WARZERO.exe