MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 756c2e4a778391cf046be9510aee12e3a0e6c4dce5ea611e12a8a3dac4036e60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 756c2e4a778391cf046be9510aee12e3a0e6c4dce5ea611e12a8a3dac4036e60
SHA3-384 hash: 3e3ddcf794532a33a5124a93756e8e53c4bd056c7917ae40158cbc3121b8bfd0ee9deb5a95eada91a8c5533cca5419cb
SHA1 hash: 5976517d3b4a995bd12f90941c5784b0a28a31d2
MD5 hash: 475880f172741a930076250ca3f92c41
humanhash: sweet-seven-cup-artist
File name:file
Download: download sample
File size:121'856 bytes
First seen:2022-11-09 22:29:02 UTC
Last seen:2022-11-10 01:01:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cc23d3a92200e5031ef25f5da6b82bb
ssdeep 3072:IzcZu6we3I4pJ7ByhdPqS3TguvqUVd0FRqcpTAdRD4hvH:I4rP25TgEzLMpH
TLSH T1E8C36C017AE2C072D576153504E6EEA18A3DF8340B289EEBBF85153D4E207D17A37E6B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter jstrosch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-09 22:32:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e156cf6-aa52-468d-8082-a16e7a4329f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331492/
Detection(s):
SecuriteInfo.com.Variant.Midie.117938.9855.19664.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Downloading the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware rat
Link:
https://www.filescan.io/uploads/636c29b55ae98d5770689f45/reports/dd2a1fe5-a14e-455e-9d40-883c6a50e72a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2ff2e4c9-f7b7-4dfd-9630-ef738cb934b3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1109813
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Powershell Download and Execute IEX
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 742488 Sample: file.exe Startdate: 09/11/2022 Architecture: WINDOWS Score: 80 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Sigma detected: Powershell Download and Execute IEX 2->43 45 Machine Learning detection for sample 2->45 9 file.exe 13 2->9         started        process3 dnsIp4 37 vinarijavojnovic.rs 37.48.106.204, 443, 49702, 49703 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 9->37 47 Self deletion via cmd or bat file 9->47 49 Contains functionality to compare user and computer (likely to detect sandboxes) 9->49 13 cmd.exe 1 9->13         started        16 cmd.exe 1 9->16         started        signatures5 process6 signatures7 51 Uses ping.exe to check the status of other devices and networks 13->51 18 PING.EXE 1 13->18         started        21 conhost.exe 13->21         started        23 powershell.exe 14 16 16->23         started        25 conhost.exe 16->25         started        process8 dnsIp9 31 127.0.0.1 unknown unknown 18->31 27 MpCmdRun.exe 1 21->27         started        33 vinarijavojnovic.rs 23->33 35 62.233.57.95, 49710, 80 DivisionWRSBE unknown 23->35 process10 process11 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/756c2e4a778391cf046be9510aee12e3a0e6c4dce5ea611e12a8a3dac4036e60/
Threat name:
Win32.Trojan.Midie
Create hunting rule
Status:
Malicious
First seen:
2022-11-09 22:30:10 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
18 of 39 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovwc4stxqoi46bdl5fiqv3qs4oqonrg44xvgchqsvcr5vradnzqa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/221109-2d8e2aedhn/
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://vinarijavojnovic.rs/assets/js/config_20.ps1
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/65374a0d-1c28-410f-a25c-6d0dcdb79a3e
Unpacked files
SH256 hash:
756c2e4a778391cf046be9510aee12e3a0e6c4dce5ea611e12a8a3dac4036e60
MD5 hash:
475880f172741a930076250ca3f92c41
SHA1 hash:
5976517d3b4a995bd12f90941c5784b0a28a31d2
Link:
https://www.unpac.me/results/34ca68e6-1dcc-4378-bf1f-1fa1aa185291/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/756c2e4a778391cf046be9510aee12e3a0e6c4dce5ea611e12a8a3dac4036e60

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 756c2e4a778391cf046be9510aee12e3a0e6c4dce5ea611e12a8a3dac4036e60

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/331492/
  
URLhaus
https://urlhaus.abuse.ch/url/2406514/

Comments