MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d
SHA3-384 hash: 30ada0ac2a747cc12608aa4011ed3ed99798e4892310d75503abfa70bd4ba9a96f739f1132c064ff7c91f4c0a8c18cea
SHA1 hash: b7e4336cc17d6e982263c7dac0d7441179fcd7d4
MD5 hash: f3696bbcc913c9df56fc660729fc4e80
humanhash: twenty-carpet-bravo-mike
File name:jql.jar
Download: download sample
File size:2'562'873 bytes
First seen:2024-05-09 07:25:56 UTC
Last seen:2024-05-09 07:27:19 UTC
File type:Java file jar
MIME type:application/java-archive
ssdeep 49152:uRwxYxDymqTBaAvJjp9H9wFSCtf+iCk/PCIwcf3GDhO8ZxJDk1Zz9E+yCeaE:mwoymq1zvzbEfhl/PCXcOnxyjBRXE
TLSH T14FC5E137AE9BC478DE7784B351C282826C2FA9A8AD0B90FE13905DD54B60D470752FF9
TrID 72.9% (.JAR) Java Archive (13500/1/2)
21.6% (.ZIP) ZIP compressed archive (4000/1)
5.4% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter CyberRaiju
Tags:CryptoShuffler Downloader jar java TURS


Avatar
CyberRaiju
Java-based Malware Downloader/Backdoor from Fake Wasabi Wallet Installer:
https://bazaar.abuse.ch/sample/fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43/

User Agent: "Mozilla/5.0"
C2: https://dailynewspagechannel[.]com
Persistence: User Run Key
Purpose: Download and run executable or Java Archive tasked to it from the C2

Naming 'TURS Agent' in the absence of any known malware downloader family.

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
AU AU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d.jar
Verdict:
No threats detected
Analysis date:
2024-05-09 07:28:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aea00575-9456-4a5c-9677-3da4033fe1a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin remote
Link:
https://www.filescan.io/uploads/663c7a8c1c9796b80ab7479c/reports/11844945-2e5e-4a9a-ad41-efacfbb9f5ba/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1438802
Signature
Creates autostart registry keys to launch java
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Java Jar creates autostart registry key (Windows persistence behavior)
Sigma detected: Register Jar In Run Key
Sigma detected: Suspicious Processes Spawned by Java.EXE
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1438802 Sample: jql.jar Startdate: 09/05/2024 Architecture: WINDOWS Score: 72 33 dailynewspagechannel.com 2->33 41 Sigma detected: Register Jar In Run Key 2->41 43 Sigma detected: Suspicious Processes Spawned by Java.EXE 2->43 45 Uses cmd line tools excessively to alter registry or file data 2->45 47 3 other signatures 2->47 9 cmd.exe 2 2->9         started        signatures3 process4 process5 11 java.exe 25 9->11         started        16 conhost.exe 9->16         started        dnsIp6 35 dailynewspagechannel.com 191.96.144.23, 443, 49705, 49706 RAINBOWIDC-AS-APrainbownetworklimitedJP Chile 11->35 37 191.101.104.193, 443, 49735, 49736 ASDETUKhttpwwwheficedcomGB Chile 11->37 31 C:\Users\user\...\jna8371311898150714261.dll, PE32 11->31 dropped 49 Uses cmd line tools excessively to alter registry or file data 11->49 18 reg.exe 1 11->18         started        21 icacls.exe 1 11->21         started        23 reg.exe 1 1 11->23         started        file7 signatures8 process9 signatures10 39 Creates autostart registry keys to launch java 18->39 25 conhost.exe 18->25         started        27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        process11
Score:
73%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d/
Threat name:
Binary.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-05-09 05:02:24 UTC
File Type:
Binary (Archive)
Extracted files:
1147
AV detection:
3 of 38 (7.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=owoy5xfq7r5w5uui2zd4y367swmnsrfzejsu7lrotgos7ckapm6q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240509-h9hdyaff7t/
Behaviour
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Modifies file permissions
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

12aa4b952044a8e06d33e7dfde07bcac940d035b70cfedea0c7eac0de6a5653d

Java file jar 759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d

(this sample)

  
X
https://x.com/CyberRaiju/status/1788466982763012155
  
Dropped by
SHA256 12aa4b952044a8e06d33e7dfde07bcac940d035b70cfedea0c7eac0de6a5653d
  
Dropped by
SHA256 fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43
  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2844053/
  
Dropped by
MD5 7341162766507ed42bbc3a37fe72f96d

Comments