MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75a1f0f7f26548f9b76508352ee9a3acd413d9729abb22bde088f9784e6e23f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adhubllka

Vendor detections: 10

SHA256 hash: 75a1f0f7f26548f9b76508352ee9a3acd413d9729abb22bde088f9784e6e23f4
SHA3-384 hash: f09aca44e5500ee1bc9fc3a85ea737d8a7198d3dfb4da91c9e0193bbd48c16f48aff4799ff92a3259309ea9b5aabca69
SHA1 hash: 29940bc3ac0dfcfcc27a3094635e76f1895dcca9
MD5 hash: ae3353674bf514175deda25b96496a83
humanhash: william-coffee-spring-california
File name: ae3353674bf514175deda25b96496a83
Signature: Adhubllka
File size: 627'712 bytes
First seen: 2021-12-11 01:21:47 UTC
Last seen: 2021-12-11 05:27:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:G5tkTxALxNHCRUPLV6/ILEQlKH6y5hGq:G5ex69CRUPh62EQ26y5
TLSH: T1EAD48D1027E88619F2FF2B78D9B115118F72B9C2FC3AD75D1E49D09C28AA790CE64763
Reporter: zbetcheckin
Tags: 32 Adhubllka exe
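The imphash line deserves a caveat before anyone pivots on it. The vendor results further down identify this file as a .NET executable (PE (.Net Exe)), and a managed executable's native import table normally holds a single entry, mscoree.dll!_CorExeMain, so every plain .NET binary produces the same imphash regardless of family. That is why the entry reports this hash alongside tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, all .NET stealers. The Python below is an added example, not MalwareBazaar's or pefile's code: it reimplements the algorithm pefile's get_imphash() applies (module name lower-cased with a .dll/.ocx/.sys extension dropped, function name lower-cased, entries comma-joined in import order, MD5) over an import list given by hand, because the sample itself is not on the page. The NATIVE_IMPORTS list is constructed for comparison and is not taken from any real file, and pefile's ordinal-to-name table for ws2_32/oleaut32 is deliberately not reproduced.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# One import entry: (module name as written in the import directory,
# function name or None, ordinal or None).
ImportEntry = Tuple[str, Optional[str], Optional[int]]


def _normalize_dll(dll: str) -> str:
    """Lower-case the module name and drop a .dll/.ocx/.sys extension,
    the same normalisation pefile's get_imphash() performs."""
    name = dll.lower()
    stem, _, ext = name.rpartition(".")
    if ext in ("dll", "ocx", "sys"):
        return stem
    return name


def imphash(imports: Iterable[ImportEntry]) -> str:
    """Import hash: MD5 over 'module.function' strings joined by commas,
    in import-table order. An import by ordinal with no name becomes
    'ordN', which is pefile's fallback when the ordinal is not in its
    lookup table (pefile resolves known ws2_32/oleaut32 ordinals to
    names; that table is not reproduced here)."""
    parts = []
    for dll, func, ordinal in imports:
        lib = _normalize_dll(dll)
        if func is None:
            if ordinal is None:
                raise ValueError("import entry needs a name or an ordinal")
            func = f"ord{ordinal}"
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# A managed (.NET) EXE's native import table normally contains exactly
# this one entry; the CLR loader resolves everything else at run time.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain", None)]

# Constructed native import table for comparison (not from any real sample).
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW", None),
    ("KERNEL32.dll", "WriteFile", None),
    ("ADVAPI32.dll", "CryptEncrypt", None),
    ("WS2_32.dll", None, 115),  # ordinal-only import; emitted as ord115 here
]


def dotnet_imphash() -> str:
    """The imphash shared by every plain .NET executable."""
    return imphash(DOTNET_EXE_IMPORTS)


def is_generic_dotnet_imphash(value: str) -> bool:
    """True when an imphash identifies the .NET runtime stub rather than a
    family, i.e. when it is useless as a clustering pivot."""
    return value.lower() == dotnet_imphash()


if __name__ == "__main__":
    entry_imphash = "f34d5f2d4577ed6d9ceec516c1f5a744"  # value on this MalwareBazaar entry
    print("computed .NET imphash :", dotnet_imphash())
    print("entry imphash         :", entry_imphash)
    print("generic .NET stub     :", is_generic_dotnet_imphash(entry_imphash))
    print("native example imphash:", imphash(NATIVE_IMPORTS))
```

On a real file, pefile.PE(path).get_imphash() returns the same value; when it equals the .NET stub hash, cluster on TLSH, ssdeep or the family YARA rule instead, since the imphash only says "this is a .NET EXE".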

Intelligence


File Origin
# of uploads: 2
# of downloads: 211
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: ae3353674bf514175deda25b96496a83
Verdict: Suspicious activity
Analysis date: 2021-12-11 01:24:53 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects every action taken during the analysis session, not only the uploaded sample.
Result
Verdict: Malware
Behaviour:
Launching a process
Creating a file
Creating a window
DNS request
Moving a recently created file
Changing a file
Searching for synchronization primitives
Modifying an executable file
Creating a file in the Program Files subdirectories
Creating synchronization primitives
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Modifying a system executable file
Searching for the window
Launching a service
Forced shutdown of a system process
Unauthorized injection to a system process
Encrypting user's files
Forced shutdown of a browser

Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Malware family: BitRansomware
Verdict: Malicious
Result
Threat name: Cryptolocker
Detection: malicious
Classification: rans.spre.evad
Score: 96 / 100
Signatures:
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Drops executable to a common third party application directory
Found ransom note / readme
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Cryptolocker ransomware
Result
Threat name: ByteCode-MSIL.Ransomware.Lockbit
Status: Malicious
First seen: 2021-12-11 01:22:11 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence ransomware
Behaviour:
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Modifies Installed Components in the registry
Modifies extensions of user files
Unpacked files

SHA256 hash: fd43b492b6e9990901d234a9497e6f0b44b4bec4a37d3620a895740665803679
MD5 hash: 9043039824d34a79ce01f21f411c9598
SHA1 hash: fbb65849cdfcfd0bdf4e08ba55b4ff235043cb71

SHA256 hash: f190721e8c858ff42ffe205a3cc19efce5b89b88433a2fd622b6a01212768ba4
MD5 hash: c3c0cd62b065d253994bca6675f9d2c9
SHA1 hash: c7b76548f854623b49110fdad884c717253b49ab

SHA256 hash: 8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be
MD5 hash: 4abff34e351e4e95514aecb515e8aea3
SHA1 hash: 742702e8c78e7cf19f19e56a6cdb2d1811759710

SHA256 hash: 1ab4444527a742a137f8be97d635e1907304e9837bcbd63af809e35e5ce9c9f8
MD5 hash: bb7207232e4554465fd470a61c534280
SHA1 hash: 568f6748db0ec4ae33943f0694e09510feed5dd3
Detections: win_adhubllka_a0 win_adhubllka_auto

SHA256 hash: 70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash: 5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash: 0bc54fd699fff7b93e5c447a141c0d904924ab0d

SHA256 hash: 907f0d5fbd404308faaf932289cd092ac707c02a5ac5556c0ed021f33e513be1
MD5 hash: 36c6941c74185a88c997f4876b425b12
SHA1 hash: 0340d632b67a4e71a669e6992b2c2478deb04880

SHA256 hash: a628884894e0825a4d751acd605bbf4c813587d1bcde4903e22386f9ac4b4ac1
MD5 hash: 44ec932c55971fa0b9883dedf2d4f363
SHA1 hash: c6cfff265af6fd7022b5dcac86f138969132f1fd

SHA256 hash: a40cba22fdee3d064f052f09709c9f0b74645277fc57da7ae4aa31a0dadc7fad
MD5 hash: 34612f92cbe5f1f674ec8430641997c6
SHA1 hash: 899f8a2b98417fcfb3df0afd4ada5b8887d5eff1

SHA256 hash: c93c4d1201c3997767d547f70386bc20878320cd9b13e326c4cf5306b7689f76
MD5 hash: fd4449f99ef1d40408123ec1c380cedd
SHA1 hash: 4d350a38fac261091d4706f4d0994cd94fc8315e

SHA256 hash: 0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash: 13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash: e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd

SHA256 hash: ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash: a35ee23aaab26afc575ac83df9572b57
SHA1 hash: 81ea38c694ce9702faddfb961f17c1bbf628a76d

SHA256 hash: 75a1f0f7f26548f9b76508352ee9a3acd413d9729abb22bde088f9784e6e23f4 (this sample)
MD5 hash: ae3353674bf514175deda25b96496a83
SHA1 hash: 29940bc3ac0dfcfcc27a3094635e76f1895dcca9

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_adhubllka_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.adhubllka.
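The first rule above, INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture, fires when the TimeDateStamp in the PE's COFF file header is later than the time of the scan. The Python below is an added example, not the rule author's code: it assumes the rule's condition is the YARA comparison pe.timestamp > time.now() that the description implies, reads the timestamp straight from the PE headers with the standard library, and constructs a minimal PE header as input because the sample itself is not on the page (the constructed header is not a loadable image). One caveat for this entry in particular: the vendor results classify the file as a .NET executable, and Roslyn's deterministic compilation writes a content-derived value into TimeDateStamp rather than a real build time, so managed binaries trip this rule regularly without any attacker stomping the field; on its own the match is weak evidence.

```python
import struct
import time
from datetime import datetime, timezone
from typing import Optional

# Offsets from the PE/COFF specification: e_lfanew is the DWORD at 0x3C of
# the DOS header; the COFF file header follows the 4-byte "PE\0\0"
# signature, and TimeDateStamp is the DWORD at offset 4 within that header
# (after Machine and NumberOfSections).
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
TIMESTAMP_OFFSET_IN_FILE_HEADER = 4


def pe_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp of a PE image held in memory.
    Raises ValueError when the buffer does not look like a PE file."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    ts_offset = e_lfanew + 4 + TIMESTAMP_OFFSET_IN_FILE_HEADER
    if len(data) < ts_offset + 4:
        raise ValueError("truncated COFF file header")
    (timestamp,) = struct.unpack_from("<I", data, ts_offset)
    return timestamp


def timestamp_in_future(data: bytes, now: Optional[float] = None) -> bool:
    """Python equivalent of the assumed YARA condition
    'pe.timestamp > time.now()': True when the compile timestamp lies
    after the current (or supplied) Unix time."""
    now = time.time() if now is None else now
    return pe_timestamp(data) > now


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed test input: DOS header with e_lfanew, PE signature and a
    COFF file header carrying the given TimeDateStamp. Just enough for the
    two functions above; it is not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # COFF header fields: Machine (IMAGE_FILE_MACHINE_I386), NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    stomped = build_minimal_pe(0xF0000000)  # far-future stamp (year 2097)
    honest = build_minimal_pe(1639180800)   # 2021-12-11 00:00:00 UTC
    for label, blob in (("stomped", stomped), ("honest", honest)):
        ts = pe_timestamp(blob)
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        print(f"{label}: TimeDateStamp={ts} ({when}) future={timestamp_in_future(blob)}")
```

On a real file, pass open(path, "rb").read() to timestamp_in_future(); pefile exposes the same DWORD as pefile.PE(path).FILE_HEADER.TimeDateStamp. Because the comparison is against wall-clock time, a sample flagged today stops matching once the stamped date passes, so record the raw value rather than only the verdict.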

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Adhubllka
File: Executable exe 75a1f0f7f26548f9b76508352ee9a3acd413d9729abb22bde088f9784e6e23f4 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-12-11 01:21:49 UTC

url: hxxp://formula-smaku.com/log/101.exe