MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77d1c06b1f52455505ad8e1af3d2182c13682dda7bda13185879c4c4a4018d04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 77d1c06b1f52455505ad8e1af3d2182c13682dda7bda13185879c4c4a4018d04
SHA3-384 hash: c5b9450a8ab4a6bbd4980b2cffb871f873254492b928eed4ccd89a7ed866bf10330f734121ddf5e7fc5f5a5f127bb205
SHA1 hash: aab1edfa0a6f54e6df6220bb9baec3362d887999
MD5 hash: 33fbb6a8cbe0d48cb59ba786d8d2854e
humanhash: friend-cold-chicken-august
File name: ees-engineering-equa-77qoTbbjYW.exe
File size: 5'827'365 bytes
First seen: 2022-03-07 10:59:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'510 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 98304:3S+4t3eTm2jzqawT2tIDuXxW1eGSlc2UYpgrlGRFyhkdcq3MvOYAW+qAV:ixmm2PBwPKQeGV2yrYjyhGz3MwqAV
Threatray: 116 similar samples on MalwareBazaar
TLSH: T137463333595A7639C114C278BEB42359CFA7B8A637361A9D727FC3B647322632844372
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter TeamDreier
Tags:exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 199
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 56 / 100
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 584226; the rendered graph is not reproduced here, its recoverable content is listed as text):
Sample: ees-usering-equa-77qoTbbjYW.exe
Start date: 07/03/2022
Architecture: WINDOWS
Score: 56
Graph signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
Process tree:
ees-usering-equa-77qoTbbjYW.exe (the submitted sample)
    drops C:\Users\user\AppData\Local\...\is-LTGA4.tmp (PE32)
    is-LTGA4.tmp
        drops C:\...\DDT - Pen Drive Recovery(Demo).exe (PE32)
        drops C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32)
        drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        drops 6 other files (none is malicious)
        DDT - Pen Drive Recovery(Demo).exe (first instance)
            network: gilbldpi.com, 188.114.96.7 port 80 (local port 49761), CLOUDFLARENETUS, European Union
            network: 188.114.97.7 port 80 (local port 49788), CLOUDFLARENETUS, European Union
            spawns WerFault.exe (three instances) and 3 other processes
        DDT - Pen Drive Recovery(Demo).exe (second instance)
            spawns WerFault.exe
        schtasks.exe (first instance)
            spawns conhost.exe
        schtasks.exe (second instance)
            spawns conhost.exe
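Two of the behaviours the sandbox reports for this tree (a process launched from a file that was just written to disk, and schtasks.exe started by a parent running out of a temp directory) are the kind of thing a detection engineer turns into rules. The following is an added example, not code from MalwareBazaar or from any of the vendors quoted on this page: it runs simple detection logic over constructed Sysmon-style process-creation and file-creation events that are modelled on the process tree above. All PIDs, timestamps, full paths and schtasks command lines in the events are hypothetical (the page only gives truncated paths and no command lines).

```python
"""Added example: detection logic for two behaviours reported for this sample,
run over constructed Sysmon-style events. Not vendor or MalwareBazaar code."""
import ntpath
from datetime import datetime, timedelta

# Directories an installer stub or dropper commonly executes from.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# The task-scheduler binaries named in the vendor signature.
SCHEDULER_BINARIES = {"schtasks.exe", "at.exe"}


def in_temp_dir(path):
    """True if the path sits under a user or system temp directory."""
    p = path.lower()
    return any(t in p for t in TEMP_DIRS)


def process_from_recent_file(events, window=timedelta(seconds=60)):
    """Return PIDs of processes whose image was written to disk within
    `window` before launch ('creating a process from a recently created file')."""
    created = {}
    for e in events:
        if e["type"] == "file_create":
            created[e["path"].lower()] = datetime.fromisoformat(e["time"])
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        when = created.get(e["image"].lower())
        if when is None:
            continue
        age = datetime.fromisoformat(e["time"]) - when
        if timedelta(0) <= age <= window:
            hits.append(e["pid"])
    return hits


def scheduler_from_temp(events):
    """Return (pid, cmdline) for schtasks.exe/at.exe launched by a parent
    running out of a temp directory ('uses schtasks.exe or at.exe ...')."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for e in by_pid.values():
        if ntpath.basename(e["image"]).lower() not in SCHEDULER_BINARIES:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is not None and in_temp_dir(parent["image"]):
            hits.append((e["pid"], e["cmdline"]))
    return hits


# Constructed events mirroring the tree on this page:
# sample.exe -> is-LTGA4.tmp -> {DDT - Pen Drive Recovery(Demo).exe, schtasks.exe x2}.
# PIDs, times, full paths and command lines are hypothetical.
EVENTS = [
    {"type": "process_create", "time": "2022-03-07T10:00:00", "pid": 3, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "time": "2022-03-07T10:59:20", "pid": 8, "ppid": 3,
     "image": r"C:\Users\user\Desktop\ees-usering-equa-77qoTbbjYW.exe",
     "cmdline": "ees-usering-equa-77qoTbbjYW.exe"},
    {"type": "file_create", "time": "2022-03-07T10:59:21",
     "path": r"C:\Users\user\AppData\Local\Temp\is-LTGA4.tmp"},
    {"type": "process_create", "time": "2022-03-07T10:59:22", "pid": 11, "ppid": 8,
     "image": r"C:\Users\user\AppData\Local\Temp\is-LTGA4.tmp", "cmdline": "is-LTGA4.tmp"},
    {"type": "file_create", "time": "2022-03-07T10:59:25",
     "path": r"C:\Program Files (x86)\DDT\DDT - Pen Drive Recovery(Demo).exe"},
    {"type": "process_create", "time": "2022-03-07T10:59:27", "pid": 15, "ppid": 11,
     "image": r"C:\Program Files (x86)\DDT\DDT - Pen Drive Recovery(Demo).exe",
     "cmdline": "DDT - Pen Drive Recovery(Demo).exe"},
    {"type": "process_create", "time": "2022-03-07T10:59:28", "pid": 20, "ppid": 11,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn HypotheticalTask /tr <hypothetical> /sc onlogon"},
    {"type": "process_create", "time": "2022-03-07T10:59:28", "pid": 22, "ppid": 11,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /change /tn HypotheticalTask /enable"},
    # Benign control: Explorer running schtasks.exe must not fire the rule.
    {"type": "process_create", "time": "2022-03-07T11:05:00", "pid": 40, "ppid": 3,
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /query"},
]

if __name__ == "__main__":
    print("processes from recently created files:", process_from_recent_file(EVENTS))
    print("scheduler launched from temp:", scheduler_from_temp(EVENTS))
```

Run against the constructed events, the first rule flags the installer stub (PID 11) and the dropped demo application (PID 15), and the second flags both schtasks.exe launches under the stub but not the benign `schtasks /query` from Explorer. On real telemetry the 60-second window and the temp-directory list are the knobs to tune; Windows Error Reporting (WerFault.exe) spawning from the crashed child, which this tree also shows, is better treated as corroborating context than as a rule of its own.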
Threat name: Win32.Trojan.Ekstak
Status: Malicious
First seen: 2022-03-07 05:29:00 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 10 of 27 (37.04%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 6afc6bb59a30ea105c7d8713433e7a7598722c269106c96b60b55785bc7a01ae
MD5 hash: 789a1bd0362e41564a1bc5e6dc886c97
SHA1 hash: 75e71afa593bb7655f3d3baeb140fcd98e32000f

SHA256 hash: 41bbeabbdb9ac202c550e36f45a90a0a33f659289dc5d5376df423a2ef0439ce
MD5 hash: 9fabef880a2797bb27fb4a3a0ede8a5d
SHA1 hash: 603949c132cbc7e0ffbe90d7001e057d8286d9d6

SHA256 hash: 0c04ccd15ca75564ff877f63adbeb8d957e3566e81218a819f21ade7fb1ab5eb
MD5 hash: 8154fdb2fdbb88c50d9b0a24ef7df298
SHA1 hash: e04c3629700b3e0903641f50b96c7878d58dd4e0

SHA256 hash: 434baaf40249bc4731be05b0842226fb2e7846b812e006f6a00a43bb1f7ecbf8
MD5 hash: eb9ff059374c001bf7ebb0990aa98e1b
SHA1 hash: 0a247f9f34cfbb6811cb0c767cd284ca2a088332

SHA256 hash: 77d1c06b1f52455505ad8e1af3d2182c13682dda7bda13185879c4c4a4018d04 (the submitted sample itself)
MD5 hash: 33fbb6a8cbe0d48cb59ba786d8d2854e
SHA1 hash: aab1edfa0a6f54e6df6220bb9baec3362d887999
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments