MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 788f243c7272debc26bf6d13bad89b2ecdf2e62d95c494f14afe89415e7b7435. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 788f243c7272debc26bf6d13bad89b2ecdf2e62d95c494f14afe89415e7b7435
SHA3-384 hash: 3a3b9fab81f7a5eb1b10477b212d3cc5fae27b179ff328be6ee25bfe90ec80e40904932496e1bd656342484012eff78d
SHA1 hash: 9390bf3a566d731f4158e431ecefe2cbd8d6829e
MD5 hash: 06b0995f7eeca1b735f9fd015f24f5df
humanhash: mississippi-december-saturn-blue
File name:Amidst 4.4 _ 4.5 Beta 1.exe
Download: download sample
File size:765'139 bytes
First seen:2022-02-24 19:19:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 5 x Adware.IObit, 5 x LummaStealer)
ssdeep 12288:uaHc64b888888888888W88888888888UjscV7TdjL47zdU5imIrvx33rD+zG/oBT:F869IW7uvmQvTtezG/aYFkJR30F6rp8S
Threatray 244 similar samples on MalwareBazaar
TLSH T1E0F41213B3C30031F4614A358C668044AD6779B919F550A62FFDEB4E4FBA7C69C7AB22
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter adm1n_usa32
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Amidst 4.4 _ 4.5 Beta 1.exe
Verdict:
Malicious activity
Analysis date:
2022-02-24 19:16:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/efa6029b-cf88-4794-924b-69eecce60e0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/244428/
Detection(s):
PUA.Win.Malware.Speedingupmypc-6718419-0
Create hunting rule

Win.Packed.Agentino-9863792-0
Create hunting rule

Win.Packed.Agentino-9874843-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
DNS request
Sending an HTTP POST request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7343/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6217da69a6f52d32f183e6b0/reports/40a8c970-b642-46e3-bca7-469bb9be9094/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/75414baa-9520-47b3-907d-66a7a521493a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/945993
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicius Schtasks From Env Var Folder
Uses 7zip to decompress a password protected archive
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 578474 Sample: Amidst 4.4 _ 4.5 Beta 1.exe Startdate: 24/02/2022 Architecture: WINDOWS Score: 48 64 Antivirus detection for dropped file 2->64 66 Antivirus / Scanner detection for submitted sample 2->66 68 Multi AV Scanner detection for dropped file 2->68 70 6 other signatures 2->70 9 Amidst 4.4 _ 4.5 Beta 1.exe 2 2->9         started        13 explorer.exe 7 10 2->13         started        process3 file4 56 C:\Users\user\...\Amidst 4.4 _ 4.5 Beta 1.tmp, PE32 9->56 dropped 78 Obfuscated command line found 9->78 15 Amidst 4.4 _ 4.5 Beta 1.tmp 3 22 9->15         started        signatures5 process6 dnsIp7 58 avkit.org 188.114.96.7, 49757, 80 CLOUDFLARENETUS European Union 15->58 60 www-google-analytics.l.google.com 15->60 44 C:\Users\user\AppData\Roaming\...\sitool.exe, PE32 15->44 dropped 46 C:\Users\user\AppData\Local\Temp\...\7za.exe, PE32 15->46 dropped 48 C:\Users\user\AppData\...\sitool.exe.config, XML 15->48 dropped 50 5 other files (4 malicious) 15->50 dropped 62 Uses 7zip to decompress a password protected archive 15->62 20 sitool.exe 4 15->20         started        24 7za.exe 2 15->24         started        26 7za.exe 2 15->26         started        28 2 other processes 15->28 file8 signatures9 process10 file11 52 C:\Users\user\AppData\Roaming\...\data.xml, XML 20->52 dropped 72 Antivirus detection for dropped file 20->72 74 Machine Learning detection for dropped file 20->74 76 Uses schtasks.exe or at.exe to add and modify task schedules 20->76 30 schtasks.exe 1 20->30         started        32 schtasks.exe 1 20->32         started        54 C:\Users\user\AppData\Local\Temp\...\form.exe, PE32 24->54 dropped 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        38 conhost.exe 28->38         started        signatures12 process13 process14 40 conhost.exe 30->40         started        42 conhost.exe 32->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/788f243c7272debc26bf6d13bad89b2ecdf2e62d95c494f14afe89415e7b7435/
Threat name:
Win32.Trojan.Addrop
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 19:20:15 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04740939cabdb6b6e742cc74d669672eadea15b28f49ecbe598c9400bc830628
066bdbaf5b5526cc3040573bea83da7a384e0c97df13d50a7cc0716b1dd8e6ac
1d75484aa645df348b7832522a8f1f9926549734f92b7398acec5b2c9117d571
1daf191be46f0785f537a84bd80727ee2d8c982ca8647fdfb30bd04459b7ad4c
1f73a9da45f9d484c31eb11b2fc4c2c0c4c8265e1ec511ea855fab7f3a9cbd52
6df77c0f8991ed1bdd9a4a317e54351362037de7ee9d8b3ab978ae0a167c1e36
8b7410e87d3dae734ce56c38b3d8601f5e79549afd5820da9014e93bbb00bc95
9340a56db77e4c22880f197b532e83a29b1b42d7ec13335edc32f64e3a377dcd
b67cf11352111f471f987175eeb1ca017d51b03784e3becd1223867d144aaa6c
f46c908b3e728a16ee971d886207c0288dd82e6528b7b6a18b48d1e5a565ca74
+ 234 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220224-x149nseggm/
Behaviour
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
ab6be861d7f1165fe4790d50dc991f8b9fc34a210a81526a07eefb9a790bb75b
MD5 hash:
ddec2c7d5bbbead74b566cb1532d1c08
SHA1 hash:
e42412b4978698a9767f3ea0e021a060c5fc7fe2
Link:
https://www.unpac.me/results/032c3235-b393-4534-b6f2-a6e351e5ff12/
SH256 hash:
813e785178b6ad12c92556d956f5e593274b8476ace11202be7df7b663a2e9b2
MD5 hash:
ae9034cae4f543b5c16569460d99531c
SHA1 hash:
283b7cacf40283c04b44241a42b606b388026f0f
Link:
https://www.unpac.me/results/032c3235-b393-4534-b6f2-a6e351e5ff12/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/032c3235-b393-4534-b6f2-a6e351e5ff12/
SH256 hash:
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07
MD5 hash:
34acc2bdb45a9c436181426828c4cb49
SHA1 hash:
5adaa1ac822e6128b8d4b59a54d19901880452ae
Link:
https://www.unpac.me/results/032c3235-b393-4534-b6f2-a6e351e5ff12/
SH256 hash:
788f243c7272debc26bf6d13bad89b2ecdf2e62d95c494f14afe89415e7b7435
MD5 hash:
06b0995f7eeca1b735f9fd015f24f5df
SHA1 hash:
9390bf3a566d731f4158e431ecefe2cbd8d6829e
Link:
https://www.unpac.me/results/032c3235-b393-4534-b6f2-a6e351e5ff12/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/788f243c7272debc26bf6d13bad89b2ecdf2e62d95c494f14afe89415e7b7435

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 788f243c7272debc26bf6d13bad89b2ecdf2e62d95c494f14afe89415e7b7435

(this sample)

anyrun
any.run
https://app.any.run/tasks/efa6029b-cf88-4794-924b-69eecce60e0a
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/244428/

Comments


Avatar
Adm1n 32 USA commented on 2022-03-03 04:58:07 UTC

likely contains hacktools or PUA