MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7af568820dce904d6b43bd2fb28307749a598338f97773be1992f7afc096f951. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11

SHA256 hash: 7af568820dce904d6b43bd2fb28307749a598338f97773be1992f7afc096f951
SHA3-384 hash: a705f4706900aa2d6d96af523775bf4566480160a5264010329a121b92d293648f809c1f78389a0194077a541617153b
SHA1 hash: ed0e70d5690b59c134e3efac8a13236d97d3f69e
MD5 hash: c32c1e3c5300a97bd5ba242f240bff64
humanhash: lithium-wisconsin-eight-crazy
File name: yoda.exe
File size: 13'259'647 bytes
First seen: 2025-02-21 22:34:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 48aa5c8931746a9655524f67b25a47ef (4 x Adware.Generic, 3 x AsyncRAT, 3 x Vidar)
ssdeep 196608:818GvX7Fdk30JhUFVvHT10xHYKw1RUCEvIbxb51rgmnHjdU6wFewaPo5IhnTB8s:SNX7Fq82bHT1W4KwlGmnGLFe+5snNb
TLSH T194D6236293D14833E0B32F759D7B92845D367A112AA494BE3F79DE0C1F78A42BD31392
TrID 42.0% (.EXE) Inno Setup installer (107240/4/30)
22.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.8% (.EXE) InstallShield setup (43053/19/16)
5.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.1% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika pebin
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: skocherhan
Tags: exe opendir


skocherhan
https://book.rollingvideogames.com/temp/yoda.exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
30
Origin country :
GB
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Tags:
vmdetect autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file
Setting a single autorun event
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd embarcadero_delphi evasive expand fingerprint installer invalid-signature lolbin obfuscated overlay packed packed regsvr32 runonce scriptrunner signed stealer
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
27 / 100
Signature
Allocates memory in foreign processes
Behaviour
Behavior Graph:
Behavior Graph ID: 1621487; Sample: yoda.exe; Start date: 21/02/2025; Architecture: WINDOWS; Score: 27
Process tree recovered from the graph (node numbers in parentheses; dropped files and signatures are listed under the process that produced them; truncated paths are as shown on the page):
  yoda.exe (9)
    dropped: C:\Users\user\AppData\Local\Temp\...\yoda.tmp (PE32)
    started: yoda.tmp (17)
      dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32)
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      dropped: C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32)
      dropped: C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)
      started: yoda.exe (24)
        dropped: C:\Users\user\AppData\Local\Temp\...\yoda.tmp (PE32)
        started: yoda.tmp (27)
          dropped: C:\Users\user\AppData\...\AutoIt3.exe (copy) (PE32)
          dropped: microsoft.visualst...graphics.dll (copy) (PE32)
          dropped: C:\Users\user\...\libpcre-1.dll (copy) (PE32+)
          dropped: 31 other files (none is malicious)
          started: AutoIt3.exe (30)
            dropped: C:\...\AutoIt3.exe (PE32)
            dropped: C:\...\microsoft.visualstudio.graphics.dll (PE32)
            dropped: C:\...\libpcre-1.dll (PE32+)
            dropped: 6 other files (none is malicious)
            signature: Allocates memory in foreign processes
            started: MSBuild.exe (34)
  AutoIt3.exe (12)
    signature: Allocates memory in foreign processes
    started: MSBuild.exe (20)
  AutoIt3.exe (15)
    started: MSBuild.exe (22)
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Behaviour
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
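The sandbox results above describe a chain a detection engineer can turn into host-based rules without needing the sample: the installer drops an AutoIt3.exe copy under %AppData%, that dropped executable is run, a Run key is set, and AutoIt3.exe allocates memory in a foreign process and starts MSBuild.exe, a signed Microsoft LOLBin. The block below is an added example, not code or data from MalwareBazaar or from any of the vendors quoted on this page. It runs three checks over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set); the user name, directory names, the Run value name and the exact MSBuild.exe path are assumptions, since the page only shows truncated paths.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style telemetry modelled on the chain the sandbox reports above.
# User name, directory names, the Run value name and the MSBuild.exe path are
# assumptions (the page truncates its paths); the last event is a benign control.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\Downloads\yoda.exe",
     "cmdline": r'"C:\Users\user\Downloads\yoda.exe"'},
    {"id": 11, "image": r"C:\Users\user\AppData\Local\Temp\sub\yoda.tmp",
     "target": r"C:\Users\user\AppData\Roaming\Tool\AutoIt3.exe"},
    {"id": 13, "image": r"C:\Users\user\AppData\Local\Temp\sub\yoda.tmp",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Tool",
     "details": r"C:\Users\user\AppData\Roaming\Tool\AutoIt3.exe"},
    {"id": 1, "parent": r"C:\Users\user\AppData\Local\Temp\sub\yoda.tmp",
     "image": r"C:\Users\user\AppData\Roaming\Tool\AutoIt3.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\Tool\AutoIt3.exe"'},
    {"id": 1, "parent": r"C:\Users\user\AppData\Roaming\Tool\AutoIt3.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    # Benign control: a developer build, MSBuild started by Visual Studio with a project file.
    {"id": 1, "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe app.csproj /t:Build"},
]

# Directory markers an unprivileged user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\downloads\\")


def in_user_writable(path):
    """True if the path sits under a directory an unprivileged user can write to."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, evidence) pairs for the behaviours the sandbox reports list."""
    alerts = []
    dropped_exes = set()          # executables written earlier in the same session
    for ev in events:
        if ev["id"] == 11 and ev["target"].lower().endswith(".exe"):
            dropped_exes.add(ev["target"].lower())
        elif ev["id"] == 13:
            # "Adds Run key to start application": autorun value pointing into a user-writable directory.
            if "\\currentversion\\run\\" in ev["target"].lower() and in_user_writable(ev["details"]):
                alerts.append(("run_key_user_writable_target", ev["details"]))
        elif ev["id"] == 1:
            image, parent = ev["image"], ev["parent"]
            # "Executes dropped EXE": a binary written earlier in the session is now a process.
            if image.lower() in dropped_exes:
                alerts.append(("executes_dropped_exe", image))
            # The AutoIt3.exe -> MSBuild.exe edge from the graph: MSBuild started by a parent in a
            # user-writable directory. A bare command line (no project file) is an extra tell that
            # MSBuild is being used as a host for injected code rather than as a build tool.
            if basename(image) == "msbuild.exe" and in_user_writable(parent):
                bare = ev["cmdline"].strip('"').lower().endswith("msbuild.exe")
                evidence = f"{basename(parent)} -> {image}" + (" [bare cmdline]" if bare else "")
                alerts.append(("msbuild_from_user_writable_parent", evidence))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule}: {evidence}")
```

Running the block prints one alert for each of the three behaviours and nothing for the Visual Studio control, because its parent lives under Program Files. The Run key check deliberately keys on the target path rather than the value name, since the page does not show the name the sample used, and any value name pointing into %AppData% is worth a look.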
Unpacked files
SHA256 hash:
7af568820dce904d6b43bd2fb28307749a598338f97773be1992f7afc096f951
MD5 hash:
c32c1e3c5300a97bd5ba242f240bff64
SHA1 hash:
ed0e70d5690b59c134e3efac8a13236d97d3f69e
SHA256 hash:
0c5e1b5e9c630795f45f8fd921fb0907009333ff09a8cf817795893cd5e06fa8
MD5 hash:
a098b3aa80d0019cde8f8f714f21c59e
SHA1 hash:
16d2b7e6a385f9111a1d7614f188f395c7be38ac
Detections:
AutoIT_Compiled
SHA256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 hash:
bb7e59c88b2ae1c7c4568b10bbd27d64a7c20ae3696f2fdca32b4acfd8300844
MD5 hash:
019ee894bc84df37fd7d60e4f7080758
SHA1 hash:
f3cc800f3adc6776dd623d13ed26cc971461168d
SHA256 hash:
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
MD5 hash:
a69559718ab506675e907fe49deb71e9
SHA1 hash:
bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
SHA256 hash:
2ffabb0018d335267d2d0101a41cac7ac7d1aa80956fae91825e46aaa85c0787
MD5 hash:
b1f9d665e52c29972b50d7145d88dce1
SHA1 hash:
df2c67a5c32a19bb110ec8372134522c0dab9ac2
SHA256 hash:
811fa1cd3f23ac7f9a5f51c938ff321527b695e35aefc20f57b3ecebf0acc4ee
MD5 hash:
d9d08f3cf61c3a2824f41bd40bcba21e
SHA1 hash:
a2058e3eda7f51d7dac54a2b047221ba71724bf9
Detections:
win_ghostsocks_auto
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: crime_win32_ransom_avaddon_1
Author: @VK_Intel
Description: Detects Avaddon ransomware
Reference: https://twitter.com/VK_Intel/status/1300944441390370819

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7af568820dce904d6b43bd2fb28307749a598338f97773be1992f7afc096f951 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessW, advapi32.dll::OpenProcessToken, kernel32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryExW, kernel32.dll::LoadLibraryW, kernel32.dll::GetSystemInfo, kernel32.dll::GetStartupInfoA, kernel32.dll::GetDiskFreeSpaceW, kernel32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryW, kernel32.dll::CreateFileW, kernel32.dll::DeleteFileW, kernel32.dll::GetWindowsDirectoryW, kernel32.dll::GetFileAttributesW, kernel32.dll::FindFirstFileW
WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExW, advapi32.dll::RegQueryValueExW
WIN_USER_API | Performs GUI Actions | user32.dll::PeekMessageW, user32.dll::CreateWindowExW
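Both BLint findings above come straight from the PE headers, so they can be reproduced with the Python standard library when BLint is not on the triage box. The block below is an added example, not BLint's code and not bytes from this sample: it builds a constructed header-only PE image, reads DllCharacteristics and the security data directory, and reports findings under the same check IDs the table uses. Two caveats a practitioner should keep in mind: a non-empty security directory only means a signature blob is attached, not that it verifies (the vendor tags above list both signed and invalid-signature, which a structural check like this cannot tell apart), and HIGH_ENTROPY_VA only has an effect on 64-bit images, so the report includes the PE magic for weighing that finding on a PE32 file such as the dropped yoda.tmp.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h.
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,   # 64-bit ASLR; only meaningful for PE32+ images
    "DYNAMIC_BASE":    0x0040,   # ASLR
    "NX_COMPAT":       0x0100,   # DEP
    "GUARD_CF":        0x4000,   # Control Flow Guard
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory that points at the Authenticode WIN_CERTIFICATE
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_pe(magic, dll_characteristics, security_size):
    """Constructed header-only PE image for testing (not bytes from the sample on this page)."""
    opt_size = 224 if magic == PE32_MAGIC else 240           # optional header with 16 data directories
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header follows the DOS stub
    machine = 0x14C if magic == PE32_MAGIC else 0x8664        # IMAGE_FILE_MACHINE_I386 / AMD64
    coff = struct.pack("<IHHIIIHH", 0x00004550, machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)      # DllCharacteristics sits at +70 in both formats
    dirs = 96 if magic == PE32_MAGIC else 112                  # start of the data directory table
    struct.pack_into("<I", opt, dirs - 4, 16)                  # NumberOfRvaAndSizes
    sec = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    struct.pack_into("<II", opt, sec, 0x1000 if security_size else 0, security_size)
    return bytes(dos) + coff + bytes(opt)


def check_pe(data):
    """Reproduce the two BLint findings from the PE headers alone."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24                                         # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dirs = opt + (96 if magic == PE32_MAGIC else 112)
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
    sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _rva, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    findings = []
    if sec_size == 0:   # no signature blob attached; a non-zero size still says nothing about validity
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    missing = [name for name, bit in DLL_FLAGS.items() if not dll_chars & bit]
    if missing:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (" + ", ".join(missing) + ")", "high"))
    return {"magic": "PE32" if magic == PE32_MAGIC else "PE32+",
            "dll_characteristics": dll_chars, "findings": findings}


if __name__ == "__main__":
    # A 32-bit image with ASLR and DEP but no signature, CFG or HIGH_ENTROPY_VA, as a constructed input.
    weak = build_pe(PE32_MAGIC, DLL_FLAGS["DYNAMIC_BASE"] | DLL_FLAGS["NX_COMPAT"], 0)
    report = check_pe(weak)
    print(report["magic"])
    for check_id, title, severity in report["findings"]:
        print(f"{check_id}: {title} [{severity}]")
```

To run it against a real file, pass the file's bytes to check_pe in place of the constructed image. It reads only the headers, so it is safe on a sample that has not been detonated, and it reports every missing hardening bit rather than just HIGH_ENTROPY_VA so the output is comparable across 32- and 64-bit files.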

Comments