MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d99d9dc8e69d9adc8bf0f44170eef5fe06ed8b58560b432c7349924cc74e591. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d99d9dc8e69d9adc8bf0f44170eef5fe06ed8b58560b432c7349924cc74e591
SHA3-384 hash: 7d0b625842144f216755f5561fb7f38ead842bf4e1172248220a09a2b8a17f302ec54c34b911d0629e1cd28387d8d9cd
SHA1 hash: de1c58b8bd9132f05a664dffa781876a3341f5a4
MD5 hash: 97e28bd7e6d9ea7270a59f8fe6db5b6d
humanhash: king-muppet-magnesium-mango
File name:97e28bd7e6d9ea7270a59f8fe6db5b6d.exe
Download: download sample
File size:16'141'328 bytes
First seen:2023-02-12 19:15:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6e51dda1622035b42b177c9afe67c30
ssdeep 393216:MYmOng4xPBM7CG4k2woJuQFkyRmazVNEJ7KJ5DPEmLjJ7:MYmO3xpM2G4kZoFVRw48mt
Threatray 16 similar samples on MalwareBazaar
TLSH T1F8F60217AD69CC28C5E394331092C397D21AE18DAE0DDB9F13B11945CEE096B5F12BEE
TrID 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a67662b2b9919a6
Reporter abuse_ch
Tags:exe signed

Code Signing Certificate

Organisation:Neucalion Code Sign
Issuer:Neucalion Root CA
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-20T13:27:00Z
Valid to:2032-01-20T13:27:00Z
Serial number: 283712e24eabd593
Thumbprint Algorithm:SHA256
Thumbprint: 0e3ffc37bae00a74cab15482cdbbb3d42bedb1e04762b6a8fc96552e2885a13f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97e28bd7e6d9ea7270a59f8fe6db5b6d.exe
Verdict:
Malicious activity
Analysis date:
2023-02-12 19:20:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d1c61ab8-e980-499e-b8dc-ac19e9918025

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Downloader.Driverpack-6717506-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/68657/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adwind anti-debug javadropper overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63e93af719bdad834634f48d/reports/68235017-52ef-4726-9e5a-c93a90edf751/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7d99d9dc8e69d9adc8bf0f44170eef5fe06ed8b58560b432c7349924cc74e591
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0e5c0f08-a3f0-4ada-ac7c-445c3403f02b
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
troj
Score:
28 / 100
Link:
https://www.joesandbox.com/analysis/1172732
Signature
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 805523 Sample: 3Y1WOpNdle.exe Startdate: 12/02/2023 Architecture: WINDOWS Score: 28 30 Uses known network protocols on non-standard ports 2->30 8 3Y1WOpNdle.exe 2->8         started        process3 process4 10 javaw.exe 4 8->10         started        process5 12 javaw.exe 47 10->12         started        16 icacls.exe 1 10->16         started        dnsIp6 24 109.248.59.16, 49719, 9274 TEAM-HOSTASRU Russian Federation 12->24 26 127.0.0.1 unknown unknown 12->26 28 192.168.2.1 unknown unknown 12->28 20 C:\Users\user\...\discord_game_sdk_jni.dll, PE32 12->20 dropped 22 C:\Users\user\...\discord_game_sdk.dll, PE32 12->22 dropped 18 conhost.exe 16->18         started        file7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d99d9dc8e69d9adc8bf0f44170eef5fe06ed8b58560b432c7349924cc74e591/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwm5txeonhm23sf7b5cbodxpl7qg5wfvqvqlimwhgsmsjtdu4wiq._file
Verdict:
unknown
Similar samples:
0ead50b6e178331dc5e0ed73d4080afd8682f12358730c0d7ae62a95be167e52
5053f7a18f78763456267484fe3787e2502c64d8a8f2c2036d5bfeca60ca96e2
729e7368bb7e28a5416896392bfed2f738804cb7d957c58e78a90a771ce4f976
767a951ea1f41e10287199d95ffed5a84a94e1d33d82d519c91db89d37941f42
8dc5d35e7f0a75f8a864ce2a569ac1cc3825521bcd269e5bc2ee7e6ce40c3fae
9b1af42072b91c504d9298d5938b8b5976a4ed4326484e9559a931a1173ee466
c2dcc646a68381f519b6461c54129e0b4ec5efc0125c382f75c67341cecd2f2e
db3dec6fc542d0d1e7e00233812984c3698a54bcc2a4d124e0a7075794e162c5
e034f070ece091bfb23daacd153f9121030abd88a2349c00c3f7f4aba176dd8b
fe317007a64424dc6161dae1c8f7a84542170ab100f5bbd12d7c9b995ec0acac
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/230212-xyssvsfh75/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Unpacked files
SH256 hash:
7d99d9dc8e69d9adc8bf0f44170eef5fe06ed8b58560b432c7349924cc74e591
MD5 hash:
97e28bd7e6d9ea7270a59f8fe6db5b6d
SHA1 hash:
de1c58b8bd9132f05a664dffa781876a3341f5a4
Link:
https://www.unpac.me/results/0488cfcd-d993-4e8d-bc18-27334a9fa250/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7d99d9dc8e69d9adc8bf0f44170eef5fe06ed8b58560b432c7349924cc74e591

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments