MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dd43c56ab6c3dd0817b74f7cfd24454a6d622eb37e9dc824a3e57ada642d9ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dd43c56ab6c3dd0817b74f7cfd24454a6d622eb37e9dc824a3e57ada642d9ba
SHA3-384 hash: 0ff906dbedad09b5f943691a256c63ff2e0f5580eee5ac97a38a60d759d95682d5fcb3c16b1ec1c80d422689c70ebbdf
SHA1 hash: 70e8b6547455e43dd25337d7c60359fce3d1a4b5
MD5 hash: 09d775c397e07587e3d31850596464a5
humanhash: utah-lactose-echo-arkansas
File name:09d775c397e07587e3d31850596464a5.exe
Download: download sample
File size:116'224 bytes
First seen:2022-02-01 16:26:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:MPBXZhLEnnaSS6M45vT6RFfju9tYE6z1Bb2wGCYhLeHgzTY70HqwQP:WBX4nz+TuvKZBb2wGPeAzTYrw4
Threatray 387 similar samples on MalwareBazaar
TLSH T1F5B30807738A8711D6681975C1EF183803E2AFC72A33D6967F58778C1E12BE7DE41A89
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://f0624763.xsph.ru/MicrosoftApi.exe
Verdict:
Malicious activity
Analysis date:
2022-01-25 01:17:22 UTC
Tags:
trojan miner
Link:
https://app.any.run/tasks/43ac9f27-120d-4561-a339-507f677ff045

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/229217/
Detection(s):
Win.Dropper.Witch-9936665-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive obfuscated overlay replace.exe schtasks.exe
Link:
https://www.filescan.io/uploads/61f95f6018d1bfdde4e74871/reports/d0c684cb-cf95-4c6c-b22a-1501b1d5e421/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/620aa63c-f7c6-4417-884a-943e024682e2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/931942
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 564416 Sample: b88Jv6LAuj.exe Startdate: 01/02/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 4 other signatures 2->56 8 b88Jv6LAuj.exe 1 5 2->8         started        12 MicrosoftApi.exe 14 2 2->12         started        15 MicrosoftApi.exe 2 2->15         started        17 2 other processes 2->17 process3 dnsIp4 42 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 8->42 dropped 44 C:\Users\...\MicrosoftApi.exe:Zone.Identifier, ASCII 8->44 dropped 46 C:\Users\user\AppData\...\b88Jv6LAuj.exe.log, ASCII 8->46 dropped 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->68 19 MicrosoftApi.exe 1 5 8->19         started        48 62.182.159.87, 49767, 49768, 49771 AutonomousSystemofBaunetworks-SerbiaRS Russian Federation 12->48 file5 signatures6 process7 file8 40 C:\Users\user\AppData\...\tmp1827.tmp.cmd, DOS 19->40 dropped 58 Multi AV Scanner detection for dropped file 19->58 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->60 62 Machine Learning detection for dropped file 19->62 23 cmd.exe 1 19->23         started        26 cmd.exe 1 19->26         started        signatures9 process10 signatures11 64 Uses schtasks.exe or at.exe to add and modify task schedules 23->64 66 Adds a directory exclusion to Windows Defender 23->66 28 powershell.exe 23 23->28         started        30 conhost.exe 23->30         started        32 timeout.exe 1 23->32         started        34 conhost.exe 26->34         started        36 timeout.exe 1 26->36         started        38 schtasks.exe 1 26->38         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7dd43c56ab6c3dd0817b74f7cfd24454a6d622eb37e9dc824a3e57ada642d9ba/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-25 11:16:48 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
5cbc602e1850dce976f8f5a33a1b97aed7648f409892fc2a0da0900d3d97bb53
6912561e48a62b49018cbed0fda8cdcfcf5afcd16f0a65b49390117b2331ef99
9b58105b315bbd6a5af96e63f88dc59cdedef401324916ae48de270a021ec29d
a32437ab62c0ac90c236c6a8e33bd6b57e661cd83aaae7d6c9f371eefca5a7a5
d1653b5cbbf61f3666ac0c5ac308b75d0d0c5029941ca9efbf37f18b51f9a3a6
d486573a12a0a407b7ae295318b59e750fb63cd9de6d46cceb2c173ae0b6b650
e0453a56a222c1a325d6b9ddc8ce5a692ecfba00664d0e36f9fdad9fde46acfb
fb78e43ae17426eb0f2066a30e1eff92116eff495f10f1789f1f69fab3c377c0
+ 377 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220201-tx31nahgg2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
7dd43c56ab6c3dd0817b74f7cfd24454a6d622eb37e9dc824a3e57ada642d9ba
MD5 hash:
09d775c397e07587e3d31850596464a5
SHA1 hash:
70e8b6547455e43dd25337d7c60359fce3d1a4b5
Link:
https://www.unpac.me/results/01e44f67-84b8-4a3a-ab1d-bc78613693af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7dd43c56ab6c3dd0817b74f7cfd24454a6d622eb37e9dc824a3e57ada642d9ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/229217/

Comments