MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fec2debd3328b70221dc4f0eaeef39845a9a8f8f8aa88ef9ecfc4318ed7a24e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 19 File information Comments

SHA256 hash:	7fec2debd3328b70221dc4f0eaeef39845a9a8f8f8aa88ef9ecfc4318ed7a24e
SHA3-384 hash:	77b959fdb8560246b63283c503a297f732593e373428da92d41862fb3d683e70d48d26b37bd41a396a54df67f047cd81
SHA1 hash:	f02567c1701e8d95c5985a076fe5defb7ed7ee24
MD5 hash:	05da4a766acf1130b94cb97b90ce5020
humanhash:	freddie-indigo-michigan-bakerloo
File name:	05da4a766acf1130b94cb97b90ce5020.exe
Download:	download sample
File size:	5'383'680 bytes
First seen:	2023-08-13 07:38:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61b2f18450b5fa9a3b364671884070dd
ssdeep	98304:rk9lWjFnsh6omk1YbTyGrooDgRQzovwevz0C+vDG6kXF1+y/wFEZ/vFKINzlyOMr:Y8Fn3omk0yGcRwovLwGb/wF6XFKczQS6
Threatray	426 similar samples on MalwareBazaar
TLSH	T1274633627E6209BDECA1D938EA31B58247067C7925523129AF05F0C2CB77FEE5C93847
TrID	52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6) 12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.EXE) Win32 Executable (generic) (4505/5/1) 4.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	4cb2b271f0ccf003
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

05da4a766acf1130b94cb97b90ce5020.exe

Verdict:

Malicious activity

Analysis date:

2023-08-13 07:40:23 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/316def5e-1a37-471a-920a-92b25f729073

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/442446/

Detection(s):

TwinWave.EvilDoc.XL4MDottedQuadDancingInHeaven.20210421.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Searching for the window

DNS request

Sending an HTTP GET request

Creating a file in the %temp% subdirectories

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/7fec2debd3328b70221dc4f0eaeef39845a9a8f8f8aa88ef9ecfc4318ed7a24e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cheatengine

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/450dad76-ee5d-4f41-bd47-e8548f524291

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1290599

Signature

Creates files with lurking names (e.g. Crack.exe)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7fec2debd3328b70221dc4f0eaeef39845a9a8f8f8aa88ef9ecfc4318ed7a24e/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-08-03 18:11:58 UTC

File Type:

PE (Exe)

Extracted files:

1022

AV detection:

9 of 38 (23.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p7wc326tgkfxaiq5ytyov3xttbc2tkhy7cvir346z7cdddwxujha._file

Verdict:

malicious

461296a57401486240fc1db9501f3f59c6fa612c9cb3b1bb66667263f3aa7cc2

7d048ec8f8cedb15fa7480514b72d10d50a3d1574f7a72e654050c8b7ecc4034

85275f9f81f87b40f3e88caee621349aeb301bdf1237ec1686f21b6309120c1c

8998b9602a8b39d2cd0bfed4c57584244de6c015570ab37e64989cb67e5ecf1e

8e3b8f65024af32a030d39ff2c8cf2283c4e5bb7904f0792e73703e53181f553

96a14d1422dc0f5889cdb4d2e110b5dac6c638167509ddf728b9c84f3af40aae

a6cbb0f97a2c34e7f937717c5562483873acc484526b5cad893243dc7450fcb3

d5c4869ac09853b7b1ee3edc1575dcae6d8326ccfaca54ae471d92ce30303203

e394e7da62d1b272f3bec28cc075485cef04cda0d18c834d7133fbe3cacbb909

+ 416 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

upx

Link:

https://tria.ge/reports/230813-jgyqwshf98/

Behaviour

Looks up external IP address via web service

Loads dropped DLL

UPX packed file

Unpacked files

SH256 hash:

9ce57f1143a05a14464ff633e71fcdc9eede31f995492e581cdf43f92c92cd96

MD5 hash:

88c4dfdddcd1c47d51de249297799809

SHA1 hash:

e23ac26897e5c00142f7098011b6d719acefdf8a

Link:

https://www.unpac.me/results/6d7e7f33-5e53-4d84-8f26-46f7c2cd82df/

SH256 hash:

24947ac446ba05a95909471a3ce425751dea13f217cd4fb2212380da0aee5fee

MD5 hash:

02ce32001e9035e4b0a4a3384a7e5bba

SHA1 hash:

b03a65b51a4c2d6845e851ab8692671e7a2ca6d1

Link:

https://www.unpac.me/results/6d7e7f33-5e53-4d84-8f26-46f7c2cd82df/

SH256 hash:

526fc4480ce4b83cc1d6033352f05a446db047dd6e2351e39ff9dc04470fada4

MD5 hash:

cbc1e7a9c1c2bc144a2166b2ccdc72ae

SHA1 hash:

a2cc5b4139366eff493f02705f21c5a94f178c7e

Link:

https://www.unpac.me/results/6d7e7f33-5e53-4d84-8f26-46f7c2cd82df/

SH256 hash:

2d11228520402ef49443aadc5d0f02c9544a795a4afc89fb0434b3b81ebdd28c

MD5 hash:

284e004b654306f8db1a63cff0e73d91

SHA1 hash:

7caa9d45c1a3e2a41f7771e30d97d86f67b96b1b

Link:

https://www.unpac.me/results/6d7e7f33-5e53-4d84-8f26-46f7c2cd82df/

SH256 hash:

c2054f3041c1f25fc033fee7edd5a78ad8b8687b6bb6d768794dfa776234a08f

MD5 hash:

ecd3baa2f8ce1a23d1137197f71f6b27

SHA1 hash:

7448669bda67bb29421f1d54ea78f9d6cb545d09

Link:

https://www.unpac.me/results/6d7e7f33-5e53-4d84-8f26-46f7c2cd82df/

SH256 hash:

007342c6b9b956f416f556b4bd6f1077e25bd077cc4f4ac136e3fccb803746e3

MD5 hash:

de484d5dafe3c1208da6e24af40e0a97

SHA1 hash:

3e27b636863fefd991c57e8f4657aded333292e1

Link:

https://www.unpac.me/results/6d7e7f33-5e53-4d84-8f26-46f7c2cd82df/

SH256 hash:

dab3fdbcbaf81d692acaf46259c4360baa9bef9b7516d549714c3c42d2c24aac

MD5 hash:

db5281e415c4ca4c1c6353ed7193da7a

SHA1 hash:

00c40ffdf4a71bc83d8aa656adb579850ac71d8f

Link:

https://www.unpac.me/results/6d7e7f33-5e53-4d84-8f26-46f7c2cd82df/

SH256 hash:

d3b219fec34b86f0bea5e3f5fe7e32b05a9e6c98e78510f9ae0c442366e151ec

MD5 hash:

831d4a0212fc63b8a54c76363cdbddc2

SHA1 hash:

9576efee9c9e28aa8803db7147b5804efc96a32b

Link:

https://www.unpac.me/results/6d7e7f33-5e53-4d84-8f26-46f7c2cd82df/

SH256 hash:

7fec2debd3328b70221dc4f0eaeef39845a9a8f8f8aa88ef9ecfc4318ed7a24e

MD5 hash:

05da4a766acf1130b94cb97b90ce5020

SHA1 hash:

f02567c1701e8d95c5985a076fe5defb7ed7ee24

Link:

https://www.unpac.me/results/6d7e7f33-5e53-4d84-8f26-46f7c2cd82df/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.76

Link:

https://yomi.yoroi.company/submissions/7fec2debd3328b70221dc4f0eaeef39845a9a8f8f8aa88ef9ecfc4318ed7a24e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	win_stowaway_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stowaway.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/442446/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample