MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 802ddf30debfce4add361a2926203e00c1a5ca1bb9e131b00507d491b8d5911b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 11

SHA256 hash: 802ddf30debfce4add361a2926203e00c1a5ca1bb9e131b00507d491b8d5911b
SHA3-384 hash: 5475961bbdbf2b52cab80eb2a2ae47fbae758bd01eab43ab77138746d191f6934985bfd1c37c40709dbed012a86cd800
SHA1 hash: ba6a7eabf7564f60cb35e8b54959fb890e63a617
MD5 hash: 3ab9f05175c2657a3f7d3e6fcfd2a7cb
humanhash: oregon-timing-juliet-nuts
File name: 802ddf30debfce4add361a2926203e00c1a5ca1bb9e131b00507d491b8d5911b
File size: 4'665'649 bytes
First seen: 2023-01-06 11:54:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'452 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 98304:NSSL/sY2n0p+wH7nECsdEzCaj9yDWgc3PjxDrHkrEvvur:NSP1nknH7UY/MDWgcflDrErEvQ
Threatray: 2'612 similar samples on MalwareBazaar
TLSH: T1002633926D84D97AD31925F4F62504F4C2EF3E0EC868420F6DA9FD497B3D6E208F9648
TrID: 78.6% (.EXE) Inno Setup installer (109740/4/30)
      10.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.1% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 4a0c4d454d4d4d0c
Reporter: adrian__luca
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 177
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 802ddf30debfce4add361a2926203e00c1a5ca1bb9e131b00507d491b8d5911b
Verdict: Malicious activity
Analysis date: 2023-01-06 11:54:41 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Modifying a system file
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Launching a process
Query of malicious DNS domain
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 68 / 100
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 778979; sample 4B6NfehNVu.exe; start date 06/01/2023; architecture WINDOWS; score 68)
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Machine Learning detection for dropped file
Process tree:
  4B6NfehNVu.exe (submitted sample)
    dropped: C:\Users\user\AppData\...\4B6NfehNVu.tmp (PE32)
    signature: Obfuscated command line found
    started: 4B6NfehNVu.tmp
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      dropped: C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)
      dropped: C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32)
      dropped: 14 other files (13 malicious)
      signature: Uses schtasks.exe or at.exe to add and modify task schedules
      started: Yadjh.exe (two instances)
        network: 188.114.96.3, 49703, 80 (CLOUDFLARENETUS, European Union)
        network: trusentolisames.ml 188.114.97.3, 49697, 80 (CLOUDFLARENETUS, European Union)
        started: WerFault.exe (three instances)
        started: 7 other processes
      started: schtasks.exe
        started: conhost.exe
Threat name: Win32.Trojan.Ekstak
Status: Malicious
First seen: 2022-12-10 09:27:39 UTC
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.
