MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83b68b67c1d8fc1479280abde23fb455b6272740d2abf17f5f13161b1f54e1b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adhubllka

Vendor detections: 13

SHA256 hash: 83b68b67c1d8fc1479280abde23fb455b6272740d2abf17f5f13161b1f54e1b3
SHA3-384 hash: 4972076146315e131e6b399b23384b6e47d9c75d4d2d5c9c225edac7afa04afa775c69905c6a858997a71f96af153d38
SHA1 hash: 8a977618d315bfacb16afbe883e04f427311cefb
MD5 hash: a735ff10e359539181c1eca593091ee6
humanhash: cola-ten-alabama-hamper
File name: file
Signature: Adhubllka
File size: 274'944 bytes
First seen: 2022-12-02 16:46:35 UTC
Last seen: 2022-12-02 18:32:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 6144:BKUUQRnZTw3dGVMKbDpsZvrC2lOEcyYorNPF0N2q:BKUUYnFTywpsNr5OEcyLf0NN
Threatray: 14 similar samples on MalwareBazaar
TLSH: T14544AE38A7DACF73FB9E13B4E8315150CB30946229D9E32F444506E4AD023EAA56797F
TrID:
  60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.8% (.SCR) Windows screen saver (13097/50/3)
  8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: c9d4c4cda6a8cec6 (5 x Gh0stRAT, 2 x Formbook, 2 x FatalRAT)
Reporter: jstrosch
Tags: .NET Adhubllka exe MSIL

Intelligence


File Origin
# of uploads: 2
# of downloads: 213
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-12-02 16:48:07 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour:
  Unauthorized injection to a recently created process
  Creating a file
  Searching for synchronization primitives
  Launching the default Windows debugger (dwwin.exe)
  Searching for the window
  Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: BitRansomware
Verdict: Malicious
Result
Threat name: Cryptolocker
Detection: malicious
Classification: rans.spre.evad
Score: 92 / 100
Signature:
  Found ransom note / readme
  Found Tor onion address
  Injects a PE file into a foreign process
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  System process connects to network (likely due to code injection or exploit)
  Writes a notice file (html or txt) to demand a ransom
  Writes many files with high entropy
  Yara detected Cryptolocker ransomware

Threat name: ByteCode-MSIL.Ransomware.Encoder
Status: Malicious
First seen: 2022-12-02 10:35:05 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence ransomware
Behaviour:
  Checks SCSI registry key(s)
  Enumerates system info in registry
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Drops file in Program Files directory
  Suspicious use of SetThreadContext
  Drops desktop.ini file(s)
  Enumerates connected drives
  Modifies Installed Components in the registry
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 89844786bb2290797309c881c49a38f8502c39342bf2d9fecdc4ac5b4735f1d4
MD5 hash: 842d42bb052a77759c8f55d46021b2e0
SHA1 hash: 497403d1ba51ce198a46221395daf240c206bb36
Detections: win_adhubllka_auto win_adhubllka_a0

SHA256 hash: cc8b2794210079a08ee82099d183b597538818a8abb891718272b03a2d1dbb58
MD5 hash: bb7efb40665c9584131303f3d18ebc83
SHA1 hash: e92eb65af6345f4608e0fe6051ce05c03e57fe10

SHA256 hash: 16c169f1275b01c518680cac0191fe9b192004d1458919ffc591235dea4de9ad
MD5 hash: b03b2e39e1dd4c1661f63241e458e27a
SHA1 hash: cfa3e8f11480df59ec3453ff1ae3f26f954aa8f2

SHA256 hash: 4106a69a771864448667ff933a48f18b62a692ccbf1c13249a3acb8230b58dae
MD5 hash: 9a8d3b6d673e00010b06643f15350bbe
SHA1 hash: ce1f2fff53b128c85880c623625eb24cfc096f7c

SHA256 hash: 9f26c64e16b99f2401393f575e697a7b02c24a5b94406ab3aad64ae113ad8270
MD5 hash: bd0222559e341c29463712b996c3a4dd
SHA1 hash: 8f5c962b356a70744610a3e2cc651722ca7a4523

SHA256 hash: c44a017643730a9debb31ce51422089d8e65fd667c24bec063ff2bd046805acf
MD5 hash: 1111c08e1322f68c98b15cdc4ef429ad
SHA1 hash: 68058de631b4790d106c8f25019a69c06525384a

SHA256 hash: b6f8f30cd09b5d48a5395e792a2b6ddc941412e4a6c08aa686c42354019a78e7
MD5 hash: 6f94f45da5ba9b2a1e7716490202a8ed
SHA1 hash: 30209b58dd6e9a11dbf450005e87f92814bf62e3

SHA256 hash: 83b68b67c1d8fc1479280abde23fb455b6272740d2abf17f5f13161b1f54e1b3
MD5 hash: a735ff10e359539181c1eca593091ee6
SHA1 hash: 8a977618d315bfacb16afbe883e04f427311cefb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: pe_imphash

Rule name: RANSOM_win_Adhubllka
Author: KrknSec
Description: Detects Adhubllka ransomware.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_adhubllka_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.adhubllka.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Adhubllka
Executable exe 83b68b67c1d8fc1479280abde23fb455b6272740d2abf17f5f13161b1f54e1b3 (this sample)
Delivery method: Distributed via web download
