MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 850ec1ce3298fcef2f348858bb2406afa607c5e6f758e0150912cb092fa4e16d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry: Adhubllka

Vendor detections: 13

SHA256 hash: 850ec1ce3298fcef2f348858bb2406afa607c5e6f758e0150912cb092fa4e16d
SHA3-384 hash: ce7c86e0508890de753d974f61a8cbf958d491e0dac9dde783c31cbffe6b9228e416a25ee66543e15499b8bbaa40b2d0
SHA1 hash: cbcc32a3f2b0005a5f1c925b553e091dd2ac5f32
MD5 hash: 55044ed5d04a20844fcedb17a3f5bb31
humanhash: eleven-yellow-table-thirteen
File name: 55044ed5d04a20844fcedb17a3f5bb31.exe
Signature: Adhubllka
File size: 596'480 bytes
First seen: 2023-03-14 18:31:20 UTC
Last seen: 2023-03-14 20:29:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:h6Itqnx6LExGGdEFZhCqpnE5BhWH78QM8:g+q7xFE3hbpnE5KbX
Threatray: 87 similar samples on MalwareBazaar
TLSH: T1F3C428ACF8AF51EDE1ACDDBB6A81C40FABF35C2B76CDF95812923A140211519F8D601D
TrID:
  63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  11.2% (.SCR) Windows screen saver (13097/50/3)
  9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: Adhubllka exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 255
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 55044ed5d04a20844fcedb17a3f5bb31.exe
Verdict: Malicious activity
Analysis date: 2023-03-14 18:33:07 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Moving a recently created file
Changing a file
Creating synchronization primitives
Modifying an executable file
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Encrypting user's files
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: BitRansomware
Verdict: Malicious

Result
Threat name: Cryptolocker
Detection: malicious
Classification: rans.spre.evad
Score: 100 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Drops executable to a common third party application directory
Found ransom note / readme
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes a notice file (html or txt) to demand a ransom
Yara detected AntiVM3
Yara detected Cryptolocker ransomware
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-03-14 18:32:06 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 21 of 24 (87.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: persistence ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Enumerates connected drives
Modifies Installed Components in the registry
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.