MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 865ce93c33fd5a94da06f2267d3d0817b95c2af40a6fc64bb9de0191ae6dc93e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	865ce93c33fd5a94da06f2267d3d0817b95c2af40a6fc64bb9de0191ae6dc93e
SHA3-384 hash:	9e72283266fce6513d56decb7dca8e21b809feb5465bf18381ca41b82102ae5b97e7c0b0f2cc819c1c8319f74020aaab
SHA1 hash:	53572347e926f7dfa5d261634f59b2f2d997dcf5
MD5 hash:	86943c185f22b6db86f992ee7e98ed6b
humanhash:	avocado-grey-stairway-seventeen
File name:	86943c185f22b6db86f992ee7e98ed6b.exe
Download:	download sample
File size:	2'849'697 bytes
First seen:	2023-08-31 06:24:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fa8d20faea9ef7b4e2b7fbfe93442593 (17 x RedLineStealer, 4 x CoinMiner, 3 x AgentTesla)
ssdeep	49152:qDkUjjLte/HmWJfK565eiZloo3i1Sld7WDn9O/5k+qcIUwsUtBOI7AXCSreCFaTI:q4UjQ/H/J/5eibYMqD9O/e+qczUteCSb
Threatray	88 similar samples on MalwareBazaar
TLSH	T106D523217EC08432D8A6193A26B1A7357775BD301B36CFDB53981E6D8F251C0AA367B3
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

289

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

86943c185f22b6db86f992ee7e98ed6b.exe

Verdict:

Suspicious activity

Analysis date:

2023-08-31 06:29:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/78afa634-7c4b-497f-a0da-e707dc66a158

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/445432/

Detection(s):

SecuriteInfo.com.Trojan.Uztuby.4.19274.32072.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Launching a process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware lolbin overlay packed replace setupapi shdocvw shell32

Link:

https://www.filescan.io/uploads/64f03241b3b7d7c782d1a046/reports/69ca72a7-34de-4e52-896b-e1624fb09fe7/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/865ce93c33fd5a94da06f2267d3d0817b95c2af40a6fc64bb9de0191ae6dc93e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1a3a960a-d78a-43d8-863c-a9dbab28da03

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1300850

Signature

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/865ce93c33fd5a94da06f2267d3d0817b95c2af40a6fc64bb9de0191ae6dc93e/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2023-08-31 06:25:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 23 (56.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qzoospbt7vnjjwqg6ith2piic64vykxubjx4ms5z3yazdltnze7a._file

Verdict:

malicious

1b57f88dd88cf59b0f9aa09f1f4dd393c6b787f70afa9b6b111861d1a10af6a7

2646dd01581c1813f0478a25051ca4edac5e5c4fedcbd1ac0b4ca758426ec52d

63c4a15cd773f238eff00aa96951811734883b01d9460389aee9cdbe3edc437b

71a7be17ce0aa73dc1b2a2e353bc5ac7bc8e401f74c2681b4348650caf13d82b

8ee0b8f40e58ae7ff46cb2779d8b0796071873d554d9d6ec4ae7207c9e26b865

9caad784222d3fb486822446983ef20eb408845146c9bf954bf2e185fb4e35d1

b4c2ff718a6f5c872387c54960848ea4798b78ac9ea50928106cf66a4bdffeb1

df4f2bd477daed3aa0c4665f2b989157fa971af504981ebd35c4af660d82ccb1

ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd

+ 78 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230831-g6mc2sdf73/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

865ce93c33fd5a94da06f2267d3d0817b95c2af40a6fc64bb9de0191ae6dc93e

MD5 hash:

86943c185f22b6db86f992ee7e98ed6b

SHA1 hash:

53572347e926f7dfa5d261634f59b2f2d997dcf5

Link:

https://www.unpac.me/results/1058eb1f-96f4-404b-83f2-2ffd8cf1c038/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/865ce93c33fd5a94da06f2267d3d0817b95c2af40a6fc64bb9de0191ae6dc93e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 865ce93c33fd5a94da06f2267d3d0817b95c2af40a6fc64bb9de0191ae6dc93e

(this sample)

Cape

https://www.capesandbox.com/analysis/445432/

URLhaus

https://urlhaus.abuse.ch/url/2708245/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample