MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8781cd59723f044fecce1d4e3199798be5db1ab06f8da8c16544a451b434ef0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8781cd59723f044fecce1d4e3199798be5db1ab06f8da8c16544a451b434ef0a
SHA3-384 hash: fe8f4c5e5bb2776165016d3bf2e2820db4d0b7b0133870c84bdc0449b2a223265afc01df0204febbd0aa190b243b7363
SHA1 hash: 3756799f9d6166f6e2f402f8368002d1f27cda93
MD5 hash: 0ba5752ca4089e3f230636c566143244
humanhash: mountain-comet-carbon-pluto
File name:file
Download: download sample
File size:1'074'176 bytes
First seen:2022-09-25 10:25:44 UTC
Last seen:2022-09-28 18:43:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2339ac77bf9371500ebbf86df3a10d43 (8 x njrat, 4 x LgoogLoader, 3 x RedLineStealer)
ssdeep 12288:YLowy90Yvw0+m+0s1KzXN+QNWPRCGRhP0Yt1zqpR8q6+0r4sGXEwFbH6aNmkxhs:wyxsmts1oNNIXpU0ZOXEwFbHdNjxh
TLSH T17D35F1D1B059442BE5A366F15C5E55A131227EAA9138D30D2287FE0F49F339304BFBEA
TrID 42.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
14.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d486b2b2aaaa96c4
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from http://79.110.62.249/files/Une.exe

Intelligence

File Origin
# of uploads :
519
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
File.zip
Verdict:
Malicious activity
Analysis date:
2022-09-26 05:11:09 UTC
Tags:
stealer opendir loader ransomware stop evasion redline
Link:
https://app.any.run/tasks/b40814b7-4ccb-4128-83d6-f60d45222843

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313153/
Detection(s):
SecuriteInfo.com.Generic.ML.PUA.14372.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38968/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63302cfb4207caabde63bfb0/reports/01241ffb-fcb7-40b5-9f05-23b890d24542/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cef7597c-b964-4068-b347-9ce3704f840a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1076829
Signature
DLL reload attack detected
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Renames NTDLL to bypass HIPS
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 709371 Sample: file.exe Startdate: 25/09/2022 Architecture: WINDOWS Score: 84 52 Multi AV Scanner detection for submitted file 2->52 54 Machine Learning detection for sample 2->54 10 file.exe 1 5 2->10         started        12 rundll32.exe 2->12         started        process3 process4 14 cmd.exe 1 10->14         started        17 bitsadmin.exe 1 10->17         started        signatures5 60 Obfuscated command line found 14->60 62 Uses ping.exe to sleep 14->62 64 Drops PE files with a suspicious file extension 14->64 66 Uses ping.exe to check the status of other devices and networks 14->66 19 cmd.exe 2 14->19         started        23 conhost.exe 14->23         started        25 PING.EXE 1 14->25         started        27 conhost.exe 17->27         started        process6 file7 46 C:\Users\user\AppData\...\Comparisons.exe.pif, PE32 19->46 dropped 56 Obfuscated command line found 19->56 58 Uses ping.exe to sleep 19->58 29 Comparisons.exe.pif 1 19->29         started        34 findstr.exe 1 19->34         started        36 tasklist.exe 1 19->36         started        38 4 other processes 19->38 signatures8 process9 dnsIp10 50 CcgFZRZvUErxdKdSHzyvek.CcgFZRZvUErxdKdSHzyvek 29->50 48 C:\Users\user\AppData\...\YLbRRgdjnpNj.dll, PE32 29->48 dropped 68 DLL reload attack detected 29->68 70 Renames NTDLL to bypass HIPS 29->70 72 Injects a PE file into a foreign processes 29->72 40 Comparisons.exe.pif 29->40         started        42 conhost.exe 34->42         started        file11 signatures12 process13 process14 44 WerFault.exe 6 11 40->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8781cd59723f044fecce1d4e3199798be5db1ab06f8da8c16544a451b434ef0a/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-25 10:26:10 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6a42wlsh4ce73godvhddglzrps5wgvqn6g2rqlfissfdnbu54fa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220925-mghw8afeeq/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/85df6176-d8f3-4b5a-986e-b706aba54825
Unpacked files
SH256 hash:
054f315be4b2d5bd2c66b5010406559db70c178967b4fd58a33f71ea3ae094f3
MD5 hash:
bcdeaecb33c78ec35787099ca44a610d
SHA1 hash:
58ec4bb6d2b158746c441844b364eb322b5f0df5
Link:
https://www.unpac.me/results/3f605580-c2c4-41eb-929f-35d4dff13bcd/
SH256 hash:
8781cd59723f044fecce1d4e3199798be5db1ab06f8da8c16544a451b434ef0a
MD5 hash:
0ba5752ca4089e3f230636c566143244
SHA1 hash:
3756799f9d6166f6e2f402f8368002d1f27cda93
Link:
https://www.unpac.me/results/3f605580-c2c4-41eb-929f-35d4dff13bcd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8781cd59723f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8781cd59723f044fecce1d4e3199798be5db1ab06f8da8c16544a451b434ef0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2307332/
Cape
Cape
https://www.capesandbox.com/analysis/313153/

Comments