MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 885e0a44035c45c8643139acac60e5f8ca2ada3218bda9691dcbd98602653703. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 885e0a44035c45c8643139acac60e5f8ca2ada3218bda9691dcbd98602653703
SHA3-384 hash: c5416e76fec7200e15f64ef9b560f43c263c03c59a54ab270c4d2aafaa3b436d37dd465c7b8f7ccb342b17db135144f1
SHA1 hash: 05d4bc0fd714b0ca5927659bc3eaa6de9a6852e2
MD5 hash: f59160f8bf6d380cdecbd2db94c61deb
humanhash: florida-bakerloo-july-ten
File name:file
Download: download sample
File size:389'935 bytes
First seen:2022-12-07 12:46:31 UTC
Last seen:2022-12-09 20:12:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'511 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:x/QiQXC8km+ksmpk3U9j0IkGOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi38P6m6UR0IkGlL//plmW9bTXeVhD4
Threatray 315 similar samples on MalwareBazaar
TLSH T1AD841243F3E15839E073CEB02CA0E961493F79255DBC650836ECAD8E9F3B5829256793
TrID 75.1% (.EXE) Inno Setup installer (109740/4/30)
9.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.0% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://punch-annannase.s3.pl-waw.scw.cloud/TUN3.exe

Intelligence

File Origin
# of uploads :
11
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-07 12:47:09 UTC
Tags:
installer loader
Link:
https://app.any.run/tasks/91ca1ac6-8bc7-4ff9-b78e-c7242eaf37ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343932/
Detection(s):
SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a custom TCP request
Connecting to a non-recommended domain
Creating a file in the Program Files subdirectories
Sending an HTTP POST request
Creating a file
Searching for the window
Searching for synchronization primitives
Moving a file to the Program Files subdirectory
Modifying a system file
Adding an access-denied ACE
Launching a process
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Searching for the browser window
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63908b479a505ad9423ddc87/reports/e3704648-aa0e-47e0-af32-f22f4d5d6350/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cac998c1-7226-492d-8e62-d07467706ee0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1129904
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Obfuscated command line found
Snort IDS alert for network traffic
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 762624 Sample: file.exe Startdate: 07/12/2022 Architecture: WINDOWS Score: 100 89 xv.yxzgamen.com 2->89 91 www.profitabletrustednetwork.com 2->91 93 26 other IPs or domains 2->93 111 Snort IDS alert for network traffic 2->111 113 Antivirus detection for URL or domain 2->113 115 Antivirus detection for dropped file 2->115 117 7 other signatures 2->117 11 file.exe 2 2->11         started        15 Vozhymacyby.exe 2->15         started        18 Vozhymacyby.exe 2->18         started        signatures3 process4 dnsIp5 75 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 11->75 dropped 125 Obfuscated command line found 11->125 20 file.tmp 3 19 11->20         started        105 s3.pl-waw.scw.cloud 15->105 107 uchiha.s3.pl-waw.scw.cloud 15->107 109 2 other IPs or domains 15->109 file6 signatures7 process8 dnsIp9 95 s3.pl-waw.scw.cloud 151.115.10.1, 443, 49695, 49701 OnlineSASFR United Kingdom 20->95 97 5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud 20->97 51 C:\Users\user\AppData\Local\...\zizou.exe, PE32 20->51 dropped 53 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 20->53 dropped 55 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 20->55 dropped 57 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->57 dropped 24 zizou.exe 22 19 20->24         started        file10 process11 dnsIp12 99 s3.pl-waw.scw.cloud 24->99 101 connectini.net 37.230.138.123, 443, 49698, 49708 ROCKETTELECOM-ASRU Russian Federation 24->101 103 5 other IPs or domains 24->103 67 C:\Users\user\AppData\...\ZHydybyxaemi.exe, PE32 24->67 dropped 69 C:\Users\user\AppData\...\ZHydybyxaemi.exe, PE32 24->69 dropped 71 C:\Program Files\UNP\...\poweroff.exe, PE32 24->71 dropped 73 4 other malicious files 24->73 dropped 119 Multi AV Scanner detection for dropped file 24->119 121 Machine Learning detection for dropped file 24->121 123 Drops executable to a common third party application directory 24->123 29 poweroff.exe 2 24->29         started        33 ZHydybyxaemi.exe 14 17 24->33         started        36 ZHydybyxaemi.exe 4 24->36         started        file13 signatures14 process15 dnsIp16 77 C:\Users\user\AppData\Local\...\poweroff.tmp, PE32 29->77 dropped 127 Obfuscated command line found 29->127 38 poweroff.tmp 29->38         started        79 www.google.com 172.217.23.100, 443, 49714, 49743 GOOGLEUS United States 33->79 81 connectini.net 33->81 129 Antivirus detection for dropped file 33->129 131 Multi AV Scanner detection for dropped file 33->131 133 Machine Learning detection for dropped file 33->133 41 chrome.exe 33->41         started        43 chrome.exe 33->43         started        45 chrome.exe 33->45         started        47 5 other processes 33->47 83 google.com 142.250.186.110 GOOGLEUS United States 36->83 85 192.168.2.1 unknown unknown 36->85 87 connectini.net 36->87 file17 signatures18 process19 file20 59 C:\...\unins000.exe (copy), PE32 38->59 dropped 61 C:\Program Files (x86)\...\is-TVB2P.tmp, PE32 38->61 dropped 63 C:\Program Files (x86)\...\is-KSCV2.tmp, PE32 38->63 dropped 65 3 other files (1 malicious) 38->65 dropped 49 Power Off.exe 38->49         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/885e0a44035c45c8643139acac60e5f8ca2ada3218bda9691dcbd98602653703/
Threat name:
Win32.Trojan.Manuscrypt
Create hunting rule
Status:
Malicious
First seen:
2022-12-07 12:47:06 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbpauradlrc4qzbrhgwkyyhf7dfcvwrsdc62s2i5zpmymatfg4bq._file
Verdict:
malicious
Similar samples:
1449e7a3111fdfb697c631367fcbc08eb0ab911bc280fd0c3d132cc3918d1da6
6b314655dd710e2b4bee14402e4c0320aafd5faadcea6ddb16b01cfc049f6ccf
6be048992227daa3e44558b5e8b342f3f153eb0ff535ab399f4cd4ae3e4345bb
8b1813aef6ef673d4a0973bbf426857d251c21e71889376ba581652b5e56e4f3
ad8e32c58c848eb03c4414224e74530dab7ea632229d704fc888a7a843396650
d026b0f1bfa1ea1bc142695477450d6bd4c10e6d7cdbff1d4e8abaad8f04b6c1
f8904db64b83e85ee7ec0747230c18a8cd6d28a05e5784be796182fa4ea79b0d
+ 305 additional samples on MalwareBazaar
Result
Malware family:
nymaim
Create hunting rule
Score:
  10/10
Tags:
family:nymaim evasion persistence trojan
Link:
https://tria.ge/reports/221207-pz7peaaa8s/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
NyMaim
Malware Config
C2 Extraction:
45.139.105.171
85.31.46.167
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e6bac3d5-49bd-465a-8e58-e109613d9dfb
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/a434f2f2-7bdd-42c8-add4-628f96d3ad07/
SH256 hash:
3a0a6a55bc33f45a9dbbdf5e1b13bea50020d72e2c6d0c004cb4e9a7b7c3378a
MD5 hash:
c4bbac25e6a49caf8d4ad05a10059a06
SHA1 hash:
0fd1dab99e4a011e8c16ed5732b4c2ab388fd822
Link:
https://www.unpac.me/results/a434f2f2-7bdd-42c8-add4-628f96d3ad07/
SH256 hash:
885e0a44035c45c8643139acac60e5f8ca2ada3218bda9691dcbd98602653703
MD5 hash:
f59160f8bf6d380cdecbd2db94c61deb
SHA1 hash:
05d4bc0fd714b0ca5927659bc3eaa6de9a6852e2
Link:
https://www.unpac.me/results/a434f2f2-7bdd-42c8-add4-628f96d3ad07/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/885e0a44035c45c8643139acac60e5f8ca2ada3218bda9691dcbd98602653703

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/343932/
  
URLhaus
https://urlhaus.abuse.ch/url/2449576/

Comments