MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88ab7da3c5b023decb5236bd3e5dbaff82b6f23da74b1c0025d459b7570c995d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 10 File information Comments

SHA256 hash:	88ab7da3c5b023decb5236bd3e5dbaff82b6f23da74b1c0025d459b7570c995d
SHA3-384 hash:	f55446d4a1c9639d210c7ec8efffe9a423202b851e9e678f60030f9a627bf6119e36a0b5c5d783f1ded61eb2a24514ef
SHA1 hash:	a25cb1da85c5230b294695a920def9e9d1c2aba5
MD5 hash:	a76f2f4b188ae4c173e5a211d91bc98d
humanhash:	lake-don-asparagus-magnesium
File name:	ES Manual Global del Programa de Complimiento de Agentes 2022.pdf.exe
Download:	download sample
File size:	2'738'821 bytes
First seen:	2022-09-27 12:37:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	49152:zZlds6CXSYte31V0uG7oIYgceyfbNVtgboAIRy64ov+4DXNvh:zZldsbUkn7o2yp8yRL4o24D9vh
Threatray	1'857 similar samples on MalwareBazaar
TLSH	T1FAC52341B5DA88B0D5231B311936A620167FBD648A35890F63EC7E2BBB732827534F77
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter	JAMESWT_WT
Tags:	Anyplace anyplace-gateway-work exe

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ES Manual Global del Programa de Complimiento de Agentes 2022.pdf.rar

Verdict:

Malicious activity

Analysis date:

2022-09-27 12:42:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/116c2fab-c9e7-4bf9-a7ea-602d4f30a6c7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/313969/

Detection(s):

SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Program Files subdirectories

Creating a process from a recently created file

Creating a file

Creating a service

Launching a service

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun for a service

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/39481/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/6332eeac95b5342f6cbdbf96/reports/7571adc6-cf12-442c-adf0-648b15bfd65c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/61d456e2-cbea-493f-bb80-82fb20346e1f

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1078303

Signature

Antivirus detection for dropped file

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Contains functionalty to change the wallpaper

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Uses an obfuscated file name to hide its real file extension (double extension)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/88ab7da3c5b023decb5236bd3e5dbaff82b6f23da74b1c0025d459b7570c995d/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-09-27 12:38:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rcvx3i6fwar55s2sg26t4xn276bln4r5u5fryabf2rm3ovymtfoq._file

Verdict:

malicious

0e3854e6b691065b05fd143d9a67ccbc7869ccfce719b09d9443b7166f5ec61b

267c37f15594e1b55c509e743784ba4e05a7f2d5aa554a55a9357d1fc45b74f4

41d6f0977590e08c50b69579e57d4fde515ce214d958b700b18d36318b44e4db

50774c53ce18234a360e8848e54a0e50468e019b74352a9228737fd4860cf419

61640080e5604b1f88734d5d6d4dc118a79f3670053d5b297e0353dce9fa60bb

ae6e498c8c5441ea32f11e33f00a73446a429aa601c2eccefbc4c40561481a2c

bf29918a0b7d197baf8bfe6c2338ca4f5428280ba5375cb48fd02b92acc55f38

ffe8dbb5865f5493872432f968c9a6183fdf7b79f62b17b5093af5028497cb33

+ 1'847 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

bootkit persistence upx

Link:

https://tria.ge/reports/220927-pt2wzaddh6/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of SetThreadContext

Writes to the Master Boot Record (MBR)

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

Unpacked files

SH256 hash:

f15b0408096eafc700fe069b716ffa921854b4e95bed33ad08524a59cc8ad57b

MD5 hash:

9a8608bb0b654c650743221914d87ac2

SHA1 hash:

bc4dde9361fe4170a93e6e9af80cb8a2aaf70f66

Link:

https://www.unpac.me/results/7a66bcee-9f76-4f82-ba00-aaec884021be/

SH256 hash:

2fafb2a5116b640a09804bb5e2f04b843a00d7b70ed73b60d0ed5068aad28bc9

MD5 hash:

c374e81222e06289a2a28aaa160b0a35

SHA1 hash:

a872dbaf117dad990371445bfd637c90b87fea8a

Link:

https://www.unpac.me/results/7a66bcee-9f76-4f82-ba00-aaec884021be/

SH256 hash:

65a9bbd5b3b9161c0dd61a9e185e391cfa68f31171e1a5fcfad20bcc9eb09480

MD5 hash:

e10db82c997a756a01b6f954e86b83e0

SHA1 hash:

411fca36d8639b0ba78d8b3cfe1421626a33e6b4

Link:

https://www.unpac.me/results/7a66bcee-9f76-4f82-ba00-aaec884021be/

SH256 hash:

42a485bc0295d1136858db0959cc03042a9fd1b1ebb9d5cf34e6f21bc07778b9

MD5 hash:

1b0dc2b9c0952492feca5c84c6934da0

SHA1 hash:

9a9ca03f81cc38429ca1c38283a8c8385ff830cf

Link:

https://www.unpac.me/results/7a66bcee-9f76-4f82-ba00-aaec884021be/

SH256 hash:

88ab7da3c5b023decb5236bd3e5dbaff82b6f23da74b1c0025d459b7570c995d

MD5 hash:

a76f2f4b188ae4c173e5a211d91bc98d

SHA1 hash:

a25cb1da85c5230b294695a920def9e9d1c2aba5

Link:

https://www.unpac.me/results/7a66bcee-9f76-4f82-ba00-aaec884021be/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/88ab7da3c5b0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/88ab7da3c5b023decb5236bd3e5dbaff82b6f23da74b1c0025d459b7570c995d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	RansomwareTest2 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest3 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest6 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest7 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

Rule name:	sfx_pdb_winrar_restrict Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/313969/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample