MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a859913b508241b9c2843bd988a5dc64795ee59c553013663d9b9d5c58589d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cutwail

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	8a859913b508241b9c2843bd988a5dc64795ee59c553013663d9b9d5c58589d8
SHA3-384 hash:	e774a0f480d7908571e182857cad0c58a7f811b70f2c0801c77bf0e01a88a9b059446024166ce824cde5730ccbaba903
SHA1 hash:	4f78665e6bb2c828f7a373281a858265afef07cc
MD5 hash:	af25bd810507b72f444c8160f2042128
humanhash:	april-seventeen-shade-sink
File name:	af25bd810507b72f444c8160f2042128.exe
Download:	download sample
Signature	Cutwail Create hunting rule
File size:	305'664 bytes
First seen:	2022-08-31 18:05:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4e4ac8ce1e119b957e1ec71265bc4120 (6 x Smoke Loader, 3 x RedLineStealer, 1 x TeamBot)
ssdeep	6144:+UfeUgusPhAWvTslMS/cj358WCJl04AuJJcDdSJy1z:reUIPqo4aS/cj35eJ64A2JSgwZ
TLSH	T1D1547C00AB90D039E5F715F8417A8769A53C7EB1A77440CFA2D42BEE5B386E0AD3171B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	2dec1378399b9b91 (25 x Smoke Loader, 22 x RedLineStealer, 7 x RaccoonStealer)
Reporter	abuse_ch
Tags:	Cutwail exe

Intelligence

File Origin

# of uploads :

# of downloads :

328

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cutwail.zip

Verdict:

Malicious activity

Analysis date:

2022-09-01 03:12:52 UTC

Tags:

trojan sinkhole

Link:

https://app.any.run/tasks/8ae94f2b-8696-4506-a1e3-0efb837a5fd2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/306956/

Detection(s):

SecuriteInfo.com.Trojan.Siggen18.40981.6968.17590.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

DNS request

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/630fa31e3e9e50b1baf0e435/reports/ceddc071-ec48-4fdc-9279-46503ef3986b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cutwail

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/07e949b2-9163-4b8d-9bbd-4e895c5b8f34

Result

Threat name:

Pushdo

Detection:

malicious

Classification:

spre.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1061845

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8a859913b508241b9c2843bd988a5dc64795ee59c553013663d9b9d5c58589d8/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2022-08-31 10:23:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rkczse5vbasbxhbiio6zrcs5yzdzl3szyvjqcntd3g45lrmfrhma._file

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence upx

Link:

https://tria.ge/reports/220831-wprc1abeh6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

UPX packed file

Unpacked files

SH256 hash:

b09b696f004f12700aeeb3a0b0cf51edfd929e28544e914864c594f8cab8230f

MD5 hash:

46c3f1b67361d87cd156691f84266d06

SHA1 hash:

72639db91282adaf93cfe1bb8f3cfdac35e11643

Detections:

win_pushdo_auto

Link:

https://www.unpac.me/results/ded09538-e78a-4787-b1da-0265af8eb3e9/

Parent samples :

777cae39a76b463d30086fb1b826491e53b3277293a49c7bfc3ffbe568e420f5
adfcc71b9cb01a17514ad232717198d9a11b67009bffe59e50e79714c6118b01
017a551be1e7927b1ec9f6dbe3af83682424f449b73bf2fde61f26773a01d16b
fef56ad19ebb148fa9b561e111ef6d6049a4fd801e88f3944359f8537bd624cf
230a439a85a69876aa7444cf6f218009c88b021704411bd247567e961e62b243
181e69353ba4190572b8ab171545452cf9ad4dac32c0c2c2c6716853fc604c88
0adca2341c0ab6a5e4ae2677a50a05cf8a302052f083bf7b12117cc7e3c3b059
d506e86ce47aac97e41a8b49a5dc4c410a3d9a86721264077a5f47adf5abc26b
e067dd49b60cb082d0f0a78bbc6139c494f2c3cf0f157f7041c98c58c070fa12
3506cb5aede37423e0c1542075d889ce8884edcc9bd7031a7fe54211d43e36c1
377b6494504cb789a2ea6c43f1cec155d92b3af9ad4a18a1d833e553e0cc6a68
7a9938273e502427d127d1aced6f9fe7fd25c7fdffe5319788f1e0588280734b
9933468292efeb6b2c9d2c8e36bbe818aebe7e46eeb6d7e25a8299b4e90f3ab6
02fe1e05ca2f07215863e2a1fb3b5a00964ed07ffa2ddee45cf6ee8af10aff90
5b3a8ff94b27ba20933e4850821591f20b6c1bf2d9141bb3870d81b8a457ed83
095a3f84debd7481b880016a770c211a793847f61c72499b4702b16fd9666b28
dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073a64fdfd1285e
8a859913b508241b9c2843bd988a5dc64795ee59c553013663d9b9d5c58589d8

SH256 hash:

2667c1ba9a3c1f4b69b0adc75c2ce242373823927b3e5c94d5cb670274c28c93

MD5 hash:

8dbe23493c7ca72a67185942a642a211

SHA1 hash:

aab74fa20f0c9b641755cfc45d3c3df62928b78c

Link:

https://www.unpac.me/results/ded09538-e78a-4787-b1da-0265af8eb3e9/

SH256 hash:

8a859913b508241b9c2843bd988a5dc64795ee59c553013663d9b9d5c58589d8

MD5 hash:

af25bd810507b72f444c8160f2042128

SHA1 hash:

4f78665e6bb2c828f7a373281a858265afef07cc

Link:

https://www.unpac.me/results/ded09538-e78a-4787-b1da-0265af8eb3e9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8a859913b508/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8a859913b508241b9c2843bd988a5dc64795ee59c553013663d9b9d5c58589d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	win_pushdo_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.pushdo.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cutwail

exe 8a859913b508241b9c2843bd988a5dc64795ee59c553013663d9b9d5c58589d8

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2287011/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/306956/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample