MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 901ec2f017d11c1569c211c3a3279c5f613d117e349c5a1efe881a5003ec6b17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: 901ec2f017d11c1569c211c3a3279c5f613d117e349c5a1efe881a5003ec6b17
SHA3-384 hash: 7c24849f6fb51c237cfcf0e23b2a183524a6f9330be431a3596406da4a0b90e208c605ee7710c8afd04674dd0b262b6c
SHA1 hash: 30f49d1a6a85525290fbccfc5dd4436e5cafc26d
MD5 hash: 4767ba2f13005ca6a74c994b0ebe33dd
humanhash: kitten-emma-three-pip
File name: 4767ba2f13005ca6a74c994b0ebe33dd
File size: 1'840'848 bytes
First seen: 2021-12-30 20:52:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 23a6f7b455b4639b7e61f1e5210339a4
ssdeep: 49152:27QzrciQ+dagX06dt7r/PDAqGiVXOPrfaiY7jUNUTJn1vPLFjp:2m7X06dt7r/P8ZykrfaiY7INSnPNp
Threatray: 20 similar samples on MalwareBazaar
TLSH: T1C6853C65FC8C6D89ED526133CD7078A6632BFDA231686CC0E5FC3933AB2AD954473864
dhash icon: eef0f8f87363e3da
Reporter: zbetcheckin
Tags: exe

Intelligence


File Origin
Uploads: 1
Downloads: 210
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 4767ba2f13005ca6a74c994b0ebe33dd
Verdict: Malicious activity
Analysis date: 2021-12-30 20:54:02 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Creating synchronization primitives
DNS request
Launching a process
Creating a process with a hidden window
Creating a file
Forced system process termination
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: exploit overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by executing a special instruction that causes a usermode exception
Yara detected Costura Assembly Loader
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-12-30 06:37:00 UTC
File Type: PE (Exe)
Extracted files: 94
AV detection: 22 of 43 (51.16%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Modifies Installed Components in the registry
Unpacked files

SHA256 hash: 9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash: 9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash: e2378a1c22c35e40fd1c3e19066de4e33b50f24a

SHA256 hash: ffa8794a2ddc3643951b6b35b6c070b5e2f29c4acc560659e27a9bc7c09654f3
MD5 hash: 0eba70b0a1496445440aff9f974c4812
SHA1 hash: a8ffaebc8372b21e502d279e7f359eca8bb3d00d

SHA256 hash: 0f54c904eaef0852155477ed242b87ed7df7f1241b3fde336fc4f56f54914252
MD5 hash: 98bf18b57637311f5525862db87146b6
SHA1 hash: 884983b2e0a0479cdfdd5a622e03c385a97b2a35

SHA256 hash: 6ddeca467e8b9d6f4f8deca74574adcb9d7ea029b1fcf5ba677b4ece34b22b15
MD5 hash: 4fe470b56280cbfd3732a284c7810851
SHA1 hash: 08c50c2358b41b3dcf362257accfb1b12ba57174

SHA256 hash: 0a314fe20ca71ac51dab76c3684e09c500d59a56b8aa35b764e662418f6e7f48
MD5 hash: 1b3ee97dee632741ca3e9b440aa36477
SHA1 hash: 678705f887a76b23eaeb1bd7c65210f57ea5c9f0

SHA256 hash: 901ec2f017d11c1569c211c3a3279c5f613d117e349c5a1efe881a5003ec6b17
MD5 hash: 4767ba2f13005ca6a74c994b0ebe33dd
SHA1 hash: 30f49d1a6a85525290fbccfc5dd4436e5cafc26d
Please note that we are no longer able to provide a coverage score for Virus Total.
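An added example, not MalwareBazaar's own tooling: it computes the four digests this entry lists for a sample in a single pass over the file and checks the result against the SHA256 values published above for the parent sample and its unpacked children, which is the check to run before detonating a file you believe to be this sample. The IOC set is copied from this entry; the chunk size and the constructed test inputs are the example's own assumptions.

```python
"""Hash a file once with every digest MalwareBazaar shows and match it
against the SHA256 IOCs from this entry. Example code, not MalwareBazaar's."""
import hashlib
import io

# SHA256 values copied from this MalwareBazaar entry (sample + unpacked files).
IOC_SHA256 = {
    "901ec2f017d11c1569c211c3a3279c5f613d117e349c5a1efe881a5003ec6b17",
    "9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026",
    "ffa8794a2ddc3643951b6b35b6c070b5e2f29c4acc560659e27a9bc7c09654f3",
    "0f54c904eaef0852155477ed242b87ed7df7f1241b3fde336fc4f56f54914252",
    "6ddeca467e8b9d6f4f8deca74574adcb9d7ea029b1fcf5ba677b4ece34b22b15",
    "0a314fe20ca71ac51dab76c3684e09c500d59a56b8aa35b764e662418f6e7f48",
}

# The digests shown in the Database Entry table (ssdeep/TLSH/imphash need
# third-party libraries and are deliberately left out here).
ALGOS = ("md5", "sha1", "sha256", "sha3_384")


def digest_stream(fileobj, chunk_size=1 << 20):
    """Read a binary stream once and feed every chunk to all hashers.

    chunk_size (1 MiB) is an arbitrary choice; it keeps memory flat for
    multi-GB dumps. Returns {algorithm: lowercase hex digest}.
    """
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Convenience wrapper for in-memory buffers (e.g. an unpacked child)."""
    return digest_stream(io.BytesIO(data))


def digest_path(path):
    with open(path, "rb") as fh:
        return digest_stream(fh)


def match_iocs(digests, iocs=IOC_SHA256):
    """Return the matching SHA256 (lowercase) or None if the file is unknown.

    Comparison is case-insensitive because feeds disagree on hex casing.
    """
    sha = digests["sha256"].lower()
    known = {i.lower() for i in iocs}
    return sha if sha in known else None


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        d = digest_path(path)
        hit = match_iocs(d)
        print(f"{path}: sha256={d['sha256']} ioc_match={hit or 'none'}")
```

Run it as `python3 hashcheck.py hv.exe` after downloading the sample; a non-match means you do not have the file this entry describes, regardless of what the file name claims.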

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
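The two rule hits above re-implemented as plain Python checks, so they can be run over a file without a YARA binary: the PE compilation timestamp is read from IMAGE_FILE_HEADER.TimeDateStamp and compared with the clock, and Bitcoin address candidates are decoded with Base58Check to confirm the 4-byte double-SHA256 checksum. This is an added example, not MalwareBazaar's or the rule authors' code; the minimal PE fixture, the test strings and the one-day clock slack are the example's own assumptions.

```python
"""Plain-Python equivalents of the two YARA hits on this entry.
Added example; not the rule authors' or MalwareBazaar's code."""
import hashlib
import re
import struct
import time

# ---- Check 1: stomped PE compilation timestamp (in the future) ----------

def pe_timestamp(data):
    """Return IMAGE_FILE_HEADER.TimeDateStamp; raise ValueError if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte "PE\0\0" signature followed by the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def classify_timestamp(data, now=None, slack=86400):
    """'future' when the link time post-dates `now` by more than `slack`
    seconds (assumed one day of clock skew), 'plausible' otherwise,
    'not-pe' for anything the parser rejects. A genuine build cannot
    post-date its own analysis, so 'future' means a forged timestamp."""
    try:
        stamp = pe_timestamp(data)
    except ValueError:
        return "not-pe"
    now = int(time.time()) if now is None else now
    return "future" if stamp > now + slack else "plausible"


def build_min_pe(stamp):
    """Constructed fixture: only the bytes the parser touches (MZ stub,
    e_lfanew, PE signature, COFF header). Not a loadable executable."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


# ---- Check 2: strings that are valid Base58Check Bitcoin addresses ------

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) address shape; the checksum below rejects false hits.
_ADDR_RE = re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def base58check_decode(addr):
    """Return the 21-byte payload (version + hash160) or None on failure."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))     # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    if len(raw) != 25:                          # 1 version + 20 hash + 4 checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if digest == checksum else None


def is_valid_bitcoin_address(addr):
    return base58check_decode(addr) is not None


def find_bitcoin_addresses(data):
    """Regex candidates from a binary blob, kept only if Base58Check passes."""
    return [m.group().decode() for m in _ADDR_RE.finditer(data)
            if is_valid_bitcoin_address(m.group().decode())]


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, classify_timestamp(blob), find_bitcoin_addresses(blob))
```

The checksum step matters: the regex alone fires on any 26-35 character Base58-looking run, which packed binaries produce constantly; the YARA rule gets its low false-positive rate from the same checksum. The well-known genesis-block address is used as the valid test input.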

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 901ec2f017d11c1569c211c3a3279c5f613d117e349c5a1efe881a5003ec6b17 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-12-30 20:52:40 UTC

url : hxxp://91.243.44.128/hv/hv.exe