MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91bedde298120f2112051018910a77a8672687917722e9a4aba692ec312bf4b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	91bedde298120f2112051018910a77a8672687917722e9a4aba692ec312bf4b2
SHA3-384 hash:	b970cde8ccb5f6b3c61d0538b8e0ce8a533adef8aa0352557bc1acab9e8f6d87e3b7c73b20e1974f5dd49740e3c2d77e
SHA1 hash:	b2fb11f5eb37ea6ef0cc03f39b4824e81ffa1cfb
MD5 hash:	002ea05ce596760723b0787ee4bfbbcb
humanhash:	purple-hawaii-freddie-dakota
File name:	168726657698b1d94e482e96168370f0a24749cf0ceaeef19ff5502ce20e1cabd4b9539b93625.dat-decoded
Download:	download sample
File size:	3'254'272 bytes
First seen:	2023-06-20 13:09:40 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep	49152:PkD/BI8szy/fieUebMNeyW6e4CwPZJ8y/nKbYv3I5ctnnEpmQO:Pg7MNTNPZJKb15cupm
Threatray	21 similar samples on MalwareBazaar
TLSH	T11AE5BE0DBA96EE67D3A6273FA02741289631D2523713BB1F0B7D46B43D923F40A417E9
TrID	80.3% (.DLL) Generic .NET DLL/Assembly (236632/4/32) 4.4% (.SCR) Windows screen saver (13097/50/3) 3.5% (.EXE) Win64 Executable (generic) (10523/12/4) 3.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	abuse_ch
Tags:	base64-decoded dll

abuse_ch

Malware dropped as base64 encoded payload

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/401008/

Detection(s):

SecuriteInfo.com.Variant.Zusy.472162.26091.21438.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6491a52c5b95f851940438b8/reports/6f80fba6-d9db-43ed-bc32-2d91a1f9987f/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/91bedde298120f2112051018910a77a8672687917722e9a4aba692ec312bf4b2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b1d09191-8653-4644-80fa-739e8e8e09da

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1258226

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Multi AV Scanner detection for submitted file

Sigma detected: Execute DLL with spoofed extension

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/91bedde298120f2112051018910a77a8672687917722e9a4aba692ec312bf4b2/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2023-06-20 13:10:07 UTC

File Type:

PE (.Net Dll)

Extracted files:

AV detection:

4 of 37 (10.81%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sg7n3yuycihsceqfcamjcctxvbtsnb4ro4rotjflu2joymjl6sza._file

Verdict:

malicious

32fcd31207c5e310957801fca81578c9dcba9ed3515809f62a7d50d93ad033db

470c984d8e1d9413b351c38a01827c7386fd15aef28681559df36574908f7088

6234c83cf8e46f8e09fed9cbf0456be735dc8640c2df0ee4734b7fa730e0b8eb

7474c59e2ced7b554bc03a190b33690f640a8f415b38fe21e2caa0a7a33215c9

8cfab1a4c573103b5b39aed0c2cb8fbcd76d246d7bc106fd0ad1fa6adeff91b9

d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15

e75e7b4f4db640c54deb092dd373afa2b692a2078461cd0193e2b54b84c8250c

f3adace9b9f1d61d8752f65c0418a49595e347c417a17b14655d838993b74229

f86962682a031e037476ea11e8f19b584e0cb19ef80da2af997e0aa64e13b586

+ 11 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230620-qectzacb37/

Unpacked files

SH256 hash:

91bedde298120f2112051018910a77a8672687917722e9a4aba692ec312bf4b2

MD5 hash:

002ea05ce596760723b0787ee4bfbbcb

SHA1 hash:

b2fb11f5eb37ea6ef0cc03f39b4824e81ffa1cfb

Link:

https://www.unpac.me/results/d6a811c0-3487-40bf-ab08-b790f3236abc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/91bedde298120f2112051018910a77a8672687917722e9a4aba692ec312bf4b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

98b1d94e482e96168370f0a24749cf0ceaeef19ff5502ce20e1cabd4b9539b93

DLL dll 91bedde298120f2112051018910a77a8672687917722e9a4aba692ec312bf4b2

(this sample)

Dropped by

SHA256 98b1d94e482e96168370f0a24749cf0ceaeef19ff5502ce20e1cabd4b9539b93

Dropped by

MD5 0035f37a05156861f47f53dc8d2ba243

Cape

https://www.capesandbox.com/analysis/401008/

URLhaus

https://urlhaus.abuse.ch/url/2666889/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample