MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 972d533e4df0786799c0e7c914aa6c04870753c10757c5d58cd874b92a7f4739. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 972d533e4df0786799c0e7c914aa6c04870753c10757c5d58cd874b92a7f4739
SHA3-384 hash: e59510a6438b00b44068d452c2162808e196d4bbe41a530db7e50f99b6da36a4548917332c1258ca39210b2bdb316b78
SHA1 hash: 158936951114b6a76d665935ad34f6581556fcdf
MD5 hash: 6e7430832c1c24c2bf8be746f2fe583c
humanhash: lake-october-gee-potato
File name:6e7430832c1c24c2bf8be746f2fe583c.exe
Download: download sample
File size:356'864 bytes
First seen:2022-01-16 12:53:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 6144:v5aWbksiNTBiNg5/dEQECtD2YajndnU4aomwStqUJE0ra7yswH:v5atNTMNg5eQX2BdUcDStq+J4bwH
Threatray 96 similar samples on MalwareBazaar
TLSH T1F5740145B2D542F7E6F2053201E6B12EAB77A735872198EBC34C6D029503AD1AB3D3F9
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6e7430832c1c24c2bf8be746f2fe583c.exe
Verdict:
Malicious activity
Analysis date:
2022-01-16 13:04:22 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/c58972fd-f2ce-4823-afaa-aeea86a29e68

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219600/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.41903412.23037.4057.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Searching for synchronization primitives
Searching for the window
Forced system process termination
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4344/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/61e4156ef2e8ec86fe06dd07/reports/e259a2f4-355b-442e-ae95-bae303f8a634/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/471d88ec-9ed7-498c-84f3-33b268aff43f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921374
Signature
Command shell drops VBS files
Creates HTML files with .exe extension (expired dropper behavior)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses BatToExe to download additional code
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553852 Sample: QQhgg2sQI1.exe Startdate: 16/01/2022 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Machine Learning detection for sample 2->39 41 Sigma detected: WScript or CScript Dropper 2->41 43 2 other signatures 2->43 7 QQhgg2sQI1.exe 10 2->7         started        process3 file4 27 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\Temp\...\421E.bat, ASCII 7->29 dropped 53 Potential malicious VBS script found (suspicious strings) 7->53 11 cmd.exe 5 6 7->11         started        15 conhost.exe 7->15         started        signatures5 process6 file7 31 C:\Users\user\AppData\Local\Temp\...\123.vbs, ASCII 11->31 dropped 55 Potential malicious VBS script found (suspicious strings) 11->55 57 Command shell drops VBS files 11->57 59 Uses BatToExe to download additional code 11->59 17 wscript.exe 11->17         started        21 extd.exe 1 11->21         started        23 extd.exe 2 11->23         started        25 3 other processes 11->25 signatures8 process9 dnsIp10 33 iplogger.org 148.251.234.83, 443, 49759 HETZNER-ASDE Germany 17->33 45 System process connects to network (likely due to code injection or exploit) 17->45 47 May check the online IP address of the machine 17->47 49 Multi AV Scanner detection for dropped file 21->49 51 Creates HTML files with .exe extension (expired dropper behavior) 21->51 35 a0621298.xsph.ru 141.8.194.74, 49760, 49761, 80 SPRINTHOSTRU Russian Federation 23->35 signatures11
Gathering data
Threat name:
Win32.Trojan.Scar
Create hunting rule
Status:
Malicious
First seen:
2022-01-16 12:54:10 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0cc7d034e9b01b5f02d0843e62c5ce0c79dc380fc3c126be71c8ad31ab8acad6
3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4
4da864854d368ab640245f8174d247e0b9947045712d2d7449e25e7074b8587c
6fc704900ddda4e22fd10ae2bf066c403a2567ce830d1b8fe7721231414382b7
83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0
83b1180e8794a4d719586d4f5fe237b37167ef93c186d3c0976a70d39541c72f
e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
f3622af9e9478d97008e6a7d3f97449148f2cc6fc03420d47020f7b33dbd47cb
+ 86 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/220116-p476qsfdf5/
Behaviour
Checks processor information in registry
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
a08d2b11558b6e883571fff987d04c35ef27accd4fd2561adfad290c95ca6531
MD5 hash:
67aa4920b3c598bcfd4088dbbc13977b
SHA1 hash:
3b54128f44ca48ef5873ab50a624c1b6f6e201c1
Link:
https://www.unpac.me/results/03a72d5d-6721-446f-841f-74e27ae48b62/
SH256 hash:
972d533e4df0786799c0e7c914aa6c04870753c10757c5d58cd874b92a7f4739
MD5 hash:
6e7430832c1c24c2bf8be746f2fe583c
SHA1 hash:
158936951114b6a76d665935ad34f6581556fcdf
Link:
https://www.unpac.me/results/03a72d5d-6721-446f-841f-74e27ae48b62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/972d533e4df0786799c0e7c914aa6c04870753c10757c5d58cd874b92a7f4739

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219600/

Comments