MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 995f60fa20fabc4943aaae2cc8c906eace61fc2d2940642c16dda037f5575e60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 995f60fa20fabc4943aaae2cc8c906eace61fc2d2940642c16dda037f5575e60
SHA3-384 hash: 31ae76928b97233660645136103348d86c85d41780f396acd701a9cf23c1dd4a1484ac265ef4b7259f2e48bd1da15e3c
SHA1 hash: 46f128cb98d95fac7d88c397d032ba84e6a2d0fe
MD5 hash: d10eecb5cc502806778888a887b81c55
humanhash: kitten-massachusetts-hotel-saturn
File name:imagedisk.exe
Download: download sample
File size:531'968 bytes
First seen:2021-12-31 16:06:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6efe717c6d1ba1e8476234661c7c7fc
ssdeep 12288:DFlrb4eWr1aeMl2yxgVTpQmjJz2n9Pqu8iqRo4T:5B1SRMwyxgVFJ6n9V8J
Threatray 225 similar samples on MalwareBazaar
TLSH T115B44A09E6A844E5E963B239B95EC206D3B1BC1F4B61C74F03A47E6B3F336904D29716
File icon (PE):PE icon
dhash icon 429d9e1796470b34 (3 x IcedID, 1 x LaplasClipper)
Reporter TheWit0k
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216953/
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3581/overview
Behaviour
CheckScreenResolution
CursorPosition
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/61cf2aaa4ab5c44cbf58fd92/reports/6633cfb3-8760-4ab5-96f0-886b57e8561e/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89696f90-c71f-4561-ac88-0227807291a5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/914341
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546819 Sample: imagedisk.exe Startdate: 31/12/2021 Architecture: WINDOWS Score: 60 44 Multi AV Scanner detection for submitted file 2->44 46 Initial sample is a PE file and has a suspicious name 2->46 9 imagedisk.exe 2->9         started        11 imagedisk.exe 2->11         started        13 imagedisk.exe 2->13         started        process3 process4 15 cmd.exe 1 9->15         started        signatures5 50 Uses ping.exe to sleep 15->50 52 Uses ping.exe to check the status of other devices and networks 15->52 18 imagedisk.exe 15->18         started        20 conhost.exe 15->20         started        22 choice.exe 1 15->22         started        process6 process7 24 cmd.exe 1 18->24         started        27 cmd.exe 1 18->27         started        signatures8 48 Uses ping.exe to sleep 24->48 29 PING.EXE 1 24->29         started        32 conhost.exe 24->32         started        34 imagedisk.exe 24->34         started        36 conhost.exe 27->36         started        38 reg.exe 1 1 27->38         started        process9 dnsIp10 40 192.0.2.222 unknown Reserved 29->40 42 192.168.2.1 unknown unknown 29->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/995f60fa20fabc4943aaae2cc8c906eace61fc2d2940642c16dda037f5575e60/
Threat name:
Win64.Spyware.Bazarloader
Create hunting rule
Status:
Malicious
First seen:
2021-12-23 02:49:00 UTC
File Type:
PE+ (Exe)
Extracted files:
42
AV detection:
17 of 27 (62.96%)
Threat level:
  2/5
Verdict:
unknown
Similar samples:
08340c953247df216a72580f2a5aa24f6688a24e2316ed4ea62b863dbc252d3e
1c620f5c3a65d09cd30671a6ea697b47247f9df687ce9ff748ffb7dab9e92dd4
46a4adff398701be12f12d6c971eb2725eeb9503bdcf7d260459cd086ea58eb5
55732e1d96679acdfe0fffd6c28165aabbdb1f7a1d2e8541bb00d1a8ac8b68bc
cdc70b4553a9b4ac1916c0a9c9ea05db3e5cf28119432dbd244e37d6c0ca87a1
cffd82a25e87c9fff7695581d72521fb1bc65ab1b616c0639e36689ae0494d38
d4032fbbc8d1d4d11c98b1b85801a5b5ce36042ef09b0f3118e7770827f160d8
e8cfbe425f68faba79342ad20a6a0039c602c67626c91cb8164cb08319c58a57
e96721c0194fef754b28344960a41649914e1eaf6a43588e9d9018104b80ecea
ee9a8a1a2081e841af1c0895e2cae936cb38231af59426d54c68d6a2357ac236
+ 215 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211231-tkm4nshaf3/
Behaviour
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
995f60fa20fabc4943aaae2cc8c906eace61fc2d2940642c16dda037f5575e60
MD5 hash:
d10eecb5cc502806778888a887b81c55
SHA1 hash:
46f128cb98d95fac7d88c397d032ba84e6a2d0fe
Link:
https://www.unpac.me/results/cf3f2ea1-1948-43fc-8438-6a57860aa8b6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/995f60fa20fa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/995f60fa20fabc4943aaae2cc8c906eace61fc2d2940642c16dda037f5575e60

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216953/

Comments