MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9aaa46606f36b7f4b26420e95a75090d1a933356e994ca69d3af6bb4c3774430. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9aaa46606f36b7f4b26420e95a75090d1a933356e994ca69d3af6bb4c3774430
SHA3-384 hash: f896be9a922ddcf673a2540ebfd5324e8e20fcfe00b6b3eb1ee6c60925a6a7f1e58348663202411882ca591588b92eda
SHA1 hash: 06f3bc15608ac732cdb9070a4be9d763bed6cc7d
MD5 hash: a3eb530244aa24e71ff88a633afd6c6c
humanhash: aspen-don-delta-india
File name:9aaa46606f36b7f4b26420e95a75090d1a933356e994ca69d3af6bb4c3774430
Download: download sample
File size:4'435'968 bytes
First seen:2022-08-03 10:28:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5120f42cb7f6bfbea2075ae8b646c8dc
ssdeep 98304:Do/knCgX0MLIx3dV+4qjulk52bDu2MBW6H+25+ifWByEvwSPKPj6ee55+c:DoMnV8dV+4qjIEaq2YFe25+8Evb7eo+c
Threatray 14'032 similar samples on MalwareBazaar
TLSH T1D02602E8B54067ADC11F0130A03379D8F2744D5E5F9AC667B2EB7B957EBB0A09A03907
TrID 30.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
26.8% (.EXE) UPX compressed Win32 Executable (27066/9/6)
16.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
4.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 4d55214949410727 (1 x RedLineStealer, 1 x AsyncRAT)
Reporter JAMESWT_WT
Tags:exe Hangzhou Saifan Technology Co. Ltd.

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9aaa46606f36b7f4b26420e95a75090d1a933356e994ca69d3af6bb4c3774430
Verdict:
Suspicious activity
Analysis date:
2022-08-03 10:30:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/572ef1d5-7800-450b-9382-81513f6b320b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296152/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the Program Files subdirectories
Creating a file in the Windows directory
Creating a service
Launching a service
Loading a system driver
Searching for the window
Creating a file in the Windows subdirectories
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/62ea4e31d40ca366615aeb03/reports/6a144ec4-5509-4cdc-9898-72197da14962/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e481b8e8-3adc-4805-baf3-855cadef212e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045532
Signature
Antivirus detection for dropped file
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected unpacking (changes PE section rights)
Found driver which could be used to inject code into processes
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample is not signed and drops a device driver
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9aaa46606f36b7f4b26420e95a75090d1a933356e994ca69d3af6bb4c3774430/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2022-08-03 10:29:17 UTC
File Type:
PE (Exe)
Extracted files:
121
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tkvemydpg237jmteeduvu5ijbunjgm2w5gkmu2otv5v3jq3xiqya._file
Verdict:
malicious
Similar samples:
5450806ae37bf26fc3d0db2190b03f0d74c032c3f9a2c91b7870e354992c6e35
7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
8795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f
8ec16e4c4fd0a80322418ea661e4dd3b427f7369078d85f64069588624752bdc
97bd84d68cdb1c875b45f735ab621aed8a0c717e56a7c8337532dabcad5c20a6
9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2
ab631126a17db88906bb50154d9f7c064a3fb8d4d2ff29863705786bca72e30f
ac64e343753c2912dedf804bcb0202cf2aee410b77e52dfb6fae9c0ea610ccbc
ae0a99c5cc44699f19c5967df89e034876b214da707275a33bcf7298697ac184
df50e9ae62a46bda93ff03d76b707d574a3803754a782e21e4b9ef547f7ca32e
+ 14'022 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220803-mh8t2abbhm/
Behaviour
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
ef3b8d9461dc4fb5ce0e4aa4440ec8ae616912f256305c0f61723f03631626f0
MD5 hash:
ffcc0c20805be38df41bf1d5d147d169
SHA1 hash:
b6d1794ea4ac51de575f0a80c282b2c2e22599a7
Link:
https://www.unpac.me/results/9842a449-f35b-4d01-8a5f-d9a52972a710/
SH256 hash:
9aaa46606f36b7f4b26420e95a75090d1a933356e994ca69d3af6bb4c3774430
MD5 hash:
a3eb530244aa24e71ff88a633afd6c6c
SHA1 hash:
06f3bc15608ac732cdb9070a4be9d763bed6cc7d
Link:
https://www.unpac.me/results/9842a449-f35b-4d01-8a5f-d9a52972a710/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/9aaa46606f36b7f4b26420e95a75090d1a933356e994ca69d3af6bb4c3774430

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296152/

Comments