MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9acefbb6638612b03847da2c1652e3a1aae9d677b22f5c5d0e43022d8d08c6bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9acefbb6638612b03847da2c1652e3a1aae9d677b22f5c5d0e43022d8d08c6bb
SHA3-384 hash: 3449e3cf2facd9f488d0d5adeb3791f251afa7550ab14662491702d99e7b15fbbd2322bcbe34c6e234f99d8c168694d9
SHA1 hash: 31e6be8418af94b99b1773d9703e287008c24985
MD5 hash: 578ca89033b2f223c5d4ca74e4df561f
humanhash: hot-mobile-low-nevada
File name:hydroneer-build-Zck7TKVtpaVL.exe
Download: download sample
File size:5'678'593 bytes
First seen:2023-08-22 12:02:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e92b45c54aa05ec107d5ef90662e6b33 (363 x GCleaner, 38 x Socks5Systemz, 3 x Backdoor.TeamViewer)
ssdeep 98304:KiqIfLwU9FcfbE/98lDxNw1vB7B2Eaj8vDPb58JYGUXHCzG3eXY3XkvjSsxQsoHK:fqIfLwU9FcfK6NNw1v9LbWJqizG3eo3q
Threatray 791 similar samples on MalwareBazaar
TLSH T1EF463330E459CCF4F9298D3CEB1DCC24C176643E0CB9B5AAA99E2B7BBF22419C811557
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter smica83
Tags:exe HUN

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hydroneer-build-Zck7TKVtpaVL.exe
Verdict:
Malicious activity
Analysis date:
2023-08-22 12:05:47 UTC
Tags:
adware DownloadAssistant
Link:
https://app.any.run/tasks/07913cba-33cd-4a30-b423-8621b060c5aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444145/
Detection(s):
PUA.Win.Packer.Overlay-1
Create hunting rule

SecuriteInfo.com.Downloader.Generic7.ITV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Modifying a system file
Launching a process
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108292/overview
Behaviour
MalwareBazaar
CheckCmdLine
Gathering data
Verdict:
Malicious
Labled as:
Trojan/Malware
Link:
https://www.hybrid-analysis.com/sample/9acefbb6638612b03847da2c1652e3a1aae9d677b22f5c5d0e43022d8d08c6bb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a6d5bcb-af6c-48e7-8a02-7bb8d6a16e90
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1295127
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1295127 Sample: hydroneer-build-Zck7TKVtpaVL.exe Startdate: 22/08/2023 Architecture: WINDOWS Score: 72 54 Multi AV Scanner detection for submitted file 2->54 56 Detected unpacking (changes PE section rights) 2->56 58 Detected unpacking (overwrites its own PE header) 2->58 60 Machine Learning detection for dropped file 2->60 8 hydroneer-build-Zck7TKVtpaVL.exe 2 2->8         started        process3 file4 42 C:\Users\user\AppData\Local\...\is-ME1ER.tmp, PE32 8->42 dropped 11 is-ME1ER.tmp 12 87 8->11         started        process5 file6 44 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 11->44 dropped 46 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 11->46 dropped 48 C:\...\unins000.exe (copy), PE32 11->48 dropped 50 39 other files (26 malicious) 11->50 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 11->62 15 SubtitleExtractor.exe 11->15         started        18 SubtitleExtractor.exe 1 11->18         started        20 net.exe 1 11->20         started        22 2 other processes 11->22 signatures7 process8 dnsIp9 52 millionjobs.works 172.67.186.89, 49710, 49715, 80 CLOUDFLARENETUS United States 15->52 40 8 other processes 15->40 24 WerFault.exe 9 18->24         started        26 WerFault.exe 20 9 18->26         started        28 WerFault.exe 9 18->28         started        30 WerFault.exe 18->30         started        32 conhost.exe 20->32         started        34 net1.exe 1 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 22->38         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9acefbb6638612b03847da2c1652e3a1aae9d677b22f5c5d0e43022d8d08c6bb/
Threat name:
Win32.Trojan.Synder
Create hunting rule
Status:
Malicious
First seen:
2023-08-22 12:02:30 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
10 of 23 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tlhpxntdqyjlaoch3iwbmuxdugvotvtxwixvyxioimbc3diiy25q._file
Verdict:
malicious
Similar samples:
708d6fa8d0f5cb40efb1f7bd168cdc52737d99e3fdd17d6cb9d14dfc8da59deb
751bac1e9305d5ee6fa68f8e1c9cc23775062207c92fd5bf595a09ceea1aa2a0
8ed637482a01e981c9cb40a2cfb9e33b46a14339e128191359b2844de410b3d8
9208e906eeb23ee392919954cc64260ccb3e57160fb720a13524821c4e09f5e2
9258e73ead7e385de4fb9b51981c7f6cfe643b949483702a54454cb20d39a36a
e5447818976ad7af2ae55ccee4baab64d2a76ce8bcd43654ca8361dc19c91ad4
+ 781 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230822-n7116ade7v/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
830b44faed20258ecf40cf34a483739d46bd52a0b254a0dbf3f354bbc4137a17
MD5 hash:
9ed6b204bcb7a475668be7fa0471bda1
SHA1 hash:
9efcfda8a332e0c6be9518a3f5e108ec2e76050a
Link:
https://www.unpac.me/results/63223c90-cb17-4996-b51d-f1bc89748f59/
SH256 hash:
f024705c33d55247378f63f1b6e14ec8bfff3c9b46ce867e14ef60f1c187a9d1
MD5 hash:
6ee10f5b87c6710fa4df71cae219e3bc
SHA1 hash:
619b646df2c7115574c7729093020ba81d3348f7
Link:
https://www.unpac.me/results/63223c90-cb17-4996-b51d-f1bc89748f59/
SH256 hash:
8a1cf532f7392eef1b97503e6cfad6e1e89cee7934f9a27e3f187d2dfcfa86c0
MD5 hash:
d53e2d1c2ec92598ac6eff578bcd5e97
SHA1 hash:
c8db9a3d021c459c03fc039454dfaf97ac79bb3f
Link:
https://www.unpac.me/results/63223c90-cb17-4996-b51d-f1bc89748f59/
SH256 hash:
9acefbb6638612b03847da2c1652e3a1aae9d677b22f5c5d0e43022d8d08c6bb
MD5 hash:
578ca89033b2f223c5d4ca74e4df561f
SHA1 hash:
31e6be8418af94b99b1773d9703e287008c24985
Link:
https://www.unpac.me/results/63223c90-cb17-4996-b51d-f1bc89748f59/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9acefbb66386/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9acefbb6638612b03847da2c1652e3a1aae9d677b22f5c5d0e43022d8d08c6bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SR_APT_DustSquad_PE_Nov19
Create hunting rule
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444145/

Comments