MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dd2beb7cc84848cd0555fa33febf4d06d7b81e8f6927d0df074cb26559a21e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dd2beb7cc84848cd0555fa33febf4d06d7b81e8f6927d0df074cb26559a21e4
SHA3-384 hash: 64f6b4e6a4f4a914b0ee357f96a68e9085fefc4e9a5fb3ef38531dc91eabb1621e0d23a9bb56871c67840c98cfc30644
SHA1 hash: 3ebb57d920491096906818e6be6c76f16b1bdd07
MD5 hash: a3920cedee2704c0654b894e9cc3eb56
humanhash: apart-michigan-johnny-india
File name:Enemy_Forest.exe
Download: download sample
File size:35'138'560 bytes
First seen:2023-02-25 19:57:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0486e7e054aa57188c99b0f71783b75 (3 x NodeLoader, 2 x LummaStealer, 1 x DiscordTokenStealer)
ssdeep 393216:kQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgS96l+ZArYsFRlmoy:k3on1HvSzxAMNSFZArYsC47SH
Threatray 4 similar samples on MalwareBazaar
TLSH T15F779D03B2A601D5E4B7D1388AA74103D7B2B8674731DACF325D02161FBBAE09A7F765
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter JaffaCakes118
Tags:exe signed

Code Signing Certificate

Organisation:TestCert
Issuer:TestCert
Algorithm:sha1WithRSA
Valid from:2019-12-30T06:22:24Z
Valid to:2039-12-31T23:59:59Z
Serial number: 39059e0ec525d6aa43746a661e974b23
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 495e04d7c5c0f090a9f3a9deaa27859b7108e96e49763787b2bb9c4adf72c654
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Enemy_Forest.exe
Verdict:
No threats detected
Analysis date:
2023-02-25 19:57:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7b71ec74-1aca-4e3f-ba8c-0927b7222e67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug greyware overlay packed
Link:
https://www.filescan.io/uploads/63fa684d2313ffd5d3187378/reports/01b9d512-d891-4a26-9302-d1915bd6e0bf/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9dd2beb7cc84848cd0555fa33febf4d06d7b81e8f6927d0df074cb26559a21e4
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.expl.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1182404
Signature
Found potential ransomware demand text
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 11753 Sample: Enemy_Forest.exe Startdate: 25/02/2023 Architecture: WINDOWS Score: 64 47 cruyff.tk 2->47 51 Snort IDS alert for network traffic 2->51 53 Sigma detected: Dot net compiler compiles file from suspicious location 2->53 55 Found potential ransomware demand text 2->55 9 Enemy_Forest.exe 1 2->9         started        signatures3 process4 dnsIp5 49 cruyff.tk 188.114.97.3, 443, 49868, 49869 CLOUDFLARENETUS European Union 9->49 12 powershell.exe 26 9->12         started        16 cmd.exe 1 9->16         started        18 cmd.exe 1 9->18         started        20 11 other processes 9->20 process6 file7 45 C:\Users\user\AppData\...\3s42u05e.cmdline, Unicode 12->45 dropped 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->57 22 csc.exe 3 12->22         started        25 conhost.exe 16->25         started        27 chcp.com 1 16->27         started        29 conhost.exe 18->29         started        31 findstr.exe 1 18->31         started        33 conhost.exe 20->33         started        35 conhost.exe 20->35         started        37 conhost.exe 20->37         started        39 7 other processes 20->39 signatures8 process9 file10 43 C:\Users\user\AppData\Local\...\3s42u05e.dll, PE32 22->43 dropped 41 cvtres.exe 1 22->41         started        process11
Gathering data
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-25 19:59:06 UTC
File Type:
PE+ (Exe)
Extracted files:
23
AV detection:
3 of 25 (12.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=txjl5n6mqscizucvl6rt727u2bwxxapi62jh2dpqotfsmvm2ehsa._file
Verdict:
unknown
Similar samples:
7b2bcaa3723a8198c9a6f0878b77c7887554079e77e5c9b8f444570be1d744f6
8120be0c1f1898fd6e923efbc135e96c60136219790c0b69714e9d9468906a86
9365c34ac64bccdf316421eb7036d4e8ff8f928161423fae14f1dc5bfda48b66
e2d63f9f87c6a50b4c63d2a4d5620ad81e9438278883f8de7c92ca2204e753bb
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230225-yptjgaeb4v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9dd2beb7cc84848cd0555fa33febf4d06d7b81e8f6927d0df074cb26559a21e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:APT_Bitter_ZxxZ_Downloader
Create hunting rule
Author:SECUINFRA Falcon Team (@SI_FalconTeam)
Description:Detects Bitter (T-APT-17) ZxxZ Downloader
Reference:https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh
Rule name:attack_India
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Mimikatz_Generic
Create hunting rule
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Pkg
Create hunting rule
Author:nwunderly
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9dd2beb7cc84848cd0555fa33febf4d06d7b81e8f6927d0df074cb26559a21e4

(this sample)

  
Delivery method
Distributed via web download

Comments