MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a19a815334bc102e30d5cb5ea57264a3e9cfccd3dfdc05dddd91a44a5ccdbcd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a19a815334bc102e30d5cb5ea57264a3e9cfccd3dfdc05dddd91a44a5ccdbcd4
SHA3-384 hash: 136d3ce15c2996e2a3d5b554d14fbbdf9db42143c5bc4bc0414dcb3454d0d0c0a5c9934f3e4cbd795b54dd4bffa9a834
SHA1 hash: 475fa22387e3ff8185f7b8571856a2a71990c1ef
MD5 hash: 159d982a1c9f64571b149b57ca358821
humanhash: hotel-hydrogen-twelve-hawaii
File name:MsSpellCheckingFacility.dll
Download: download sample
File size:852'480 bytes
First seen:2024-07-24 02:12:50 UTC
Last seen:2024-07-24 03:17:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 135ca7d06969afcb84fbfaefd128a9d7
ssdeep 24576:35SRiYTVyr3vQZkghvkiMLNMAVlG1tKCH:I8YTtRvkx3A
TLSH T12805E14629A15DE6CE37473450520D26EF703C2B8374E3FF532492F59BAAFC4443AAA9
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter 1ZRR4H
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
343
Origin country :
CL CL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Win64.Krypt.65.15108.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a063306f74caeb2f89a935
Tags:
Generic
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade microsoft_visual_cc
Link:
https://www.filescan.io/uploads/66a0632fdfa8b2fced4db3c9/reports/be261307-bc0a-4933-856c-da138dea88cb/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a19a815334bc102e30d5cb5ea57264a3e9cfccd3dfdc05dddd91a44a5ccdbcd4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/571cf0d3-170b-4b24-8d08-6a13a2d78913
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1479790
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Found direct / indirect Syscall (likely to bypass EDR)
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1479790 Sample: MsSpellCheckingFacility.dll.exe Startdate: 24/07/2024 Architecture: WINDOWS Score: 92 26 d2a2fdiel3bz4e.cloudfront.net 2->26 30 Multi AV Scanner detection for submitted file 2->30 32 Sigma detected: Potentially Suspicious Child Process Of Regsvr32 2->32 34 AI detected suspicious sample 2->34 8 loaddll64.exe 1 2->8         started        signatures3 process4 signatures5 50 Changes memory attributes in foreign processes to executable or writable 8->50 52 Injects code into the Windows Explorer (explorer.exe) 8->52 54 Writes to foreign memory regions 8->54 56 2 other signatures 8->56 11 regsvr32.exe 8->11         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 8->16         started        18 3 other processes 8->18 process6 signatures7 58 Changes memory attributes in foreign processes to executable or writable 11->58 60 Injects code into the Windows Explorer (explorer.exe) 11->60 62 Writes to foreign memory regions 11->62 20 explorer.exe 40 7 11->20 injected 24 rundll32.exe 14->24         started        64 Allocates memory in foreign processes 16->64 process8 dnsIp9 28 d2a2fdiel3bz4e.cloudfront.net 18.245.62.95, 443, 49730, 49731 AMAZON-02US United States 20->28 36 System process connects to network (likely due to code injection or exploit) 20->36 38 Sets debug register (to hijack the execution of another thread) 20->38 40 Modifies the context of a thread in another process (thread injection) 20->40 42 Changes memory attributes in foreign processes to executable or writable 24->42 44 Injects code into the Windows Explorer (explorer.exe) 24->44 46 Writes to foreign memory regions 24->46 48 Allocates memory in foreign processes 24->48 signatures10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a19a815334bc102e30d5cb5ea57264a3e9cfccd3dfdc05dddd91a44a5ccdbcd4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a19a815334bc102e30d5cb5ea57264a3e9cfccd3dfdc05dddd91a44a5ccdbcd4/
Threat name:
Win64.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 02:13:06 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugnicuzuxqic4mgvznpkk4teupu47tgt37oalxo5sgseuxgnxtka._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/240724-cneg9sseln/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates connected drives
Boot or Logon Autostart Execution: Active Setup
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/48a7d21c-8eec-44a9-9525-5f8f9bd824db
Unpacked files
SH256 hash:
a19a815334bc102e30d5cb5ea57264a3e9cfccd3dfdc05dddd91a44a5ccdbcd4
MD5 hash:
159d982a1c9f64571b149b57ca358821
SHA1 hash:
475fa22387e3ff8185f7b8571856a2a71990c1ef
Link:
https://www.unpac.me/results/f38cf6fc-0b3d-4a36-a19b-5aa41c13506b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments