MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1acbfdb969b2bcae7cee1f6baeb93a66e795cf14afe34afcd74f4d3ab4fd276. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1acbfdb969b2bcae7cee1f6baeb93a66e795cf14afe34afcd74f4d3ab4fd276
SHA3-384 hash: bd0f8168199b7384e668ba76ceef392325c8a839e5db9eb79dc815cfb0bd4db78626e9dd81f387f1bcb4e2b267b933b9
SHA1 hash: 7fd9b8acc4d9add055e034b3ad4781bcd1ec0253
MD5 hash: 5509d072e2aaf44677987a8cfadb566d
humanhash: maryland-harry-muppet-thirteen
File name:173201772712e4bb8ad8eb72a600dac23f23aa360b0be54a87f0a8621109394148b17117c0474.dat-decoded
Download: download sample
File size:136'942 bytes
First seen:2024-11-19 12:02:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bfb29b927a1f40b5aa6bd78bd884cc53
ssdeep 3072:3LVoDvPd+A4WhkhXDl+i1lApwH08TdpIIIIIIIIIIIIIIIII/IIIIIIIIIIIIIIR:ZopGGgbiwU8Je
TLSH T1D5D38F7AF6D1C6B2D46419BC9C46C2E9A476B7302D192867B3F90F0C98BB2C2657D1C3
TrID 34.2% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
22.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win32 Executable (generic) (4504/4/1)
7.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon aab2606469f096b3
Reporter abuse_ch
Tags:base64-decoded exe


Avatar
abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads :
1
# of downloads :
463
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
173201772712e4bb8ad8eb72a600dac23f23aa360b0be54a87f0a8621109394148b17117c0474.dat-decoded
Verdict:
Malicious activity
Analysis date:
2024-11-19 12:04:40 UTC
Tags:
torvil worm
Link:
https://app.any.run/tasks/f709f156-6cd9-4a0d-9885-1802575a7ec5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

PUA.Win.Packer.Aspack-29
Create hunting rule

PUA.Win.Packer.Aspack-30
Create hunting rule

Win.Trojan.JS-37
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673c7fff5107a56eacc7f3f1
Tags:
dropper virus smtp
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the Windows directory
Reading critical registry keys
Creating a process from a recently created file
Creating a process with a hidden window
Creating a service
Launching a service
Searching for synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Enabling autorun for a service
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
borland_delphi explorer fingerprint lolbin overlay packed packed packed packer_detected
Link:
https://www.filescan.io/uploads/673c7e81aec40b7c5c47c91d/reports/67171664-8b6e-4760-a29b-57b3360614e1/overview
Verdict:
Malicious
Labled as:
Worm.Torvil
Link:
https://www.hybrid-analysis.com/sample/a1acbfdb969b2bcae7cee1f6baeb93a66e795cf14afe34afcd74f4d3ab4fd276
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4189c10-dd26-47a9-8da7-bf00558830b4
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1558419
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Disables the Windows registry editor (regedit)
Drops executables to the windows directory (C:\Windows) and starts them
Drops HTML or HTM files to system directories
Drops PE files with benign system names
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1558419 Sample: 173201772712e4bb8ad8eb72a60... Startdate: 19/11/2024 Architecture: WINDOWS Score: 100 66 Antivirus detection for dropped file 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 5 other signatures 2->72 7 173201772712e4bb8ad8eb72a600dac23f23aa360b0be54a87f0a8621109394148b17117c0474.dat-decoded.exe 4 5 2->7         started        11 svchost.exe 2->11         started        13 SMSSkh.exe 22 13 2->13         started        15 3 other processes 2->15 process3 file4 44 C:\Windows\svchost.exe, PE32 7->44 dropped 46 C:\Windows\SMSSkh.exe, PE32 7->46 dropped 48 C:\Windows\svchost.exe:Zone.Identifier, ASCII 7->48 dropped 50 C:\Windows\SMSSkh.exe:Zone.Identifier, ASCII 7->50 dropped 74 Found evasive API chain (may stop execution after checking mutex) 7->74 76 Creates an undocumented autostart registry key 7->76 78 Found API chain indicative of debugger detection 7->78 92 3 other signatures 7->92 17 SMSSkh.exe 1 1 7->17         started        80 Antivirus detection for dropped file 11->80 82 Multi AV Scanner detection for dropped file 11->82 84 Machine Learning detection for dropped file 11->84 20 SMSSkh.exe 11->20         started        22 SMSSkh.exe 11->22         started        24 SMSSkh.exe 11->24         started        52 C:\Windows\message.htm, MIME 13->52 dropped 54 C:\Windows\Temp\grmPVMwt.tMW\message.htm, MIME 13->54 dropped 86 Tries to steal Mail credentials (via file / registry access) 13->86 88 Changes the view of files in windows explorer (hidden files and folders) 13->88 90 Drops HTML or HTM files to system directories 13->90 26 WerFault.exe 21 12 13->26         started        28 SMSSkh.exe 15->28         started        30 SMSSkh.exe 15->30         started        32 WerFault.exe 2 15->32         started        34 SMSSkh.exe 15->34         started        signatures5 process6 signatures7 56 Antivirus detection for dropped file 17->56 58 Multi AV Scanner detection for dropped file 17->58 60 Found evasive API chain (may stop execution after checking mutex) 17->60 64 3 other signatures 17->64 36 SMSSkh.exe 20->36         started        38 SMSSkh.exe 20->38         started        62 Drops executables to the windows directory (C:\Windows) and starts them 28->62 40 SMSSkh.exe 28->40         started        42 SMSSkh.exe 28->42         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a1acbfdb969b2bcae7cee1f6baeb93a66e795cf14afe34afcd74f4d3ab4fd276
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1acbfdb969b2bcae7cee1f6baeb93a66e795cf14afe34afcd74f4d3ab4fd276/
Threat name:
Win32.Worm.Torvil
Create hunting rule
Status:
Malicious
First seen:
2024-11-17 14:16:25 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugwl7w4wtmv4vz6o4h3lv24tuzxhsxhrjl7djl6not2nhk2p2j3a._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion persistence
Link:
https://tria.ge/reports/241119-n71qdswakg/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
Modifies system executable filetype association
Disables RegEdit via registry modification
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Verdict:
Malicious
Tags:
Win.Trojan.JS-37
YARA:
n/a
Link:
https://app.threat.zone/submission/9aa05fd6-a686-4bfb-95c9-fdb3d1dfa11c
Unpacked files
SH256 hash:
a1acbfdb969b2bcae7cee1f6baeb93a66e795cf14afe34afcd74f4d3ab4fd276
MD5 hash:
5509d072e2aaf44677987a8cfadb566d
SHA1 hash:
7fd9b8acc4d9add055e034b3ad4781bcd1ec0253
Link:
https://www.unpac.me/results/c26fb76f-b530-4673-ab1d-f9a09337f865/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1acbfdb969b2bcae7cee1f6baeb93a66e795cf14afe34afcd74f4d3ab4fd276

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 12e4bb8ad8eb72a600dac23f23aa360b0be54a87f0a8621109394148b17117c0

Executable exe a1acbfdb969b2bcae7cee1f6baeb93a66e795cf14afe34afcd74f4d3ab4fd276

(this sample)

  
Dropped by
SHA256 12e4bb8ad8eb72a600dac23f23aa360b0be54a87f0a8621109394148b17117c0
  
Dropped by
MD5 5bd29a809f2395a20ff96e8b874810ec
  
URLhaus
https://urlhaus.abuse.ch/url/3296052/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::GetTokenInformation
SHELL_APIManipulates System Shellshell32.dll::SHFileOperationA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::OpenProcess
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetDriveTypeA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CopyFileA
kernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::CreateFileMappingA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA
advapi32.dll::GetUserNameA
WIN_NETWORK_APISupports Windows Networkingmpr.dll::WNetAddConnection3A
mpr.dll::WNetEnumResourceA
mpr.dll::WNetOpenEnumA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryInfoKeyA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA
WIN_SVC_APICan Manipulate Windows Servicesadvapi32.dll::ControlService
advapi32.dll::OpenSCManagerA
advapi32.dll::OpenServiceA
advapi32.dll::QueryServiceStatus
advapi32.dll::StartServiceA
WIN_USER_APIPerforms GUI Actionsuser32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments