MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1e4ff4872bf84892104f616bf8e9c294f68559000b21cf1f257dd6611be4c74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1e4ff4872bf84892104f616bf8e9c294f68559000b21cf1f257dd6611be4c74
SHA3-384 hash: 769d1b0a8433485710b1d05b35b91a09d191cd078840c0abc7341c9212622c1c19359b333d9da2a51bfafa152ee742a4
SHA1 hash: 82ff737bf651bf0e42209a00ac5048cceb51529c
MD5 hash: 4740c5f24d23eb1b1f886b4aa708af0a
humanhash: delta-failed-rugby-michigan
File name:file
Download: download sample
File size:6'422'528 bytes
First seen:2022-11-16 21:20:39 UTC
Last seen:2022-11-16 22:45:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29c17aa1f75d5ec7b02c9207993a6c14
ssdeep 98304:Sx+dbd33oSpsJu9oR+bY11UhoIwBOqF85EiqrvBb2s4U5OoNkI9xFvPrBtOsVQa:g+BzpWu891ZDBOr+iqrpbTLp/w
Threatray 29 similar samples on MalwareBazaar
TLSH T199562310B2599966E2139130881BC9F6432B7D7DD74389BB32D9BF4F3AB23D0417BA16
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 68d4aa888c8ac460 (2 x AgentTesla, 2 x SnakeKeylogger, 2 x AsyncRAT)
Reporter jstrosch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-16 21:25:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8ad21039-5685-4e76-bec5-b35981688492

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335079/
Detection(s):
SecuriteInfo.com.Variant.Lazy.260895.20483.26006.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug greyware packed
Link:
https://www.filescan.io/uploads/637554466fda73cab64e1e30/reports/54fe10e9-84b6-410f-9cc8-9c6475c1895d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/70bff006-2902-459a-9425-666a882e6e8c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1115314
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 748011 Sample: file.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic 2->62 64 Antivirus / Scanner detection for submitted sample 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 2 other signatures 2->68 8 file.exe 1 2->8         started        12 file.exe 2->12         started        14 file.exe 2->14         started        process3 file4 46 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 8->46 dropped 70 Encrypted powershell cmdline option found 8->70 72 Drops executables to the windows directory (C:\Windows) and starts them 8->72 74 Uses schtasks.exe or at.exe to add and modify task schedules 8->74 76 4 other signatures 8->76 16 GoogleUpdate.exe 12 8->16         started        20 powershell.exe 21 8->20         started        22 powershell.exe 20 8->22         started        24 2 other processes 8->24 signatures5 process6 dnsIp7 48 api.peer2profit.com 172.66.43.60, 443, 49699, 49701 CLOUDFLARENETUS United States 16->48 50 141.95.93.188, 443, 49700, 49702 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 16->50 52 192.168.2.1 unknown unknown 16->52 54 Detected unpacking (changes PE section rights) 16->54 56 Detected unpacking (overwrites its own PE header) 16->56 58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->58 60 3 other signatures 16->60 26 netsh.exe 3 16->26         started        28 netsh.exe 3 16->28         started        30 netsh.exe 3 16->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        38 conhost.exe 24->38         started        signatures8 process9 process10 40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1e4ff4872bf84892104f616bf8e9c294f68559000b21cf1f257dd6611be4c74/
Threat name:
Win32.Virus.Floxif
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 21:21:50 UTC
File Type:
PE (Exe)
Extracted files:
138
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uhsp6sdsx6cisiie6yll7du4ffhwqvmqaczbz4psk7owmen6jr2a._file
Verdict:
malicious
Similar samples:
050505c077b590adaa0dde0669639616828ffd3e5ced0cba3a94d3c13633195d
086896ba131161dac8f232478d8d9167f33fd81a02271f49fa0a362aa236c8ca
55af8940100b432c2873c1b4ec0068516ec9459ae313fd1d3ac2957ef7abe033
99574d9f64bd750fd89fedefe1dce8bbbd81eeaf740140f7887e92aaf5fea53b
9aabc9de4fbef67b8b8596428afa7dfa2754ac84e492b3d1f0a945b941fbac96
a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e
b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
bee97bf24d36f6b85ab369e34ceb639d703dc61e8e012bbc781d69f1dd695ff0
cffe6e5ff4988a9aa30fcce3f005db402986bf5689516976fca483310265a2a4
f1c1af96a8dfced4f2e4d4fc80e9c65d73a1b52d589d46400acea02a7f9694fa
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion vmprotect
Link:
https://tria.ge/reports/221116-z7a1hsda46/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6ee7ff35-990e-42c7-ba77-d7058c4a909f
Unpacked files
SH256 hash:
a1e4ff4872bf84892104f616bf8e9c294f68559000b21cf1f257dd6611be4c74
MD5 hash:
4740c5f24d23eb1b1f886b4aa708af0a
SHA1 hash:
82ff737bf651bf0e42209a00ac5048cceb51529c
Link:
https://www.unpac.me/results/0414e4e1-3cc2-40b5-8c9a-9c57fe6cb26e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a1e4ff4872bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1e4ff4872bf84892104f616bf8e9c294f68559000b21cf1f257dd6611be4c74

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a1e4ff4872bf84892104f616bf8e9c294f68559000b21cf1f257dd6611be4c74

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/335079/
  
URLhaus
https://urlhaus.abuse.ch/url/2422309/

Comments