MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a228df5184a2c1a2864e8e7872c2ab98718a287ffea2d6c2c4dd65ba85752692. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a228df5184a2c1a2864e8e7872c2ab98718a287ffea2d6c2c4dd65ba85752692
SHA3-384 hash: ddf270ab4d543e52aad4b7d1c78ed508c382cbf745ce44cfd0a4048a707ff1df7c37d1a68d81c22154c337c9afdb8e3f
SHA1 hash: 742bd1aea5c374b792649217d8a79a8191de2091
MD5 hash: c5d0790f653d7922b4723bdd6737f3a7
humanhash: failed-rugby-two-mango
File name:163.exe
Download: download sample
File size:1'664'512 bytes
First seen:2024-06-29 04:50:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 24576:9nsJ39LyjbJkQFMhmC+6GD9m2ZcyAhzf5dan9Mgifjv4oNfJHy:9nsHyjtk2MYC5GDDg5NgiLPZJS
Threatray 169 similar samples on MalwareBazaar
TLSH T14A75B022F6C280B3C1221A344C7BA7759836BF511F359F8777F8DE1C9E362816926297
TrID 81.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
7.0% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
5.2% (.EXE) InstallShield setup (43053/19/16)
1.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.2% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon 9633c3cc2cce2b9a (3 x BlackMoon, 1 x XWorm, 1 x Neshta)
Reporter mautshim
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
490
Origin country :
ID ID
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

Win.Trojan.Emotet-9850453-0
Create hunting rule

Win.Trojan.Generic-9936029-0
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=667f92f017db6c2841b22e15win10vpnfull_triage
Tags:
Execution Generic Infostealer Network Static Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
DNS request
Connection attempt
Creating a file in the %temp% directory
Sending a custom TCP request
Moving a file to the %temp% directory
Modifying an executable file
Running batch commands
Creating a process with a hidden window
Sending an HTTP GET request
Launching a process
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
borland_delphi cmd dropper evasive fingerprint hacktool keylogger lolbin macros macros-on-close macros-on-open remote shell32
Link:
https://www.filescan.io/uploads/667f92b69fd5f9d59210e968/reports/71be89aa-14e7-43ab-86d0-d0b305eeb1ee/overview
Verdict:
Malicious
Labled as:
Trojan.DarkKomet
Link:
https://www.hybrid-analysis.com/sample/a228df5184a2c1a2864e8e7872c2ab98718a287ffea2d6c2c4dd65ba85752692
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3d172a8-6f02-437f-95bc-007ee69acd41
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1464586
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Gathers network related connection and port information
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses netstat to query active network connections and open ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1464586 Sample: 163.exe Startdate: 29/06/2024 Architecture: WINDOWS Score: 100 51 freedns.afraid.org 2->51 53 xred.mooo.com 2->53 55 6 other IPs or domains 2->55 71 Snort IDS alert for network traffic 2->71 73 Multi AV Scanner detection for domain / URL 2->73 75 Antivirus detection for URL or domain 2->75 79 11 other signatures 2->79 9 163.exe 1 6 2->9         started        12 EXCEL.EXE 180 65 2->12         started        15 Synaptics.exe 2->15         started        signatures3 77 Uses dynamic DNS services 51->77 process4 dnsIp5 35 C:\Users\user\Desktop\._cache_163.exe, PE32 9->35 dropped 37 C:\ProgramData\Synaptics\Synaptics.exe, PE32 9->37 dropped 39 C:\ProgramData\Synaptics\RCXBA55.tmp, PE32 9->39 dropped 41 C:\...\Synaptics.exe:Zone.Identifier, ASCII 9->41 dropped 17 ._cache_163.exe 9->17         started        21 Synaptics.exe 514 9->21         started        57 s-part-0014.t-0009.t-msedge.net 13.107.246.42, 443, 65463, 65464 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->57 file6 process7 dnsIp8 43 smtp163.mail.ntes53.netease.com 103.129.252.45, 25 NETEASE-AS-APNETEASEHONGKONGLIMITEDHK Hong Kong 17->43 59 Multi AV Scanner detection for dropped file 17->59 61 Machine Learning detection for dropped file 17->61 63 Gathers network related connection and port information 17->63 65 Contains functionality to detect sleep reduction / modifications 17->65 24 cmd.exe 1 17->24         started        45 freedns.afraid.org 69.42.215.252, 49714, 80 AWKNET-LLCUS United States 21->45 47 drive.usercontent.google.com 142.250.186.129, 443, 49152, 49159 GOOGLEUS United States 21->47 49 docs.google.com 216.58.206.46, 443, 49154, 49155 GOOGLEUS United States 21->49 33 C:\Users\user\Documents\BJZFPPWAPT\~$cache1, PE32 21->33 dropped 67 Antivirus detection for dropped file 21->67 69 Drops PE files to the document folder of the user 21->69 27 WerFault.exe 21->27         started        file9 signatures10 process11 signatures12 81 Uses netstat to query active network connections and open ports 24->81 83 Gathers network related connection and port information 24->83 29 conhost.exe 24->29         started        31 NETSTAT.EXE 24->31         started        process13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a228df5184a2c1a2864e8e7872c2ab98718a287ffea2d6c2c4dd65ba85752692
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a228df5184a2c1a2864e8e7872c2ab98718a287ffea2d6c2c4dd65ba85752692/
Threat name:
Win32.Trojan.Synaptics
Create hunting rule
Status:
Malicious
First seen:
2024-06-27 16:02:53 UTC
File Type:
PE (Exe)
Extracted files:
116
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uiun6umeula2fbsorz4hfqvltbyyukd772rnnqwe3vs3vblve2ja._file
Verdict:
malicious
Similar samples:
069d0eb7f3e3d5bda86b1b2782d6a0cbf16da50a28b2738c0e91252a3ed34eba
192cc32d2b512627692171a834ddc243f4d2eb6402b301c6ce4f495c08720f98
1c0810c9351e73650066ce431603eb2b586f28ef39cedbe53103e2b3e727840b
23ad77a2be48a81e4460c894c41a35db18308a8f85eb841f5bf7ae99265f7310
62f1922f673fdb34aea18eac783649154f1bdc646410052e3b72c4ebe6c78f37
85789e8cfddea18201a13e3c953229ed1b03db7455208a398bb2268a39258354
c7b06e2840e703c98fbe1fbfd9f33f5478e58840112d85c1e94c27a34474c95f
f080bf1c00fb050cc2a92fb17c08cd22d427782c6f47c532a2462ce3325905f0
fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d
+ 159 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/240629-fgtkdsvalj/
Behaviour
Gathers network information
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a3ed76fd-203e-40e6-95fb-24ee3ead3f66
Unpacked files
SH256 hash:
5d848ee2b1eaecd92b894352b8ae27844337614f6495ece350fcaf46773fb836
MD5 hash:
d58e1c01761c06499e7ce539360a9ec8
SHA1 hash:
27cb599880fa47bfae5db8d141fa2bea0f2a0df3
Link:
https://www.unpac.me/results/1b28b009-c081-4776-9e5b-87ca4f911860/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/1b28b009-c081-4776-9e5b-87ca4f911860/
SH256 hash:
a228df5184a2c1a2864e8e7872c2ab98718a287ffea2d6c2c4dd65ba85752692
MD5 hash:
c5d0790f653d7922b4723bdd6737f3a7
SHA1 hash:
742bd1aea5c374b792649217d8a79a8191de2091
Detections:
mal_xred_backdoor
Create hunting rule
Link:
https://www.unpac.me/results/1b28b009-c081-4776-9e5b-87ca4f911860/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a228df5184a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a228df5184a2c1a2864e8e7872c2ab98718a287ffea2d6c2c4dd65ba85752692

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:D1S1Gv11betaD1N
Create hunting rule
Author:malware-lu
Rule name:Hacktools_CN_Panda_andrew
Create hunting rule
Author:Florian Roth
Description:Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a228df5184a2c1a2864e8e7872c2ab98718a287ffea2d6c2c4dd65ba85752692

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::OpenProcess
kernel32.dll::CloseHandle
wininet.dll::InternetCloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetDriveTypeA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CopyFileA
kernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::CreateFileMappingA
kernel32.dll::DeleteFileA
kernel32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA
advapi32.dll::GetUserNameA
advapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegNotifyChangeKeyValue
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA
WIN_SVC_APICan Manipulate Windows Servicesadvapi32.dll::OpenSCManagerA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments