MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a29cba8815bdc0aab28a09cc85a604d0782948c3fb95ee0e2220b1f0b9ea2954. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Cutwail


Vendor detections: 12



SHA256 hash: a29cba8815bdc0aab28a09cc85a604d0782948c3fb95ee0e2220b1f0b9ea2954
SHA3-384 hash: d011aa25af4b24608ab810879b99d96fa4b2096e7dc07d5e29c24018da3d234b73e46f20f7d3829b423f11dc9f1b62db
SHA1 hash: 1be3f0bc23dd82d790cf55bd4c5632351fa8e036
MD5 hash: f35c8b2eaf42000f42de35bb26ea5ada
humanhash: solar-artist-glucose-july
File name: f35c8b2eaf42000f42de35bb26ea5ada
Signature: Cutwail
File size: 741'376 bytes
First seen: 2022-12-04 05:15:46 UTC
Last seen: 2022-12-04 06:27:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 64b505b6e54a008a3856cc909eb7da13 (1 x Cutwail)
ssdeep: 12288:8kzTl3d0xLQK6jvgXpkd9p8ZOtFCdzwbss24eS:Jz5aZEvgXpkd9pW2sd0oae
Threatray: 13 similar samples on MalwareBazaar
TLSH: T1E5F4C0F83E2C6973D82BA375662A335D5CA6B422036BB7DF11711034FC169FB81B0A65
TrID: 51.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  15.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  14.0% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.3% (.EXE) OS/2 Executable (generic) (2029/13)
  6.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: zbetcheckin
Tags: 32 Cutwail exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 219
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: f35c8b2eaf42000f42de35bb26ea5ada
Verdict: Malicious activity
Analysis date: 2022-12-04 05:21:40 UTC
Tags: trojan sinkhole

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signatures:
  Allocates memory in foreign processes
  Antivirus detection for URL or domain
  Drops PE files to the user root directory
  Injects a PE file into a foreign processes
  Machine Learning detection for dropped file
  Machine Learning detection for sample
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Send many emails (e-Mail Spam)
  Snort IDS alert for network traffic
  System process connects to network (likely due to code injection or exploit)
  Tries to resolve many domain names, but no domain seems valid
  Writes to foreign memory regions
Behaviour
Behavior Graph (ID 760044; sample 3ts2As2Bkm.exe; start date 04/12/2022; architecture WINDOWS; score 100). The graph image is not reproduced here; the nodes and edges it contained are summarised below.
  Sample-level network: canmore.com, jsaps.com and 351 other IPs or domains.
  Sample-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 2 other signatures; Tries to resolve many domain names, but no domain seems valid (canmore.com); System process connects to network (likely due to code injection or exploit) (jsaps.com).
  3ts2As2Bkm.exe (started): contacts mackusick.de and 181 other IPs or domains; drops C:\Users\user\pigalicapi.exe (PE32) and C:\Users\...\pigalicapi.exe:Zone.Identifier (ASCII); signatures: Drops PE files to the user root directory; Writes to foreign memory regions; Allocates memory in foreign processes; starts svchost.exe.
  pigalicapi.exe (started, first instance): contacts www.valselit.com, www.tyrns.com and 146 other IPs or domains; signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes; starts svchost.exe.
  pigalicapi.exe (started, second instance): contacts www.wnsavoy.com and 135 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit) (www.wnsavoy.com); starts svchost.exe.
  svchost.exe (started by 3ts2As2Bkm.exe): contacts smtp.mail.global.gm0.yahoodns.net, mail.airmail.net (66.226.70.66, INFB2-ASUS, United States) and smtp.mail.yahoo.com; signatures: System process connects to network (likely due to code injection or exploit); Injects a PE file into a foreign processes; starts four further svchost.exe instances.
  Further svchost.exe instances: fr-dat.com, semuk.com and 129 other IPs or domains (signatures: System process connects to network (likely due to code injection or exploit); Tries to resolve many domain names, but no domain seems valid (fr-dat.com)); 112 other IPs or domains; 110 other IPs or domains; www.muhr-soehne.de and 39 other IPs or domains.
Threat name: Win32.Trojan.Cutwail
Status: Malicious
First seen: 2022-11-23 12:25:17 UTC
File Type: PE (Exe)
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence upx
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
  Adds Run key to start application
  UPX packed file

Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: f812cff25ac78391ad0621231aa8556d459a3cea3205a04b097744f1e0116a60
MD5 hash: ab0fa68fdf4a67b3a404250f073e15ba
SHA1 hash: 7eb499acfbe7a3d4d536ab2de8e95be4d7234bbf

SHA256 hash: d484030ca893d7566258b87b99b89052aaeb83b92d65a2e3673c4bc868a6c518
MD5 hash: ee0854f836f9114ea112fd147c8f5219
SHA1 hash: 4eec6f01dc82d942bc4b44670f7cf6aef81cbf9c
Detections: win_pushdo_auto

SHA256 hash: a29cba8815bdc0aab28a09cc85a604d0782948c3fb95ee0e2220b1f0b9ea2954
MD5 hash: f35c8b2eaf42000f42de35bb26ea5ada
SHA1 hash: 1be3f0bc23dd82d790cf55bd4c5632351fa8e036

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Raspberry_Robin_DLL_MAY_2022
Author: CD_R0M_
Description: Detects DLL dropped by Raspberry Robin.
Reference: https://redcanary.com/blog/raspberry-robin/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Cutwail, Executable exe, a29cba8815bdc0aab28a09cc85a604d0782948c3fb95ee0e2220b1f0b9ea2954 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-12-04 05:15:51 UTC

url: hxxp://h166135.srv12.test-hf.su/1.exe