MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9
SHA256 hash: a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d
SHA3-384 hash: 94aaecca9c29ba25775b1b21eb6c99a6a17965e1d1bbddecde4ae258a32a0d26c6975b80c55e2814fd2cb6b1ab52ec28
SHA1 hash: 05c5b77be77902569dcb54d3c63af683fe23804d
MD5 hash: 7e7fdba873e8ebc6200a15c48736b4fe
humanhash: skylark-enemy-tango-king
File name: 7e7fdba873e8ebc6200a15c48736b4fe.exe
File size: 299'008 bytes
First seen: 2022-01-01 17:51:00 UTC
Last seen: 2022-01-01 19:37:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b0970b24479b7204f8a08125c90d8d3d
ssdeep: 3072:nc8eBeFV6T8qf8eZLzZ2DnFhGQkFOttS6:c8rVC8eNZ2lmO3D
Threatray: 388 similar samples on MalwareBazaar
TLSH: T1F154B4D662D08C96D519413A88E18D30E73FEFAD072DD2E72A81131BC65BE993C3592F
dhash icon: 71d8265b7b5b328e
Reporter: abuse_ch
Tags: exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 218
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7e7fdba873e8ebc6200a15c48736b4fe.exe
Verdict: No threats detected
Analysis date: 2022-01-01 17:55:41 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating synchronization primitives
Sending an HTTP GET request
DNS request
Creating a process from a recently created file
Creating a window
Using the Windows Management Instrumentation requests
Creating a file

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
LanguageCheck
CheckNumberOfProcessor
CheckCmdLine

Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Encrypted powershell cmdline option found
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Potential dropper URLs found in powershell memory
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses cmd line tools excessively to alter registry or file data
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph ID: 546972 (Sample: RvJzWm3dK4.exe, Startdate: 01/01/2022, Architecture: WINDOWS, Score: 100)

Process tree recovered from the graph. Indentation shows the parent process; [net] marks a contacted IP or domain, [drop] a written file, [sig] a triggered signature.

Start
  [net] yur0ive64pfs.xyz
  [net] raw.githubusercontent.com
  [net] 8 other IPs or domains
  [sig] Antivirus detection for dropped file
  [sig] Multi AV Scanner detection for submitted file
  [sig] .NET source code references suspicious native API functions
  [sig] 8 other signatures
  RvJzWm3dK4.exe
    [drop] C:\Users\user\AppData\Local\...\44M4H9V9.bat (ASCII)
    cmd.exe
      [sig] Wscript starts Powershell (via cmd or directly)
      [sig] Encrypted powershell cmdline option found
      [sig] Adds a new user with administrator rights
      conhost.exe
      powershell.exe
        [net] 192.153.57.215, 49783, 80 (OARNET-ASUS, United States)
        [drop] C:\Users\user\AppData\Local\Temp\start.vbs (Little-endian)
        [sig] Uses cmd line tools excessively to alter registry or file data
        [sig] Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
        [sig] Powershell drops PE file
        wscript.exe
          [sig] Wscript starts Powershell (via cmd or directly)
          [sig] Bypasses PowerShell execution policy
          [sig] Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
          powershell.exe
            [drop] C:\Windows\Branding\mediasvc.png (PE32+)
            [drop] C:\Windows\Branding\mediasrv.png (PE32+)
            [sig] Uses cmd line tools excessively to alter registry or file data
            reg.exe
              [sig] Creates a Windows Service pointing to an executable in C:\Windows
            cmd.exe
              cmd.exe
                net.exe
                  net1.exe
            cmd.exe
              cmd.exe
                net.exe
                  net1.exe
            9 other processes
              [drop] C:\Users\user\AppData\Local\...\5wrvguln.dll (PE32)
              [drop] C:\Users\user\AppData\Local\...\20vlvxxs.dll (PE32)
              cvtres.exe
              cvtres.exe
              conhost.exe
              3 other processes
  cmd.exe
    [sig] Adds a new user with administrator rights
    net.exe
      net1.exe
    conhost.exe
  cmd.exe
    net.exe
      net1.exe
    conhost.exe
  5 other processes
    net.exe
      net1.exe
    net.exe
      net1.exe
    net.exe
      net1.exe
    5 other processes
Threat name: Win64.Trojan.Midie
Status: Malicious
First seen: 2022-01-01 17:51:12 UTC
File Type: PE+ (Exe)
Extracted files: 12
AV detection: 15 of 28 (53.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request

Unpacked files
SHA256 hash: a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d
MD5 hash: 7e7fdba873e8ebc6200a15c48736b4fe
SHA1 hash: 05c5b77be77902569dcb54d3c63af683fe23804d

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Executable exe a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d (this sample)
  Delivery method: Distributed via web download