MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a62d084b20038628de0a95906a8e9fed08ef5d345de795bc438eaeacbd6123af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PoisonIvy


Vendor detections: 13



SHA256 hash: a62d084b20038628de0a95906a8e9fed08ef5d345de795bc438eaeacbd6123af
SHA3-384 hash: cb1121ae7c547ce92e74de41934c42f6bd394c169b29ca65a3c32295919f4a0cc7049098afdfecc01a21458aaee21b8f
SHA1 hash: 76be1b09a5e382e1f4eba7986d00e7407811cda7
MD5 hash: c616002f3cce0fd52d6ead8621a9f1f1
humanhash: finch-five-butter-november
File name: a62d084b20038628de0a95906a8e9fed08ef5d345de795bc438eaeacbd6123af
Signature: PoisonIvy
File size: 2'290'878 bytes
First seen: 2022-10-03 12:21:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (390 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 49152:WBXUfWcKn0q+ZMEqSkn8/Vw15W78PThyLIfUhBcLG6FritD49e2R1rGovy:IkWcKn0qYMNMtq5WGU8CcNsv2jTy
Threatray 33 similar samples on MalwareBazaar
TLSH T119B5220F75D4C932C066397273E9AAE55F2FAA101A6D8BCE73810D2DEB27DC09731616
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon b0aab23296cce0f8 (1 x PoisonIvy)
Reporter JAMESWT_WT
Tags: exe PoisonIvy

Intelligence


File Origin
# of uploads: 1
# of downloads: 311
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a62d084b20038628de0a95906a8e9fed08ef5d345de795bc438eaeacbd6123af.exe
Verdict: Malicious activity
Analysis date: 2022-10-03 13:26:21 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 80%
Tags: anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Poisonivy
Detection: malicious
Classification: troj
Score: 44 / 100
Signature
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Poisonivy
Behaviour
Behavior Graph:
Behavior Graph ID: 714999
Sample: s4y9hhQwWm.exe
Start date: 03/10/2022
Architecture: WINDOWS
Score: 44
Network: graduate.kozow.com; 192.168.2.1 port 1080 (unknown unknown), both contacted by MSBlueTooth.exe
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected Poisonivy
Process tree (dropped files and signatures are listed under the process they belong to):
s4y9hhQwWm.exe (started)
    dropped: C:\ProgramData\WebComponents.exe (PE32); C:\ProgramData\BsTool.exe (PE32)
    WebComponents.exe (started)
        dropped: C:\Users\user\AppData\...\WebComponents.tmp (PE32)
        signature: Obfuscated command line found
        WebComponents.tmp (started)
            dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32); C:\...\unins000.exe (copy) (PE32); 18 other files (15 malicious)
            regsvr32.exe (started)
    BsTool.exe (started)
        dropped: C:\ProgramData\MsBlueTooth\MSBlueTooth.exe (PE32); C:\ProgramData\MsBlueTooth\LBTServ.dll (PE32)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Submitted sample is a known malware sample
        cmd.exe (started)
            signature: Uses schtasks.exe or at.exe to add and modify task schedules
            conhost.exe (started)
            schtasks.exe (started)
        cmd.exe (started)
            conhost.exe (started)
            schtasks.exe (started)
MSBlueTooth.exe (started)
    network: 192.168.2.1 port 1080 (unknown unknown); graduate.kozow.com
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-09-29 10:26:47 UTC
File Type: PE (Exe)
Extracted files: 78
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 232eb1614f15071b7fb0a8496e5e99765d97c100883b3bf3fb756b3f19711ea7
MD5 hash: 7332149e1e8f6f9bce87851c6c841fa9
SHA1 hash: 2ed599837e10a8ca023893e77349a1fb15c7393c

SHA256 hash: 5749c8ac72cd636b654971835cad7c96bc0454ebb3d2ac809a0a8ccac035eb6a
MD5 hash: de25753fddbb2eadd5a07776205fe075
SHA1 hash: 7435740c0709d4773c87830a4a32bf76802753cd

SHA256 hash: 4edf56047c6ac53086f43c9c2811309b612061d5329c5b7cad6a86da2366012d
MD5 hash: d1a11ee11c4d984129bcc8a3294376c9
SHA1 hash: 59076b03f8efccdc04dfad0c062170fe4269b180

SHA256 hash: a62d084b20038628de0a95906a8e9fed08ef5d345de795bc438eaeacbd6123af
MD5 hash: c616002f3cce0fd52d6ead8621a9f1f1
SHA1 hash: 76be1b09a5e382e1f4eba7986d00e7407811cda7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: RansomwareTest8
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
