MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a64edb19e71549fb9248b27b58f911a4a1e8cd8b8e4adff93ecfb7e15a3cdad7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a64edb19e71549fb9248b27b58f911a4a1e8cd8b8e4adff93ecfb7e15a3cdad7
SHA3-384 hash: 3ff4cd961499cb8c891db06332a6ab0aae0cbad3ed5c7397aa5ec66b22a3469947b29aef8b5978cec5e57d06400425a4
SHA1 hash: e6da7d600eac4f5cf517d0ee5ba103ffbc7ba660
MD5 hash: d497e0332e88341bd5ddbaa326cab977
humanhash: jig-april-victor-social
File name:EZUpdate.exe
Download: download sample
File size:1'193'440 bytes
First seen:2020-10-25 10:38:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep 24576:w2O/GlJWlc3iY587dtvUu1FGVb1vEpvI9ZRiL9:wGiYWJdUu1Fon96L9
Threatray 30 similar samples on MalwareBazaar
TLSH DF45AEDDD33406FCD6365131F97A35D66804B820BA6F16E8EE453D0825B7AA3231F98E
Reporter James_inthe_box
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/75679/
Detection(s):
SecuriteInfo.com.FakeAV.AOMC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Sending a UDP request
Launching a process
Moving a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/509511
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303875 Sample: EZUpdate.exe Startdate: 25/10/2020 Architecture: WINDOWS Score: 80 26 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->26 28 Multi AV Scanner detection for dropped file 2->28 30 Sigma detected: Scheduled temp file as task from temp location 2->30 32 3 other signatures 2->32 8 EZUpdate.exe 12 2->8         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\...\d948, PE32 8->20 dropped 22 C:\Users\user\AppData\Local\...\conf3234.dll, PE32 8->22 dropped 11 rundll32.exe 1 2 8->11         started        process5 file6 24 C:\Users\user\AppData\Local\...\sduchxll.tmp, XML 11->24 dropped 14 cmd.exe 1 11->14         started        process7 process8 16 conhost.exe 14->16         started        18 schtasks.exe 1 14->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a64edb19e71549fb9248b27b58f911a4a1e8cd8b8e4adff93ecfb7e15a3cdad7/
Threat name:
Win32.Trojan.Bluteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-01 01:16:57 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
17a9fa26f553c56d5b03921045d684a49177b8620eb3313dfcf13d269789c4ae
5ee970db11a1dbfeff58b1f1206045d141022d6d396d50ba571910522a2c106d
5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67
6960d585698d0353194d53afa7c6db5a68386fa8855cefefe9a2f4ce1292b5da
702221e0753dc7bdae96ab782721c0e3a58d5d51d15f74af56c662f92f120125
87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71
a3c44389aac31e62cd3267525d4cfebbd65c32fbaec918500b606d67b0ea62d8
a6bf564665f281e7226d137f8da8692436c44edb6ab7881cab31282ffd6649ad
bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8
e3afb8be8f04e148a4214c375eff4817f2afcfcaff0f6a0bf2f5e324d9649b1b
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201025-3p67gfelya/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Loads dropped DLL
Unpacked files
SH256 hash:
a64edb19e71549fb9248b27b58f911a4a1e8cd8b8e4adff93ecfb7e15a3cdad7
MD5 hash:
d497e0332e88341bd5ddbaa326cab977
SHA1 hash:
e6da7d600eac4f5cf517d0ee5ba103ffbc7ba660
Link:
https://www.unpac.me/results/0a5d8612-8d50-4f7d-b3db-34833a8b4e81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a64edb19e71549fb9248b27b58f911a4a1e8cd8b8e4adff93ecfb7e15a3cdad7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/75679/

Comments