MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a65a1e352683e6567ce28623fee75c48d5b9b62f33e5af9b3f9372de2df5d6f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 11
| SHA256 hash: | a65a1e352683e6567ce28623fee75c48d5b9b62f33e5af9b3f9372de2df5d6f1 |
|---|---|
| SHA3-384 hash: | adf6658cc8e71a501589be2fe09da7f7f2724945b61509ddc52a27a7f0b59662a46f81b5694f24a005b3b6061ce367c9 |
| SHA1 hash: | 800150cae4b49a6d76b6769789d17166f7398116 |
| MD5 hash: | 50c49646b874ece55c1e614250202db4 |
| humanhash: | seven-early-blossom-zulu |
| File name: | a65a1e352683e6567ce28623fee75c48d5b9b62f33e5af9b3f9372de2df5d6f1.exe |
| Download: | download sample |
| File size: | 11'219'960 bytes |
| First seen: | 2023-03-30 14:05:25 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader) |
| ssdeep | 196608:mlnp060SgEhXHyrWvhLz+RuddiQV9mTZoScJB0K47GigYfCITFwNHsE4CSF1E1q:mlm8XyrwvEK9mlonz0x7GMfJwNHsPo1q |
| TLSH | T1B6B6336E4A81C714F4C210FFA259C94F07EF03A4612EAA27F73736BE27615C19C36269 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | f0d2e6ce88ccc6c4 |
| Reporter |  0x746f6d6669 |
| Tags: | exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a65a1e352683e6567ce28623fee75c48d5b9b62f33e5af9b3f9372de2df5d6f1.exe
Verdict:
Malicious activity
Analysis date:
2023-03-30 14:08:47 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Launching a process
Searching for the window
Using the Windows Management Instrumentation requests
Moving a recently created file
Creating a window
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
clipbanker overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Result
Threat name:
Keyzetsu Clipper, Xmrig
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad.mine
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Creates files in the system32 config directory
Creates processes via WMI
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Very long command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Keyzetsu Clipper
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Generic
Status:
Suspicious
First seen:
2023-03-27 00:02:09 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
21 of 37 (56.76%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Result
Malware family:
n/a
Score:
10/10
Tags:
evasion persistence
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Stops running service(s)
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
13e88f56601af4508d848e1965b949bf173e11f31db439cac8b3e7e33ccd49f1
MD5 hash:
2b9437a647cb2a6e258ca447e9581e04
SHA1 hash:
dbc30c6045bc40489e6d305a186b4bf7a4d539b0
SH256 hash:
971eb647606b25c1c94ffc696c4b0ee05ed7fb9effdb1683b7e11330e8ff2d78
MD5 hash:
e7497db725ae67c6c124f4b3bc712076
SHA1 hash:
d173ef5ce13da75a8a7ba20b0edc1c8665803d26
SH256 hash:
222ea8892ddaf8ba0869f298d71b5b79ed14767a5502347e83d2d9592df8036d
MD5 hash:
785950a750535453f72f18ac6a120ddf
SHA1 hash:
cca4044bac202355bb7ca13124e411250428bb83
SH256 hash:
4ffe953761f82673a6748f4b5309bdb9e50d84eed1cb62110524a9b3b6e753a9
MD5 hash:
4f5a0c3d5e5de384b2cb69080c9fa4c3
SHA1 hash:
8ccc97c3d7187bf0b924ad6f258479ff64545679
SH256 hash:
e38d15e9d8b1fc91b75471bd8a34b5deb570d948b16e7be417e1d344148a3740
MD5 hash:
6fd193dff4ee0ab815331cd4cddf7e75
SHA1 hash:
799df5e83aec5c1aec20dec3d9567e560e4ff250
SH256 hash:
ba36587fbda534e6784890683ddb9c8e21a65573099cfe1e0082c7136a592d0d
MD5 hash:
a6424598c755a09a64765e7e3819ecee
SHA1 hash:
723f89b6c7d7d33fe680d1c377dcce414ea8bc03
SH256 hash:
2bc769b92ac5bdcb7c5a4aa8fe77890f969e71c7b20d79da54b3ee86d19498c4
MD5 hash:
095a6700d87ea01bbb90e9cb2f35017e
SHA1 hash:
6d5d814bd532621f7ded4b61b7df18fc66bec79b
SH256 hash:
721e79c16bd97f94d4e3d92fd24b0d958ce85c0234118eaee1ac7e8864368823
MD5 hash:
f92719c763778c362ece5f55647e0592
SHA1 hash:
6d017cf2478314fc8b861283f3e60e8b2c6b9015
SH256 hash:
dc2056c7c9a9147679072836b79d76bc5bf8e76ef9464d4adce9ad102dccff82
MD5 hash:
15c1173b76500d950802f6f7d9333fd0
SHA1 hash:
6721875eaa509f50bcfc2aea62269bf56cdd37a0
SH256 hash:
65f808262fe8f4bba813defc5c85eb09902478bcfa8884a09f0e494796e5003d
MD5 hash:
3ecca86b8802d7a0dd63f92c4ae7dbff
SHA1 hash:
5df1a063c8d771f60aa2f194d36cc2a06ebc121f
SH256 hash:
7dabc2974ddd9419170ef802f3b8fbe28720a6c1eccc19fff136cbbeec10b819
MD5 hash:
3fc3c07d402f7c6f4ff3fda837917931
SHA1 hash:
4de4c8c1883f9e0f32f2bfec8da07305a13843a1
SH256 hash:
d2abfd848708cb77a5c1dd8cbc045f1a55c7b266cb5eef55c9b1be5c6ac395c9
MD5 hash:
28f7c7639e3a452ed4b545f66823b970
SHA1 hash:
4665ca696ab349d3ee669186e10d89877348c95b
SH256 hash:
f5ad0935a5433fbbc358c704f451103f7ec689350bb0c83bba1a5579a0f07564
MD5 hash:
8e6e1c17105e5ed411504391629f5981
SHA1 hash:
3bcae0dfa7e6b39be12ce65ff4a7c75437203b53
SH256 hash:
ea9f994417590f20d1183e279f95834102bb2f2fb471b260e436c098e482040b
MD5 hash:
abc69f6cffcce05b4d5d436bf4069aa4
SHA1 hash:
3457a4101993f446f78be9a71d8004af2e8d34b7
SH256 hash:
9a41e47e1cdb29e84858fd8af5195b8ec24ba55d0f6733ae6cb75a0f87ae915c
MD5 hash:
9aa0b9f52b9f3ef5d824b4ad82c23bbf
SHA1 hash:
311273d480f0b05579e81822ab227b78b7474f44
SH256 hash:
a03450c0bf1d6111d601c4571ecc7a3b33007d889986f83dadce92b37403e91a
MD5 hash:
3887fb5b009f669ebf5a9f4fc5934b10
SHA1 hash:
14a9e154ac485c742903a20094fe95ac9c6985de
SH256 hash:
419e8ea244840a649e6c323765a20a7b9d5f3b2a5dc3cfc42c39acdd961e60a6
MD5 hash:
b6238246f1da39332b2de42d65f77f30
SHA1 hash:
f06af3f04f2c2e2aac0d4a081469c7dc00526463
SH256 hash:
837f8c3011299ab6ad08300dd6cbf080e21dea37afaa979a831c66e184d53655
MD5 hash:
75b77f3047062ec116a5f31e04c68771
SHA1 hash:
d1d5114005c08646b88f014c0cde7267c0fc6050
SH256 hash:
e31f899684498d0505ebaae6012ba0490a50652dd78358fa9429234d59e049fd
MD5 hash:
f79434ef6324d965be813da53158ff01
SHA1 hash:
59e573ddf77c115d544ff63a90105aff2237aa38
SH256 hash:
4ae8e02bdba9d71ed91365bb7d5001499bd2456cc45018ef24e8f99b58e1d9cc
MD5 hash:
0090d4c0a3306048cf260df8a9f65d26
SHA1 hash:
fec8390d003bf052cab1642591dd0a4be72c7115
SH256 hash:
30efc690fd54780d68ee096806c75cbc74dc78a0514006d444998c7b753af9e7
MD5 hash:
519e1dd3eecc576f33ba272ff2ec3632
SHA1 hash:
81dfe563d347033343728aee43c219f1dcde5554
SH256 hash:
c6a4cb96631881013cc1fed15c113bf7292c97e351b6534327e41348dc34928d
MD5 hash:
e41f3939f75eb3a7bbf911dabc1b1e07
SHA1 hash:
136cb06da16f64065d5ea3188c27bf2b1771e0ef
SH256 hash:
4611faabac6c9783973880235c0428c8b68e38128c778f9440c9b8506e96af88
MD5 hash:
172d80c0b8ad4fc852f4758a7d995f39
SHA1 hash:
81051ea52e475a0cec971746d3f9c1750d0adb71
SH256 hash:
a65a1e352683e6567ce28623fee75c48d5b9b62f33e5af9b3f9372de2df5d6f1
MD5 hash:
50c49646b874ece55c1e614250202db4
SHA1 hash:
800150cae4b49a6d76b6769789d17166f7398116
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). |
| Rule name: | cobalt_strike_tmp01925d3f |
|---|---|
| Author: | The DFIR Report |
| Description: | files - file ~tmp01925d3f.exe |
| Reference: | https://thedfirreport.com |
| Rule name: | pdb_YARAify |
|---|---|
| Author: | @wowabiy314 |
| Description: | PDB |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.