MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279
SHA3-384 hash: 8baec05d12ebe4b7e5b520f1236ffe680ad46f69166dc4d0d462f5b12a60b655329b014d80c93b0af3ee9628803d54d0
SHA1 hash: 38f56daaa3dc98c233c1abcce1a5a864a49da66b
MD5 hash: 3b21c52f7bf1f84b356020af8c9b3c45
humanhash: pizza-single-illinois-yellow
File name:chrome.exe
Download: download sample
File size:742'400 bytes
First seen:2022-10-24 12:01:20 UTC
Last seen:2022-10-24 13:21:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 79b3362178937bf9559741c46bb9e035 (18 x LaplasClipper, 9 x RaccoonStealer, 8 x ArkeiStealer)
ssdeep 12288:z3g7N8dPwA7+hGG0+62Aw3CtJsZQ1qRXs2J2Jc/kXRl0xy:8J8dtiwH2Aw3CknXspJc8X70xy
Threatray 5 similar samples on MalwareBazaar
TLSH T11CF4DF52F259DE9AD2438034D41BC2F00266BCBDD217862735D6BF1B3AF23C5119BB9A
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 68d4aa888c8ac460 (2 x AgentTesla, 2 x SnakeKeylogger, 2 x AsyncRAT)
Reporter JAMESWT_WT
Tags:drop after exec exe github-com-Crac1Ma1ker

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
test.7z
Verdict:
Malicious activity
Analysis date:
2022-10-24 11:50:35 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/fd4e4f3d-23ed-4b3f-baee-b61936ffd8e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323365/
Detection(s):
SecuriteInfo.com.Adware.004c74291.19391.7112.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Launching a process
Creating a file in the Windows directory
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Forced shutdown of a system process
Launching the process to change the firewall settings
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0fe672f9-e837-4fb9-9271-7d0c86d923d8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096478
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729121 Sample: chrome.exe Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 74 Multi AV Scanner detection for submitted file 2->74 76 Machine Learning detection for sample 2->76 8 chrome.exe 1 2->8         started        12 chrome.exe 2->12         started        14 chrome.exe 2->14         started        process3 file4 60 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 8->60 dropped 78 Detected unpacking (changes PE section rights) 8->78 80 Contains functionality to inject code into remote processes 8->80 82 Uses schtasks.exe or at.exe to add and modify task schedules 8->82 16 GoogleUpdate.exe 12 8->16         started        20 powershell.exe 21 8->20         started        22 schtasks.exe 1 8->22         started        24 schtasks.exe 1 8->24         started        84 Drops executables to the windows directory (C:\Windows) and starts them 12->84 86 Writes to foreign memory regions 12->86 88 Allocates memory in foreign processes 12->88 26 powershell.exe 18 12->26         started        28 schtasks.exe 1 12->28         started        32 2 other processes 12->32 90 Adds a directory exclusion to Windows Defender 14->90 92 Sample uses process hollowing technique 14->92 94 Injects a PE file into a foreign processes 14->94 30 powershell.exe 19 14->30         started        34 3 other processes 14->34 signatures5 process6 dnsIp7 62 api.peer2profit.com 172.66.43.60, 443, 49698, 49699 CLOUDFLARENETUS United States 16->62 64 162.19.175.162, 443, 49700, 49701 CENTURYLINK-US-LEGACY-QWESTUS United States 16->64 66 Detected unpacking (changes PE section rights) 16->66 68 Detected unpacking (overwrites its own PE header) 16->68 70 Uses netsh to modify the Windows network and firewall settings 16->70 72 Modifies the windows firewall 16->72 50 3 other processes 16->50 36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        52 2 other processes 34->52 signatures8 process9 process10 54 conhost.exe 50->54         started        56 conhost.exe 50->56         started        58 conhost.exe 50->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-24 10:44:20 UTC
File Type:
PE (Exe)
Extracted files:
231
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3gl5gmsfcuo6nsehmzbk44glxpu3leb4iffq3ljjwfc75edoj4q._file
Verdict:
malicious
Similar samples:
99e69a8f20885bef44503976b29f58ae65f5737bf2948da5d04fd873c70634a6
9b9218d3692f38654cde45d5a9b01a6d5cb83aa5442c286fc4e073a6348e08d1
c4758d6e6dc8ddef0f36e438329c3dfb9892848d5e48dd929223327838882504
d0c571182eb67023db9b2f8c440dfc76488b23ea51819de40bbeca16fbb9322e
e8f0dd4a951cb42729e34171301bf46bd708a8c1c1c0b5b7daf2ed9036b97cca
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/221024-n7fp8agedr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
61fb93abda0f7b5c22c30f3bc0407f58e922808431ef0a7f32b91340d1195f4f
MD5 hash:
c03b0a9f47fedfbbe6b7fc4485179cab
SHA1 hash:
5aa9cc3856930b877a4a029802270b9fbb794d91
Link:
https://www.unpac.me/results/71ee109d-549f-4f17-b915-7ae76a496616/
SH256 hash:
447a952d7faca92bad7622458ce5842828e0b49ea6a2d8483722858ddc056091
MD5 hash:
a18ca6935e0425309a14b7ce5ba084be
SHA1 hash:
7a17ba85c51ad03736a7b441dd5ce81435d700b3
Link:
https://www.unpac.me/results/71ee109d-549f-4f17-b915-7ae76a496616/
SH256 hash:
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279
MD5 hash:
3b21c52f7bf1f84b356020af8c9b3c45
SHA1 hash:
38f56daaa3dc98c233c1abcce1a5a864a49da66b
Link:
https://www.unpac.me/results/71ee109d-549f-4f17-b915-7ae76a496616/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2382151/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/323365/

Comments