MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a74270fed65ae7392cf3a7e1b808c150bcafede137f3cf005c0440dbea7c3e4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a74270fed65ae7392cf3a7e1b808c150bcafede137f3cf005c0440dbea7c3e4d
SHA3-384 hash: e466905bf4cf362be6e1d9d6e368bb5c12478715dcb10e616c551f23dfa2060e97eadf5a22c378ee2db777edbf57561c
SHA1 hash: f7d28019bd40e23887cf1232309f9ce29b4dbc60
MD5 hash: cd6b29646aa8d82ee74f3bdda005d396
humanhash: echo-red-berlin-chicken
File name:cd6b29646aa8d82ee74f3bdda005d396
Download: download sample
File size:3'013'632 bytes
First seen:2021-11-23 19:35:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 42b27a080e9ee0252f310f33fbc7cafc
ssdeep 49152:YoXRQHTPPBZaVamZkbQ9FPC+oqq1tFiZQlKGTju76E1UCEKG+m+y9DL+:YoXRQzHBZaVazQ9hCAq1HiWTq76m8+m
Threatray 7'491 similar samples on MalwareBazaar
TLSH T1DBD5333F3AFA27D6E21D8FB36D217DE49F146F5964AC2620AE6D130CA01C46F778A501
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cd6b29646aa8d82ee74f3bdda005d396
Verdict:
Suspicious activity
Analysis date:
2021-11-23 19:37:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ca8479ba-b807-48df-8db1-5d95f81591c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/619d42a4b71ceed4152d6718/reports/2d01ab8f-6a35-428d-8f65-970842fca35e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/06e32630-2bfc-45d2-b04d-a818f0cde1f2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894992
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a74270fed65ae7392cf3a7e1b808c150bcafede137f3cf005c0440dbea7c3e4d/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 19:36:22 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
30 of 45 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1f99084d5ea462b4d7bc7d47d3171b20e642dbb511a76bc9dbd22873d7bec667
22ba4262d93379de524029dafc7528e431e56a22cb293af708c671d7db801c31
493c4a7f6cdc0c6b3388b268aa38975c1bb52ea67f6415723a06a14213ee5d14
77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59
879305570a2b3dbe710ddd09445db20a1159696a6c72a503135db8eaef5eecb7
a16870457b27dc28fbe98cf395c127b7884366d9cd244583c226a36e76dee72d
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
df7841fad13bb90a108a0861c92c565ad754528e684600ad07011cd4e83f1a63
+ 7'481 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/211123-ya8pvaecc6/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
b8d3bafa40e9c7346aee1308ba2c89c1a0032e103bed1c55eb51afd8b4abd9b3
MD5 hash:
0af46621c075dd6a159737f8844b53a3
SHA1 hash:
d96e037d53344b9e970ec434fd3d6af88c317e06
Link:
https://www.unpac.me/results/f465dcb6-aecc-4ffa-8a30-fa4457571e61/
SH256 hash:
a74270fed65ae7392cf3a7e1b808c150bcafede137f3cf005c0440dbea7c3e4d
MD5 hash:
cd6b29646aa8d82ee74f3bdda005d396
SHA1 hash:
f7d28019bd40e23887cf1232309f9ce29b4dbc60
Link:
https://www.unpac.me/results/f465dcb6-aecc-4ffa-8a30-fa4457571e61/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a74270fed65ae7392cf3a7e1b808c150bcafede137f3cf005c0440dbea7c3e4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a74270fed65ae7392cf3a7e1b808c150bcafede137f3cf005c0440dbea7c3e4d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1810146/
Cape
Cape
https://www.capesandbox.com/analysis/208788/

Comments