MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7cddaab26425d654855f225afae2271c57fb051352a9754c968b57b5fd6579c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7cddaab26425d654855f225afae2271c57fb051352a9754c968b57b5fd6579c
SHA3-384 hash: 5f75d2d43d02285ef727f9b58f55d3a3fe15f0dd7950d74c7a323c243614f349d3bec2e7af34b6ca8ac4bb278563a809
SHA1 hash: 75b6c25584a4e34a926b6c3f5c64aa6975589a4c
MD5 hash: 27be4d1930a01d4a3ddebaa0d179116b
humanhash: five-neptune-may-crazy
File name:27be4d1930a01d4a3ddebaa0d179116b
Download: download sample
File size:3'248'640 bytes
First seen:2023-05-07 22:48:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ecfbe6e42943fae92c4582752c63b2b
ssdeep 49152:3NtxIRIBa3qKcZMBD3TFJP1rXdTl5s6j4dcaXD+jC0Ws:3NXIRYa6KBBrFT4dLatW
TLSH T12BE523C836DDB0B3F65524B80B5BA6BF15B1BE3685104C23BBCE269306B9B4CF251653
TrID 54.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
8.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.8% (.EXE) Win32 Executable (generic) (4505/5/1)
3.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
27be4d1930a01d4a3ddebaa0d179116b
Verdict:
Malicious activity
Analysis date:
2023-05-07 22:49:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/36f7b4b8-f7d0-45af-9a54-81be60109402

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387347/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug greyware packed
Link:
https://www.filescan.io/uploads/64582ade1c5e6717120719a7/reports/5f218713-e779-433a-89a9-0a44cd29750d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a7cddaab26425d654855f225afae2271c57fb051352a9754c968b57b5fd6579c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e7d68738-c927-4ce3-9092-b61efd2e962f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1227880
Signature
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious names
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 860844 Sample: zNRQGmNw75.exe Startdate: 08/05/2023 Architecture: WINDOWS Score: 68 51 Multi AV Scanner detection for submitted file 2->51 53 Machine Learning detection for sample 2->53 7 zNRQGmNw75.exe 1 3 2->7         started        11 SoftwareDistributionregid.1991-06.com.microsoft-ver4.4.1.1.exe 2->11         started        13 SoftwareDistributionregid.1991-06.com.microsoft-ver4.4.1.1.exe 2->13         started        process3 file4 47 SoftwareDistributi...soft-ver4.4.1.1.exe, PE32 7->47 dropped 49 SoftwareDistributi...exe:Zone.Identifier, ASCII 7->49 dropped 55 Creates autostart registry keys with suspicious names 7->55 57 Contain functionality to detect virtual machines 7->57 59 Hides threads from debuggers 7->59 61 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->61 15 SoftwareDistributionregid.1991-06.com.microsoft-ver4.4.1.1.exe 7->15         started        18 WerFault.exe 9 7->18         started        21 WerFault.exe 9 7->21         started        23 WerFault.exe 20 9 7->23         started        25 WerFault.exe 10 11->25         started        27 WerFault.exe 10 11->27         started        29 WerFault.exe 11->29         started        31 WerFault.exe 10 13->31         started        33 WerFault.exe 13->33         started        signatures5 process6 file7 63 Hides threads from debuggers 15->63 35 WerFault.exe 9 15->35         started        37 WerFault.exe 17 9 15->37         started        39 WerFault.exe 9 15->39         started        41 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->41 dropped 43 C:\ProgramData\Microsoft\...\Report.wer, Unicode 21->43 dropped 45 C:\ProgramData\Microsoft\...\Report.wer, Unicode 23->45 dropped signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7cddaab26425d654855f225afae2271c57fb051352a9754c968b57b5fd6579c/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Suspicious
First seen:
2023-05-07 22:49:09 UTC
File Type:
PE (Exe)
AV detection:
12 of 24 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u7g5vkzgijowkscv6is27lrcohcx7mcrguvjovgjnc2xwx6wk6oa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230507-2rm19agb34/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a7cddaab26425d654855f225afae2271c57fb051352a9754c968b57b5fd6579c
MD5 hash:
27be4d1930a01d4a3ddebaa0d179116b
SHA1 hash:
75b6c25584a4e34a926b6c3f5c64aa6975589a4c
Link:
https://www.unpac.me/results/9401eaae-f31e-4789-9b34-b6103c4fb9e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7cddaab26425d654855f225afae2271c57fb051352a9754c968b57b5fd6579c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a7cddaab26425d654855f225afae2271c57fb051352a9754c968b57b5fd6579c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/387347/
  
URLhaus
https://urlhaus.abuse.ch/url/2580611/

Comments


Avatar
zbet commented on 2023-05-07 22:48:51 UTC

url : hxxp://37.220.87.61/Clip1.exe