MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a894133671b96675c314b628c11f38eff4f537cf2532b354b082e5fab102d6eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: a894133671b96675c314b628c11f38eff4f537cf2532b354b082e5fab102d6eb
SHA3-384 hash: 41fd0ce132efc8ddaff3f0cb1315a3142090af49b14b397e1e22d8a66bcbcbec57d624d6d40521f05a03eeeda27acc19
SHA1 hash: 60f500cf6b797a52fa4c4898923bd6c80e88f816
MD5 hash: a4c39cd90ffc5ceda61d3fd496360dd7
humanhash: seven-equal-arkansas-oklahoma
File name: SecuriteInfo.com.Adware.DoubleD.163.16661.20661
File size: 7'129'196 bytes
First seen: 2022-05-03 12:58:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'512 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 196608:73wTUA+kLEhf8pNnBIQNFa2V2SWwNLzwWXg:73wwl+7hFa5SDzi
Threatray: 41 similar samples on MalwareBazaar
TLSH: T1CF7633195200C5A6F4C99B71AABA21D9BF36E7BB387B1C8475F4B906EF31184D8C5323
TrID: 63.3% (.EXE) Inno Setup installer (109740/4/30)
      15.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      8.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      3.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      2.6% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: SecuriteInfoCom
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 262
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Adware.DoubleD.163.16661.20661
Verdict: Suspicious activity
Analysis date: 2022-05-03 16:14:46 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe greyware overlay packed shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: suspicious
Classification: spyw.evad
Score: 28 / 100
Signature
Obfuscated command line found
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file registry)
Behaviour
Behavior Graph ID: 619586
Sample: SecuriteInfo.com.Adware.Dou...
Startdate: 03/05/2022
Architecture: WINDOWS
Score: 28
Top-level signatures: Snort IDS alert for network traffic; Tries to steal Mail credentials (via file registry)
Processes started at top level: SecuriteInfo.com.Adware.DoubleD.163.16661.exe; Video.UI.exe; EvJOWall.exe; EvJOWall.exe
SecuriteInfo.com.Adware.DoubleD.163.16661.exe: dropped SecuriteInfo.com.A...ubleD.163.16661.tmp (PE32); signature "Obfuscated command line found"; started SecuriteInfo.com.Adware.DoubleD.163.16661.tmp
Video.UI.exe: DNS lookup for settings-ssl.xboxlive.com
SecuriteInfo.com.Adware.DoubleD.163.16661.tmp: dropped C:\...vJOWall.exe (copy) (PE32), C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+) and 4 other files (none is malicious); started EvJOWall.exe, taskkill.exe, notepad.exe
EvJOWall.exe: network contact with evjosoft.com (174.136.24.40, ports 49799, 49801, 80; IHNETUS, United States) and www.evjosoft.com
taskkill.exe: started conhost.exe
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: a661bf8b96dbdd1611357e4f9091803d9d54b5d512e986c84afbfca2922cc244
MD5 hash: 28ec3c30f65baf5dd4af77e764f84cbb
SHA1 hash: bfa99f20bfc2c28a78e413bae21b0020fe8279a0
SHA256 hash: a894133671b96675c314b628c11f38eff4f537cf2532b354b082e5fab102d6eb
MD5 hash: a4c39cd90ffc5ceda61d3fd496360dd7
SHA1 hash: 60f500cf6b797a52fa4c4898923bd6c80e88f816
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments