MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9a4843ea9af569ab5ffd213ac4910898019083eb74ff8f36678092daca92f2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9a4843ea9af569ab5ffd213ac4910898019083eb74ff8f36678092daca92f2e
SHA3-384 hash: 59d5835d91098bf6e1ec4522f62ece84341d0cfe257118c78b331915482f10e6bfed0ccca2ce7266a549830c35fc030f
SHA1 hash: 992fca17ad2fe4a6523c3858c87b0e5203628032
MD5 hash: 6d081da0c4ea3eff0e18d414047bb5fd
humanhash: louisiana-winter-helium-emma
File name:a9a4843ea9af569ab5ffd213ac4910898019083eb74ff8f36678092daca92f2e
Download: download sample
File size:2'095'208 bytes
First seen:2022-10-12 23:20:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ec5356d8e0f77a28432ffd3fb34115c9 (1 x Mimic)
ssdeep 24576:w/iIzkQF+KpPnF1Fx+CszLyQ9lkxIQVki//47JhUhio7Z6OI93lGFtPtnNON+Ijo:whBPrElwNkto7VINlGFtPtnwjjOaW/
Threatray 1 similar samples on MalwareBazaar
TLSH T109A5D002FBC28272E593057891B6A73F893BBB209734C5D7C7D10D698D312D26A3B7A5
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter petikvx

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319593/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42793/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe evasive exploit explorer.exe filecoder greyware overlay rat scar
Link:
https://www.filescan.io/uploads/63474bdf67135c9da246a6a1/reports/c6ab4dc3-2f33-40c8-9fc2-17d2a01d2d6b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c03f187e-a2fc-4336-81ce-5abe146822b5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.expl.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1089249
Signature
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to clear event logs
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to modify Windows User Account Control (UAC) settings
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9a4843ea9af569ab5ffd213ac4910898019083eb74ff8f36678092daca92f2e/
Threat name:
Win32.Trojan.Tedy
Create hunting rule
Status:
Malicious
First seen:
2022-10-12 23:21:12 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 42 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgsiipvjv5ljvnp72ij2ysiqrgabscb6w5h7r43gpaes3lfjf4xa._file
Verdict:
malicious
Similar samples:
7ae4c5caf6cda7fa8862f64a74bd7f821b50d855d6403bde7bcbd7398b2c7d99
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221012-3bfsnsggan/
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/97a4ac88-5a10-44a9-80f2-35aa287b8c6c
Unpacked files
SH256 hash:
a9a4843ea9af569ab5ffd213ac4910898019083eb74ff8f36678092daca92f2e
MD5 hash:
6d081da0c4ea3eff0e18d414047bb5fd
SHA1 hash:
992fca17ad2fe4a6523c3858c87b0e5203628032
Link:
https://www.unpac.me/results/d8af81a9-42d7-4fe4-80da-681fb8283a4b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9a4843ea9af569ab5ffd213ac4910898019083eb74ff8f36678092daca92f2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_ClearWinLogs
Create hunting rule
Author:ditekSHen
Description:Detects executables containing commands for clearing Windows Event Logs
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICIOUS_USNDeleteJournal
Create hunting rule
Author:ditekSHen
Description:Detects executables containing anti-forensic artifcats of deletiing USN change journal. Observed in ransomware
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319593/

Comments