MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa0d0e6b9d2837caba23565e62911125f3f9135a642c3216ce98b4ca92b6a320. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa0d0e6b9d2837caba23565e62911125f3f9135a642c3216ce98b4ca92b6a320
SHA3-384 hash: d878d4fd8b0f7918a3037e36dd5d979ddaadfbbbd1042debc85ee55a76a1023582ef36e0962e824c848dd0d27efd66e8
SHA1 hash: fe2a8c7ecf572fb588ac48d5203a46df4db6ef18
MD5 hash: cb75b6e7910427dca089ae5017842744
humanhash: mike-green-dakota-mobile
File name:aa0d0e6b9d2837caba23565e62911125f3f9135a642c3216ce98b4ca92b6a320
Download: download sample
File size:7'432'583 bytes
First seen:2024-02-05 15:00:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'461 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 196608:wer82TklmZKpwpFWNfCef7xaKrqxfaorxE39QdBWe9ej7:wMKCkjao2faq+Gbcj7
TLSH T1AF76334538F15F32CA7947FFE919B128B3751E7B9B926A69630E00AF363E027C181536
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter adrian__luca
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474757/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.OpenCandy7AF.8482.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65c0f8360b80a4072892d91a/reports/ba41212e-a360-4681-9baa-4042b6b18c2f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/aa0d0e6b9d2837caba23565e62911125f3f9135a642c3216ce98b4ca92b6a320
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/457e1d82-57e9-486e-990d-dabf629199e1
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1386901
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1386901 Sample: u55pOXYKJJ.exe Startdate: 05/02/2024 Architecture: WINDOWS Score: 96 45 trenininmiba.gq 2->45 47 Antivirus detection for URL or domain 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 4 other signatures 2->53 9 u55pOXYKJJ.exe 2 2->9         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\u55pOXYKJJ.tmp, PE32 9->33 dropped 12 u55pOXYKJJ.tmp 21 32 9->12         started        process6 file7 35 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 12->35 dropped 37 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 12->37 dropped 39 C:\Users\user\AppData\...\unins000.exe (copy), PE32 12->39 dropped 41 35 other files (4 malicious) 12->41 dropped 55 Uses schtasks.exe or at.exe to add and modify task schedules 12->55 16 pythonzlibext.exe 12->16         started        19 schtasks.exe 1 12->19         started        21 regsvr32.exe 12->21         started        signatures8 process9 dnsIp10 43 trenininmiba.gq 172.67.143.78, 49711, 49713, 80 CLOUDFLARENETUS United States 16->43 23 WerFault.exe 19 16 16->23         started        25 WerFault.exe 16 16->25         started        27 WerFault.exe 16 16->27         started        31 8 other processes 16->31 29 conhost.exe 19->29         started        process11
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aa0d0e6b9d2837caba23565e62911125f3f9135a642c3216ce98b4ca92b6a320
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa0d0e6b9d2837caba23565e62911125f3f9135a642c3216ce98b4ca92b6a320/
Threat name:
Win32.Trojan.Ekstak
Create hunting rule
Status:
Malicious
First seen:
2024-01-27 03:34:55 UTC
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vigq4245fa34vordkzpgfeirexz7se22mqwdefwotc2mvevwumqa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/240205-sdvz9scfdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a110086f61bbabda129b96358a06b3ef4397e0b11f6d7d699c000df5df893f0b
MD5 hash:
acd16e74313a223196dfba8f8ca0c427
SHA1 hash:
e87748c677120e22dba295d8f29dd8eef576bab4
Link:
https://www.unpac.me/results/1e81a51b-55fb-4a21-ba83-89a5ba523a5c/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/1e81a51b-55fb-4a21-ba83-89a5ba523a5c/
SH256 hash:
ea8d9264437b3c329c8a4e19574e1f7356546f87f5417945cdcf60d25fbe96da
MD5 hash:
bb77cffaa1ac423a479fcd028cb0eac5
SHA1 hash:
2a1befaeb57e4a1b567f63f7ae23863ac0e09c68
Link:
https://www.unpac.me/results/1e81a51b-55fb-4a21-ba83-89a5ba523a5c/
SH256 hash:
c724c767c98742b9fa1cecb249b3adfb154e8cd3a8c24a8dcc09d5fab131dba4
MD5 hash:
bb104b85dbce15cb7548266d4e877505
SHA1 hash:
25e6d3dd307518d1c1e51f7be994230c8a22bb09
Link:
https://www.unpac.me/results/1e81a51b-55fb-4a21-ba83-89a5ba523a5c/
SH256 hash:
aa0d0e6b9d2837caba23565e62911125f3f9135a642c3216ce98b4ca92b6a320
MD5 hash:
cb75b6e7910427dca089ae5017842744
SHA1 hash:
fe2a8c7ecf572fb588ac48d5203a46df4db6ef18
Link:
https://www.unpac.me/results/1e81a51b-55fb-4a21-ba83-89a5ba523a5c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa0d0e6b9d28/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa0d0e6b9d2837caba23565e62911125f3f9135a642c3216ce98b4ca92b6a320

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SR_APT_DustSquad_PE_Nov19
Create hunting rule
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/474757/

Comments