MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa3b1c5afc0e923ac0a9dc5e17022e89a4df64403ac57bc7f53058acf8ada2aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: aa3b1c5afc0e923ac0a9dc5e17022e89a4df64403ac57bc7f53058acf8ada2aa
SHA3-384 hash: 49a73fb6d8bff9952c5ded19afdab112ea7c780bff037817f92f840c5ceae668fefba0515e8242979510efb03d4db96a
SHA1 hash: 728618a5b3cbe492f94fe55884391827874e8e4c
MD5 hash: 0c890d36918164e6fe9b78788fbc128d
humanhash: mississippi-happy-burger-juliet
File name: 0c890d36918164e6fe9b78788fbc128d
File size: 1'187'187 bytes
First seen: 2021-07-03 10:47:30 UTC
Last seen: 2021-07-03 11:39:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e04eb610508ddb951732064297e50b65 (6 x CryptBot)
ssdeep: 24576:j/T4vHsNMXj2mutmW8hi455JZYkO73VM+0X8T:jbkM2Xj2mu1oiEej7Fr0XW
TLSH: D9459D0095C9E8A9C01A1032943DB53924D9F6DBD27BCC9FEB5C660964AF3D2E17BE0D
Reporter: zbetcheckin
Tags: 32 exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 109
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0c890d36918164e6fe9b78788fbc128d
Verdict: Malicious activity
Analysis date: 2021-07-03 10:51:07 UTC
Tags: autoit trojan 1xxbot

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 81 / 100
Signature
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Injects a PE file into foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph ID: 443831 (Sample: DhStRngAC2, Startdate: 03/07/2021, Architecture: WINDOWS, Score: 81); the rendered graph is not reproduced here.
Threat name: Win32.Trojan.Crypzip
Status: Malicious
First seen: 2021-07-03 10:48:10 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 5e3e4ebd9c4ca827035498e4e4561d44577cb7f5384ab8763ae2cbbf3f78fb82
MD5 hash: 6f131615ec1ee1acb03e6756379b2d80
SHA1 hash: b268312f837c0e0ef76017c9032f0b64a8d40353
SHA256 hash: aa3b1c5afc0e923ac0a9dc5e17022e89a4df64403ac57bc7f53058acf8ada2aa
MD5 hash: 0c890d36918164e6fe9b78788fbc128d
SHA1 hash: 728618a5b3cbe492f94fe55884391827874e8e4c
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe aa3b1c5afc0e923ac0a9dc5e17022e89a4df64403ac57bc7f53058acf8ada2aa (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-07-03 10:47:31 UTC

url: hxxp://136.144.41.201/USA/paypall.exe