MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa56138ede83b2313cffd1ac5a973cdce0ecd91a1140b8bbd28efa6685ff3e9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa56138ede83b2313cffd1ac5a973cdce0ecd91a1140b8bbd28efa6685ff3e9c
SHA3-384 hash: bfc0cb77a40cf7c0b52e1a32b046d36bcbc859134c5fa51787aec13803d871462560be7aa4a7267af606892834083079
SHA1 hash: e99f4585a7f8633da6102a69ec5e6714817acfe0
MD5 hash: 54cda5465cc12fa996aeb564f3d461d4
humanhash: salami-moon-nitrogen-blue
File name:168881286462590723dffc946a4facb19c7da058a68ffd373041eff35a842f621c1835a1d6538.dat-decoded
Download: download sample
File size:12'800 bytes
First seen:2023-07-08 10:41:08 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 192:uqGOImCk52zLT04H98+cBhGOnT1Vu4IW1CnhsJgQHs5hEdKXrdzLurHh:uHO10zRdhcOqVu3nhqds5hLXrUrHh
Threatray 120 similar samples on MalwareBazaar
TLSH T1AC42C82967E84738EABEAB339C7191510672FE49DD23DF7D09D0A5190E332448EE1F26
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:base64-decoded dll


Avatar
abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
DLAgent09 Downloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/411918/
Detection(s):
SecuriteInfo.com.Variant.Zusy.473104.15584.23905.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm cmd lolbin packed replace schtasks wscript
Link:
https://www.filescan.io/uploads/64a93d7b67f70195b4433e84/reports/357e9c53-1a3e-4921-a246-c255ce10ec1a/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/aa56138ede83b2313cffd1ac5a973cdce0ecd91a1140b8bbd28efa6685ff3e9c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0fff7e9a-2d40-4426-9078-0518d9900d58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa56138ede83b2313cffd1ac5a973cdce0ecd91a1140b8bbd28efa6685ff3e9c/
Threat name:
ByteCode-MSIL.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-07-08 10:42:05 UTC
File Type:
PE (.Net Dll)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjlbhdw6qozdcph72gwfvfz43tqozwi2cfalro6sr35gnbp7h2oa._file
Verdict:
malicious
Similar samples:
4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb
6c798312f1aa6826f5e1dcc49ae54d4011d0e28245b3e6be0803dfd4381c6acb
77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1
888dc17f63eb7b61713327994a126c3ce5ca2b69e2643c8f6b7caa34235e972f
8cd29838aeae1b19c74a19a1a8e1682dbe55fa82586706d9d640485274244ec8
8ea0725c12db093e1fdb832954d88c79e17cca9557360173154d5e6ca278b80e
a2818335c97356215ddb1e92fff59fe0f431eeffe99d423399989602b59aafd9
a91bc84dd26784dc82b1ee55b50dc3016738a09fa0f6cdd22ad053bc00dfa016
fba55b351eff155339d7954d4872d2ca7e7ad4d445acb47cd1343b419309af2f
fc8c983c70303955fbbf53be566a1e573a231e2d38aaeaee4ed30a064a1bf172
+ 110 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230708-mrnkfsfb81/
Unpacked files
SH256 hash:
aa56138ede83b2313cffd1ac5a973cdce0ecd91a1140b8bbd28efa6685ff3e9c
MD5 hash:
54cda5465cc12fa996aeb564f3d461d4
SHA1 hash:
e99f4585a7f8633da6102a69ec5e6714817acfe0
Link:
https://www.unpac.me/results/9ede93a1-a643-4c11-816e-9920e6e0e9a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa56138ede83b2313cffd1ac5a973cdce0ecd91a1140b8bbd28efa6685ff3e9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downloaders) containing reversed URLs to raw contents of a paste
Rule name:MALWARE_Win_DLAgent09
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

unknown 62590723dffc946a4facb19c7da058a68ffd373041eff35a842f621c1835a1d6

DLL dll aa56138ede83b2313cffd1ac5a973cdce0ecd91a1140b8bbd28efa6685ff3e9c

(this sample)

  
Dropped by
SHA256 62590723dffc946a4facb19c7da058a68ffd373041eff35a842f621c1835a1d6
  
Dropped by
MD5 d6cf963e84108179788211b6e9614d9b
  
URLhaus
https://urlhaus.abuse.ch/url/2678656/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/411918/

Comments