MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aad3072a367a7b47c0ef0472bde70721f5aff5285dbd40310bb19c7b68ff3918. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	aad3072a367a7b47c0ef0472bde70721f5aff5285dbd40310bb19c7b68ff3918
SHA3-384 hash:	9f7bb332779dafd3526ab794f0556dc409573c3056623ff0d9e0c656f323b3e9c43141ca8a2d9ebb89ed6a3938141bc5
SHA1 hash:	082ad7c7d350757e107841aa77402fbef12dd10c
MD5 hash:	0584dab798512e3053948814accbb6f9
humanhash:	ceiling-charlie-black-venus
File name:	aad3072a367a7b47c0ef0472bde70721f5aff5285dbd40310bb19c7b68ff3918
Download:	download sample
File size:	6'160'376 bytes
First seen:	2022-08-02 12:50:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4419e484e276ee1537b37e2081fdee7a
ssdeep	98304:q1F36xEKjmkfZcEGYNDn9Qofh4IYE393rJibfONsM8SHMER3kX7xN16IUS:qDf+mkSNYZB4qZrUS8WMAkL/1z
TLSH	T12656E0F13B05AFFFD94649385440DE9BC0B893E356D1C506ECA838B99A83F47C29A674
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4505/5/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	2351713cdc594123
Reporter	JAMESWT_WT
Tags:	exe signed Stream Synergy Inc.

Code Signing Certificate

Organisation:	Stream Synergy Inc.
Issuer:	DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
Algorithm:	ecdsa-with-SHA384
Valid from:	2021-06-18T00:00:00Z
Valid to:	2022-06-02T23:59:59Z
Serial number:	0d58b5346f4de87c850faa5a994fd935
Intelligence:	22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	eb0d6f2851e4a340b2325a9306cd7255d7f80e9436b9b4171bae7691922555b0
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aad3072a367a7b47c0ef0472bde70721f5aff5285dbd40310bb19c7b68ff3918

Verdict:

No threats detected

Analysis date:

2022-08-03 07:38:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ecea34b0-f006-43ef-a70c-55e44917d420

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/295842/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

DNS request

Sending a custom TCP request

Searching for the window

Result

Malware family:

n/a

Score:

0/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/28069/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/62e91d99b7eec6562784cf89/reports/2a9d3304-e12c-4662-a1e6-f6d9ee51e0bf/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6c3b2527-6e3c-4ae4-9309-b416c09dc8de

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1044855

Signature

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to evade debugger and weak emulator (self modifying code)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aad3072a367a7b47c0ef0472bde70721f5aff5285dbd40310bb19c7b68ff3918/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2022-06-19 23:52:54 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 26 (46.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vljqokrwpj5upqhparzl3zyheh2275jilw6uamilwgohw2h7hema._file

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/220802-p3gx6agbdk/

Behaviour

Enumerates physical storage devices

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

MD5 hash:

40d7eca32b2f4d29db98715dd45bfac5

SHA1 hash:

124df3f617f562e46095776454e1c0c7bb791cc7

Link:

https://www.unpac.me/results/663b1fdd-dd4a-4c72-b2c1-a7e8a31814a6/

SH256 hash:

84c45f2241801ee043fa6f3caa2d41eac490e1433b17e6b4447c0284465786f1

MD5 hash:

c530bd7c386295637588943a0afaf2ce

SHA1 hash:

adb48b9546ceb5fa7fc7e072354ce743df387b6d

Link:

https://www.unpac.me/results/663b1fdd-dd4a-4c72-b2c1-a7e8a31814a6/

SH256 hash:

aad3072a367a7b47c0ef0472bde70721f5aff5285dbd40310bb19c7b68ff3918

MD5 hash:

0584dab798512e3053948814accbb6f9

SHA1 hash:

082ad7c7d350757e107841aa77402fbef12dd10c

Link:

https://www.unpac.me/results/663b1fdd-dd4a-4c72-b2c1-a7e8a31814a6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.09

Link:

https://yomi.yoroi.company/submissions/aad3072a367a7b47c0ef0472bde70721f5aff5285dbd40310bb19c7b68ff3918

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/295842/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample