MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab3c989ae1c183636154ed334ade394295ecfd44fd97c87481f212ae51ba4bc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adhubllka


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab3c989ae1c183636154ed334ade394295ecfd44fd97c87481f212ae51ba4bc3
SHA3-384 hash: 88c9fc9fbd72ebfcd0c8df93789945552323f2dab3491d4d26608c4b167780ad2b99027dfd762fdf85774caca1a7e6f0
SHA1 hash: 0ff850893e70942918408db5570c26cf20292111
MD5 hash: d14aab030b254bae3c6977c71cbc8a0b
humanhash: golf-alpha-black-paris
File name:d14aab030b254bae3c6977c71cbc8a0b
Download: download sample
Signature Adhubllka
Create hunting rule
File size:416'256 bytes
First seen:2022-01-06 12:02:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'646 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:y7NhwPfQL7PCpucTIwI7qfNJc8NK0eSH1XM8GveTM:fP4HCpucTIwgPiKQH1XM8Gve
Threatray 351 similar samples on MalwareBazaar
TLSH T1A3947C9E30D0B4EDC8E7D6F14D962C9BAE70B0A64347414B652F149EA95CFA2DF1C0B2
Reporter zbetcheckin
Tags:32 Adhubllka exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d14aab030b254bae3c6977c71cbc8a0b
Verdict:
Malicious activity
Analysis date:
2022-01-06 12:07:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e5fb45b-14ad-4a71-88b7-b2715e9b5db5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217563/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38460210.15806.8362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Moving a recently created file
Changing a file
Modifying an executable file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Modifying a system executable file
Setting browser functions hooks
Enabling autorun by creating a file
Encrypting user's files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61d6da7b135d97804c0f51d1/reports/ef8e7508-6154-4539-a259-f16ddb9fbcee/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRansomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27e9827b-6bce-49a8-8d82-48a03c27dc97
Result
Threat name:
Covid19 Cryptolocker
Create hunting rule
Detection:
malicious
Classification:
rans.spre.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916284
Signature
Contains functionality to detect sleep reduction / modifications
Found ransom note / readme
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Covid19 Ransomware
Yara detected Cryptolocker ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab3c989ae1c183636154ed334ade394295ecfd44fd97c87481f212ae51ba4bc3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 12:03:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03c9edcd023caff6903886d8c708cf83bd8e0ffc962523de0abcad76b9bc65c6
Adhubllka
1084eb5b0264e2e4d231ee157c346e65dc8bbb52989ea931abf4e16cd1596f1c
Adhubllka
2c7cbac8fb35bec6c10869cd5e50d479997a86e42a49c9d2f226c0a88b871c01
Adhubllka
4e1310dcbe61956354f58b7a45254e17974d431691e4eb21aebe8fcf92b8ef34
Adhubllka
5cc0900c9ec86120d00632b859c3ff0d03bff355db901ba7a1d87672fa096707
Adhubllka
b05304798ed228b2da35af7a3473599b937b62731176a7b706369a743467a104
Adhubllka
c00acdb96f514d116753a05bc91fd543f0d20cf48895b206ebaa87981e638725
Adhubllka
cf87c474b0154c536cdf0e771c8ca97d9c4ba1d5530f669b677cd3b9346fe37d
Adhubllka
+ 341 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence ransomware spyware stealer
Link:
https://tria.ge/reports/220106-n7116abfam/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Reads user/profile data of web browsers
Modifies Installed Components in the registry
Modifies extensions of user files
Unpacked files
SH256 hash:
a697751f48d9cb93de448936cfaee722d0ffcf7804bef4fbff7c009d55d80ec0
MD5 hash:
1e8476956dc51ba679dc36d0346f3164
SHA1 hash:
ead279cf969287a5950f83d702b11cec27741424
Detections:
win_adhubllka_a0
Create hunting rule
win_adhubllka_auto
Create hunting rule
Link:
https://www.unpac.me/results/f2ea5cc8-f47a-49db-9ed3-26f5e70eca3a/
SH256 hash:
c91b6e3d49dc475eeb61b1ecfd283e465f948405fe10d9c38ddb44e86616336a
MD5 hash:
98a93e87ae86754548a1b929cd954e33
SHA1 hash:
9d593824dfcd92257ff954db5fe7cccc1ccda350
Link:
https://www.unpac.me/results/f2ea5cc8-f47a-49db-9ed3-26f5e70eca3a/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/f2ea5cc8-f47a-49db-9ed3-26f5e70eca3a/
SH256 hash:
d35bb34050e5e7a9833588f68583ce6b0133c3a941c0160470bb80b25b8dbcaa
MD5 hash:
2fb4991b4cfad2e0523449758d9f8c4d
SHA1 hash:
9ab297b9c06bfe6e3baf9969df93c6916e9c133f
Link:
https://www.unpac.me/results/f2ea5cc8-f47a-49db-9ed3-26f5e70eca3a/
SH256 hash:
f761e5632261e4040bdfb131358e353e17b469ff9a03e2247431e5bcf6cb7d47
MD5 hash:
a937d582fe87d1026d90fff91a29234c
SHA1 hash:
27c851263f6f2ed8669459da6a1b40fb114d7fef
Link:
https://www.unpac.me/results/f2ea5cc8-f47a-49db-9ed3-26f5e70eca3a/
SH256 hash:
90c3a2e4c3c38a7974114d6f746f5582fe9c5e3315f8cd1ae554ecc5ef4598ab
MD5 hash:
c01aa7aef66a9e52b68c10095004118c
SHA1 hash:
09562f6ff103833bbb8056707b61c5a35c140913
Link:
https://www.unpac.me/results/f2ea5cc8-f47a-49db-9ed3-26f5e70eca3a/
SH256 hash:
00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash:
bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash:
cdf7dd7dd1771edcc473037af80afd7e449e30d9
Link:
https://www.unpac.me/results/f2ea5cc8-f47a-49db-9ed3-26f5e70eca3a/
SH256 hash:
ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash:
a35ee23aaab26afc575ac83df9572b57
SHA1 hash:
81ea38c694ce9702faddfb961f17c1bbf628a76d
Link:
https://www.unpac.me/results/f2ea5cc8-f47a-49db-9ed3-26f5e70eca3a/
SH256 hash:
e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash:
5cac4fe734fc8454ccb847e030beee38
SHA1 hash:
34298fe220e35f614b2c837cf1dc2604ab0882d6
Link:
https://www.unpac.me/results/f2ea5cc8-f47a-49db-9ed3-26f5e70eca3a/
SH256 hash:
ab3c989ae1c183636154ed334ade394295ecfd44fd97c87481f212ae51ba4bc3
MD5 hash:
d14aab030b254bae3c6977c71cbc8a0b
SHA1 hash:
0ff850893e70942918408db5570c26cf20292111
Link:
https://www.unpac.me/results/f2ea5cc8-f47a-49db-9ed3-26f5e70eca3a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ab3c989ae1c1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab3c989ae1c183636154ed334ade394295ecfd44fd97c87481f212ae51ba4bc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_adhubllka_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.adhubllka.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adhubllka

Executable exe ab3c989ae1c183636154ed334ade394295ecfd44fd97c87481f212ae51ba4bc3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1952981/
Cape
Cape
https://www.capesandbox.com/analysis/217563/

Comments


Avatar
zbet commented on 2022-01-06 12:02:10 UTC

url : hxxps://profiteneh.com/wp-admin/js/101.exe