MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c
SHA3-384 hash: 5150fa23a0ccaeeb43af4bec830c3cd31215a2374cf2d67d97c613ff7703c7702c43dc3b8c18077804c3365e7b58b873
SHA1 hash: f66e219e915c80f4f4374084b7f0f8d15deadb22
MD5 hash: e1df1aabc15765a32e8642c474578eb1
humanhash: dakota-edward-carolina-victor
File name:e1df1aabc15765a32e8642c474578eb1.exe
Download: download sample
File size:5'034'680 bytes
First seen:2021-08-08 15:21:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 48 x PureHVNC, 34 x CoinMiner)
ssdeep 98304:0/JtoyeTQdvOnHnhjF/gEpLGdRbqn6LTqOdnwn:JySLEbqM2Odnwn
Threatray 69 similar samples on MalwareBazaar
TLSH T108364AE369E19B8FD24ED1F69AD1B43EA55BB5FACA08E343D456F235E613C803006B14
dhash icon 00bcbafecece8e30
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e1df1aabc15765a32e8642c474578eb1.exe
Verdict:
No threats detected
Analysis date:
2021-08-08 15:24:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8be433fb-eef3-45dc-9731-c9fcb9357eb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177256/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fe122676-6ca7-4b53-bcdb-e914c65c65e9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828821
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461250 Sample: IPT9HJdb2d.exe Startdate: 08/08/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 PE file contains section with special chars 2->50 52 Sigma detected: Powershell Defender Exclusion 2->52 8 IPT9HJdb2d.exe 2 4 2->8         started        12 MicrosoftApi.exe 14 2 2->12         started        15 MicrosoftApi.exe 2 2->15         started        process3 dnsIp4 40 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 8->40 dropped 42 C:\Users\user\AppData\...\IPT9HJdb2d.exe.log, ASCII 8->42 dropped 66 Detected unpacking (changes PE section rights) 8->66 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->68 70 Query firmware table information (likely to detect VMs) 8->70 17 MicrosoftApi.exe 1 5 8->17         started        44 45.137.190.236, 49721, 49722, 49724 BITWEB-ASRU Russian Federation 12->44 72 Hides threads from debuggers 12->72 74 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->74 file5 signatures6 process7 file8 38 C:\Users\user\AppData\...\tmp33D0.tmp.cmd, DOS 17->38 dropped 54 Multi AV Scanner detection for dropped file 17->54 56 Detected unpacking (changes PE section rights) 17->56 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->58 60 4 other signatures 17->60 21 cmd.exe 1 17->21         started        24 cmd.exe 1 17->24         started        signatures9 process10 signatures11 62 Uses schtasks.exe or at.exe to add and modify task schedules 21->62 64 Adds a directory exclusion to Windows Defender 21->64 26 powershell.exe 22 21->26         started        28 conhost.exe 21->28         started        30 timeout.exe 1 21->30         started        32 conhost.exe 24->32         started        34 timeout.exe 1 24->34         started        36 schtasks.exe 1 24->36         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c/
Threat name:
Win64.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2021-08-08 15:22:06 UTC
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3d6a3c3b0bfcd73cb4a07aabfdc5a915b7bc38c835cf5d87b724bc5aa7704653
49b57d024424267e79102b40cacbdb69c6e92ec41d5443d069da06e4eb083921
5ee9f4addc6c85c45a7a66f9b61c4d7977f21d8ce1aadf667508f4623b317572
95654525c7022015e1177ff2e8eba84837f6808b6568bccd87af3e55a3c1f481
bc06c918fab5afbb61d15611dedadbc9012cf9e4979e9d3f261a9046c306bb87
cdf2ed21f6bda94bdebd880cb3e45005de2e714d8f1311f3d38684f103be2f00
d07e7f7f409d82270a54d63f0ee9e38442665d91a5dc193bcadfe45452d8cf46
eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397
+ 59 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion suricata themida trojan
Link:
https://tria.ge/reports/210808-qtw2q4ncmj/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
Unpacked files
SH256 hash:
ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c
MD5 hash:
e1df1aabc15765a32e8642c474578eb1
SHA1 hash:
f66e219e915c80f4f4374084b7f0f8d15deadb22
Link:
https://www.unpac.me/results/d251a171-6cc1-432b-ae73-2b05544070ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1493960/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/177256/

Comments