MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac2776e3263b66f68353ec62113742e5b045f92da733866a7952673df4b1c45a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: ac2776e3263b66f68353ec62113742e5b045f92da733866a7952673df4b1c45a
SHA3-384 hash: bba573ccfa3ea7ed7e4bbb78ae32d701c5880fc1a1020a42047fdef89d5e7e27049fe4133e364c8fc8c67f3a38dac484
SHA1 hash: e8f3fe039fd6ae0be2bc7d5a5f6e6d79462b49c6
MD5 hash: 9aa44dea64a5b73e45eaa865637d6f35
humanhash: moon-three-happy-oxygen
File name: 6月工资发放结算.exe
File size: 5'773'163 bytes
First seen: 2023-06-19 13:34:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep: 98304:O06FOznLo0+Dd6uxcobmpTncTYS3l72vu2X74NXoXYCOcWBOIn24vEWu:O3F6n80W6uGOao7urSoXYCOQIn2JWu
Threatray: 24 similar samples on MalwareBazaar
TLSH: T1B4462341F392C4B0D46A85B888828766CF773C2257B1C6EB5BE4695E5F333D09B32726
TrID:
  68.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  10.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  9.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: fadadac2a2b8c4e4 (11 x Nitol, 2 x Amadey, 2 x AgentTesla)
Reporter: obfusor
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 292
Origin country: HK

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6月工资发放结算.exe
Verdict: No threats detected
Analysis date: 2023-06-19 13:37:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Searching for synchronization primitives
  Creating a window

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  MalwareBazaar
  MeasuringTime
  SystemUptime
  EvasionQueryPerformanceCounter
  EvasionGetTickCount
  CheckCmdLine
  Gathering data

Result
Verdict: SUSPICIOUS
Details:
  Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 60 / 100
Signature:
  Found driver which could be used to inject code into processes
  May modify the system service descriptor table (often done to hook functions)
  Multi AV Scanner detection for submitted file
  Sample is not signed and drops a device driver
Behaviour
Behavior Graph ID: 890465 (sample: 6#U6708#U5de5#U8d44#U53d1#U...; start date: 19/06/2023; architecture: WINDOWS; score: 60)
  Sample-level signatures: Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; May modify the system service descriptor table (often done to hook functions)
  6月工资发放结算.exe (started)
    dropped: C:\Users\user\AppData\Local\...\irsetup.exe (PE32); C:\Users\user\AppData\Local\...\lua5.1.dll (PE32)
    started: irsetup.exe
      network: 192.168.2.1 (unknown)
      dropped: C:\Program Files (x86)\...\hookport_win10.sys (PE32); C:\un.exe (PE32+); C:\Program Files (x86)\...\PopWndTracker.exe (PE32); 11 other files (none is malicious)
      signature: Sample is not signed and drops a device driver
      started: iusb3mon.exe, un.exe, un.exe
        iusb3mon.exe started: WerFault.exe, WerFault.exe
        un.exe dropped: C:\Microsoft\iusb3mon.exe (PE32); started: conhost.exe
        un.exe started: conhost.exe

Result
Malware family: n/a
Score: 3/10
Tags: n/a

Unpacked files
SHA256 hash: 6f87a209231d2dbe34463d424d3b918a8b8e8af49cfcfab68e43e6832b4ccef5
MD5 hash: ab0210c93fe684f8f752ed45f91be529
SHA1 hash: 033003357378665c1edfe2a36dcf6484e2f0bf44

SHA256 hash: 0f5c06a8174b98dcaf3b56e1a01c7859925760a11dc1dc111dc1501f21f5a29e
MD5 hash: f7a37d4b09f97a048518f16e3679a124
SHA1 hash: d07f98df25c5eb200ee8b03d3a0cb0bf2361d11a

SHA256 hash: 1d5eac4440755b424eca75b8e68abe4eb525eb212eefab30cbc153dd12a281d2
MD5 hash: 865bb84a0ec166dcb296e6dab1873c7e
SHA1 hash: 3f7097d138a4712a6adc12e02e350e2691b685f0

SHA256 hash: f84225d68644f898d4785862662e7bb7d566db4b5579376eafc416138b73b416
MD5 hash: 64995d2bd8f733f1d4e3cf95f778a495
SHA1 hash: f0c5c4218cf8c740e436c6613d08d327f79b5258

SHA256 hash: 9ddef513ee7a3495b5c25b7b45db56378ad1783685e0e7e8ce3bcb45ae48b093
MD5 hash: c3b0faf8b9741b8259cbb4cc6e3b3ab3
SHA1 hash: 658461d8f581a0b29bf3105525ea2dd1b9ba7d70

SHA256 hash: 8dc69cb7f775bfd0b13fcdcb5a70861ecd41acb8b07fd7d44edb785f3ff0646c
MD5 hash: 2069f493379a017650696224657c3fd7
SHA1 hash: d21edd002e636dc2f3d46df10d731142ecc49df6

SHA256 hash: 8f81bc92ee775ad5fa62ee1a504c45950be985e1f00006e630e913ca2e11abe1
MD5 hash: 54009012e012fa0496d452cccebdb192
SHA1 hash: a682b66b666e86e4eabf8e0d28b9d98b18ae963a
Detections: win_sinowal_w1

SHA256 hash: ac2776e3263b66f68353ec62113742e5b045f92da733866a7952673df4b1c45a
MD5 hash: 9aa44dea64a5b73e45eaa865637d6f35
SHA1 hash: e8f3fe039fd6ae0be2bc7d5a5f6e6d79462b49c6

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: QbotStuff
Author: anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments