MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acc09a3633289ac4c40c744409c20f5f5167cf55fc792371d0e4bd9331c2ce31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7


SHA256 hash: acc09a3633289ac4c40c744409c20f5f5167cf55fc792371d0e4bd9331c2ce31
SHA3-384 hash: 8c6ef68ac1f4de193c4c276d3f5b6bbea8811a9b0a797a9b9618c25a7728f0aa2af13639aaf16f41f2f8726ce632f31f
SHA1 hash: 17aaeb2dc37184ed884588638bdfcdd9e1b4507f
MD5 hash: a923073515484b02bf7bc6f5635d50d4
humanhash: maryland-india-lithium-black
File name: a923073515484b02bf7bc6f5635d50d4.exe
File size: 1'110'941 bytes
First seen: 2021-06-06 07:01:18 UTC
Last seen: 2021-06-06 07:37:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 011a034751880c1944da3b5ecc18520d (8 x RedLineStealer, 4 x CryptBot, 3 x ArkeiStealer)
ssdeep: 24576:f9btxEOmkGS3cvuujoUAzMF2Z0N8pDcQpiwtfsyvcGna+hAUtDpR2uQGeK0:fNNLRU1M70ONRjRl8K0
Threatray: 218 similar samples on MalwareBazaar
TLSH: 8D35239277E3C9F9C6D21531190ABBA12A7DDB201F24CAD7A7D03A035E364D0E77E189
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 237
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a923073515484b02bf7bc6f5635d50d4.exe
Verdict: Malicious activity
Analysis date: 2021-06-06 07:04:58 UTC
Tags: autoit trojan 1xxbot

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 84 / 100
Signature
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (rendered graph image not available; node and edge data recovered from the page)
Behavior Graph ID: 430056
Sample: bszlCFCgNB.exe
Start date: 06/06/2021
Architecture: WINDOWS
Score: 84

Sample-level signatures:
    Multi AV Scanner detection for submitted file
    Sigma detected: Drops script at startup location
    Machine Learning detection for sample

Process tree (with per-process signatures, network activity and dropped files):
    bszlCFCgNB.exe (started)
        signature: Contains functionality to register a low level keyboard hook
        cmd.exe (started)
            signature: Submitted sample is a known malware sample
            signature: Obfuscated command line found
            signature: Uses ping.exe to sleep
            signature: Uses ping.exe to check the status of other devices and networks
            cmd.exe (started)
                signature: Obfuscated command line found
                signature: Uses ping.exe to sleep
                Strana.exe.com (started)
                    signature: Drops PE files with a suspicious file extension
                    Strana.exe.com (started)
                        DNS: XhdriZzbYSvkROP.XhdriZzbYSvkROP
                        dropped: C:\Users\user\AppData\...\KIutfgnPCs.exe.com (PE32)
                        dropped: C:\Users\user\AppData\...\KIutfgnPCs.url (MS)
                PING.EXE (started)
                    IP: 127.0.0.1 (unknown unknown)
                findstr.exe (started)
                    dropped: C:\Users\user\AppData\...\Strana.exe.com (Targa)
            conhost.exe (started)
    wscript.exe (started)
        signature: Creates processes via WMI
    KIutfgnPCs.exe.com (started)
        DNS: XhdriZzbYSvkROP.XhdriZzbYSvkROP
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-06-05 12:39:19 UTC
AV detection: 10 of 28 (35.71%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files

SHA256 hash: 2756e47e8a57af5292762827d0cf52ceeb073a47c88e74390a42f1047ef82cfa
MD5 hash: 18f9b7ac9fd1818a8c421a66b6e673da
SHA1 hash: 5cfc2bf9119d35dbb275f07c817e6642c3b21d71

SHA256 hash: 2a2b151456b7cc08651a1827dc9d9cb870bedd130086724113b94cf8dab3efbd
MD5 hash: 182f0df7cf79f48630cce490011dcf07
SHA1 hash: 658180149611200efaafa6321e2ed0aa533019fb

SHA256 hash: acc09a3633289ac4c40c744409c20f5f5167cf55fc792371d0e4bd9331c2ce31
MD5 hash: a923073515484b02bf7bc6f5635d50d4
SHA1 hash: 17aaeb2dc37184ed884588638bdfcdd9e1b4507f

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
    Executable exe acc09a3633289ac4c40c744409c20f5f5167cf55fc792371d0e4bd9331c2ce31 (this sample)

Delivery method: Distributed via web download

Comments