MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad6dd5d6218a1ddd8ec9d6bcfd2e5802b4b6a39f86dc67acd61a6273fad94ba4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad6dd5d6218a1ddd8ec9d6bcfd2e5802b4b6a39f86dc67acd61a6273fad94ba4
SHA3-384 hash: 3bbfef93c642ec8b7d016f840ffcafff5c5b558a0731c3656d9129f9cc5a6d12f2cff63f3deebf04a4124e2d4fe38898
SHA1 hash: 1cf4358befd3d4b7b135881f16041f9a935e8e2a
MD5 hash: 011e08e1833e96a280eedd66c0670859
humanhash: oscar-one-pip-bakerloo
File name:file.exe
Download: download sample
File size:2'482'722 bytes
First seen:2023-04-08 08:05:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c1f9ea6d51ba4934aeaee8b1f7d283d7 (2 x CoinMiner, 1 x FatalRAT, 1 x Blackmoon)
ssdeep 49152:W0psLOmC85RiIvDnxh+oVx3PGlx/tabTg5Q6BkfgjE:K6mziIrnj+lja96/jE
Threatray 1'102 similar samples on MalwareBazaar
TLSH T11BB5330B7F702DA0EE60B93365B68B007DEED97D8321863552927510EE021A1FE5ADF7
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f8e0c8d0e6e6fc18 (1 x RustyStealer, 1 x RecordBreaker, 1 x LummaStealer)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
No threats detected
Analysis date:
2023-04-08 08:08:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb79e70a-d2aa-4815-84b3-2c93b48232a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380844/
Detection(s):
Win.Malware.Misc-9963874-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/76956/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6431206d0a8c21410f57e38d/reports/8412ba59-8424-4e99-8213-8e49b85895f0/overview
Verdict:
Malicious
Labled as:
Malware.Misc
Link:
https://www.hybrid-analysis.com/sample/ad6dd5d6218a1ddd8ec9d6bcfd2e5802b4b6a39f86dc67acd61a6273fad94ba4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a190f9e4-2b47-4dc2-939b-7a9e804b5227
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1210515
Signature
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 843431 Sample: file.exe Startdate: 08/04/2023 Architecture: WINDOWS Score: 100 25 Malicious sample detected (through community Yara rule) 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Machine Learning detection for sample 2->29 31 2 other signatures 2->31 7 file.exe 8 2->7         started        process3 file4 23 C:\Users\user\AppData\Local\...\Setup.exe, PE32+ 7->23 dropped 10 Setup.exe 1 7->10         started        13 cmd.exe 1 7->13         started        15 cmd.exe 1 7->15         started        process5 signatures6 33 Multi AV Scanner detection for dropped file 10->33 35 Detected unpacking (changes PE section rights) 10->35 37 Machine Learning detection for dropped file 10->37 39 4 other signatures 10->39 17 conhost.exe 10->17         started        19 conhost.exe 13->19         started        21 conhost.exe 15->21         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad6dd5d6218a1ddd8ec9d6bcfd2e5802b4b6a39f86dc67acd61a6273fad94ba4/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-08 08:06:12 UTC
File Type:
PE+ (Exe)
Extracted files:
61
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvw5lvrbrio53dwj226p2lsyak2lni47q3ogplgwdjrhh6wzjosa._file
Verdict:
unknown
Similar samples:
3018727d5b193342aed7d08be1e3d0b49ef2fcf19621cad8b3bcb31e0312cb07
67ed4226089a037258ae9c039e93f9ba85dc75409ff0c3402c69597de654cb5d
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466
d91506e7131a9b6e2da08adddf490d1123358cbaec3d2d1258393e0ece8ff9fc
e5ddc31d2c92d19cb412602f4d9ad66144d509f66bbb770f610dab1ecbdd05c9
f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5
f63921129822475dd132a116b11312ebbb0cdc8b54f188aabeb7cf7a8c9065fd
+ 1'092 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/230408-jzeezacd49/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Checks computer location settings
Unpacked files
SH256 hash:
5e3ced0a0dc6f36a2e779f2bd8cba3292369deb3b309531c356202fb844bbd47
MD5 hash:
d2c158a4a0b05ba9ab03846c44b4f6f5
SHA1 hash:
e592e0af6badaef0581f59bab59e0105e65a1ae2
Link:
https://www.unpac.me/results/b002eabb-2346-4c91-8f64-7ac8ef204bdb/
SH256 hash:
ad6dd5d6218a1ddd8ec9d6bcfd2e5802b4b6a39f86dc67acd61a6273fad94ba4
MD5 hash:
011e08e1833e96a280eedd66c0670859
SHA1 hash:
1cf4358befd3d4b7b135881f16041f9a935e8e2a
Link:
https://www.unpac.me/results/b002eabb-2346-4c91-8f64-7ac8ef204bdb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ad6dd5d6218a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/ad6dd5d6218a1ddd8ec9d6bcfd2e5802b4b6a39f86dc67acd61a6273fad94ba4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/380844/

Comments