MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f
SHA3-384 hash: fe4deb18d2b8c7d098ed4ac7af2582a9c414571fd59a6fded9f852942b297a0ac2d6f0b0a6e6ecc3479bbe455a14d367
SHA1 hash: 2802749a624d8b66786988805aafabdc8b3c741e
MD5 hash: 3661cbaa14b2974e5f1c228da71b3375
humanhash: washington-zebra-happy-thirteen
File name:file
Download: download sample
File size:259'072 bytes
First seen:2023-05-31 16:22:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8ad88ac708ddb8f8b13f36cf34d63196
ssdeep 3072:/jw74LtbRIpVtSxq3hJSaj0CqWuvSNImaZhljVLl7r8qi41j2m2FtHJjgBvFGhC4:M6hJVL5nt2FvUJFGhCWUyAOkgqk7
Threatray 5'398 similar samples on MalwareBazaar
TLSH T15144D500B5D68532D5620C368CF67B5CA738A6110F274BEB738825799E243CCF6F99A7
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://transparenciacanaa.com.br/cidadejunina/js/vendor/postmon.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c978e71f7e75fef5062a57d11ee2fae8
Verdict:
Malicious activity
Analysis date:
2023-05-04 20:32:08 UTC
Tags:
opendir loader evasion
Link:
https://app.any.run/tasks/3ca95cd2-8054-4b50-9c2d-85efc561df6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/394139/
Detection(s):
SecuriteInfo.com.Adware.Generic.3107311.15844.10045.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Downloading the file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88844/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm greyware lolbin shell32.dll
Link:
https://www.filescan.io/uploads/6477746542786e46b28b5e24/reports/720a3255-ad52-4021-8800-67b05f78e461/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d4b71d8-2d16-4646-a1a7-e09c8813b607
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1246289
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Powershell Download and Execute IEX
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 879308 Sample: file.exe Startdate: 31/05/2023 Architecture: WINDOWS Score: 84 33 Antivirus detection for URL or domain 2->33 35 Antivirus / Scanner detection for submitted sample 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 2 other signatures 2->39 7 file.exe 1 13 2->7         started        process3 dnsIp4 31 transparenciacanaa.com.br 162.214.154.198, 443, 49692, 49693 UNIFIEDLAYER-AS-1US United States 7->31 41 Self deletion via cmd or bat file 7->41 11 cmd.exe 1 7->11         started        14 cmd.exe 1 7->14         started        signatures5 process6 signatures7 43 Uses ping.exe to check the status of other devices and networks 11->43 16 PING.EXE 1 11->16         started        19 conhost.exe 11->19         started        21 powershell.exe 14 15 14->21         started        23 conhost.exe 14->23         started        process8 dnsIp9 25 127.0.0.1 unknown unknown 16->25 27 transparenciacanaa.com.br 21->27 29 195.123.210.154, 49699, 80 ITL-LV Bulgaria 21->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f/
Threat name:
Win32.Adware.FileFinder
Create hunting rule
Status:
Malicious
First seen:
2023-05-02 06:25:16 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
27 of 37 (72.97%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwqzznfmcbotivplbqxyj7gc3hhuguhhrykjuyrqjsips6hhfn7q._file
Verdict:
malicious
Similar samples:
01e45abb29d308bb9402e7a7509bbd39fcf51fae5962fb40fcd13a04b6a87afd
28fff67a5ec01a9ccd4c5101cdfeaa2a714d90322b39a5b5be4cb48e4ff78ea2
384754e8def3862ee5805476c1c45bbec16d56175dc82438927e02cd98292b24
41da684add05801458398e2a45805258ba5a78c77e079f1d8f15aed85a4034e6
756c2e4a778391cf046be9510aee12e3a0e6c4dce5ea611e12a8a3dac4036e60
869abff3b6b8d0d0e854a0b7708ece00ab0e578902c694b816a35f102aa9ea5b
95c5e04a12bab61c95de5e63cb0b8730599772d3f4f46a9d6487b90841128a99
bd110195169a004ee16e607cebd27a1df959abb75d264d05b2c4ef55e329c8b7
e1364b7144e6240f9dfede83f545c99e8fe47acefda67f9e3edf7e560fc1989c
f642d33cd9637c327beff1360531a610de8146340644db1978acd41c76b4a502
+ 5'388 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230531-twcr3sge2z/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1
Unpacked files
SH256 hash:
ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f
MD5 hash:
3661cbaa14b2974e5f1c228da71b3375
SHA1 hash:
2802749a624d8b66786988805aafabdc8b3c741e
Link:
https://www.unpac.me/results/87f5e230-c02f-4762-bf0b-03c3ff377a74/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/394139/
  
URLhaus
https://urlhaus.abuse.ch/url/2648475/

Comments