MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae6e498c8c5441ea32f11e33f00a73446a429aa601c2eccefbc4c40561481a2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: ae6e498c8c5441ea32f11e33f00a73446a429aa601c2eccefbc4c40561481a2c
SHA3-384 hash: 73efbb8add68816279738608a229beac3782abf955a11c556d4db0f96d355b0268e23a58369b5aeec4adff40f0616389
SHA1 hash: db45b1842c6735d25f5104aff70db231bc0aad34
MD5 hash: 0ceacf7dc64290934eff76d8c75a7d9c
humanhash: lamp-cat-william-triple
File name: Estratto_conto_commissioni_WU_Estratto_conto_commissioni_WU.pdf.exe
File size: 1'434'842 bytes
First seen: 2022-09-27 12:37:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:eHLmCiIhVQxLW4iA/IG7+VtqdGXIyO3ZfsRIIukjdPoRd5ZdQx:z5/pwydGmGuIu0oRd5m
Threatray 1'856 similar samples on MalwareBazaar
TLSH T1B1650212B6C68871D4722A711939A720597B7C244B78894F63DC3D2FBBB32926931F73
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter JAMESWT_WT
Tags: Anyplace anyplace-gateway-work exe
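The hash set, the double-extension file name and the WinRAR SFX verdict from TrID can all be checked locally before trusting any vendor verdict. The following is an added Python example, not MalwareBazaar's or any vendor's code: it recomputes the listed hashes, flags a decoy document extension immediately followed by an executable one, walks the PE section table to find where the overlay starts, and looks there for the RAR4/RAR5 archive marker that a WinRAR self-extracting stub carries after its code. The sample bytes it builds are constructed (a minimal PE stub with an appended RAR5 marker), so their hashes will not match this entry; `triage`, `build_constructed_sfx` and the other names are the example's own.

```python
import hashlib
import re
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5-4.x archive marker
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive marker

# Decoy document extension immediately followed by an executable extension,
# e.g. "...pdf.exe"; Explorer hides the final ".exe" when extensions are hidden.
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|rtf|txt|jpe?g|png|gif|zip)"
    r"\.(exe|scr|com|pif|bat|cmd|vbs|js|jse|wsf)$",
    re.IGNORECASE,
)


def hash_set(data: bytes) -> dict:
    """Recompute the hash set MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def double_extension(filename: str) -> bool:
    """True when the name ends in a decoy extension plus an executable one."""
    return DOUBLE_EXT.search(filename) is not None


def pe_overlay_offset(data: bytes) -> int:
    """Offset just past the last section's raw data; everything after is overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # first IMAGE_SECTION_HEADER
    end = table + 40 * nsections                # headers end here at minimum
    for i in range(nsections):
        # SizeOfRawData at +16, PointerToRawData at +20 in each section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_appended_rar(data: bytes):
    """(rar_version, offset) of a RAR marker in the overlay, or None."""
    start = pe_overlay_offset(data)
    for magic, version in ((RAR5_MAGIC, 5), (RAR4_MAGIC, 4)):
        idx = data.find(magic, start)
        if idx != -1:
            return version, idx
    return None


def triage(filename: str, data: bytes) -> dict:
    """Combine the checks into one report for a (name, bytes) pair."""
    report = hash_set(data)
    report["size"] = len(data)
    report["double_extension"] = double_extension(filename)
    report["overlay_offset"] = pe_overlay_offset(data)
    report["appended_rar"] = find_appended_rar(data)
    return report


def build_constructed_sfx() -> bytes:
    """CONSTRUCTED stand-in for a WinRAR SFX: minimal PE stub + RAR5 marker.

    Not the real sample. SizeOfOptionalHeader is 0, so the single section
    header follows the COFF header directly; that is enough for the parser.
    """
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0x0102)
    section = (b".text\x00\x00\x00"
               + struct.pack("<IIII", 0x20, 0x1000, 0x20, 0x80)       # VSize, VA, RawSize, RawPtr
               + b"\x00" * 16)
    code = b"\x90" * 0x20                                             # stub code at 0x80
    stub = dos + coff + section + code                                # 0xA0 bytes in total
    archive = RAR5_MAGIC + b"constructed archive body, not a real RAR stream"
    return stub + archive


if __name__ == "__main__":
    name = "Estratto_conto_commissioni_WU_Estratto_conto_commissioni_WU.pdf.exe"
    for key, value in triage(name, build_constructed_sfx()).items():
        print(f"{key}: {value}")
```

Run it against the real download by replacing `build_constructed_sfx()` with the file's bytes; a RAR marker found at or after the overlay offset confirms the SFX layout, and the archive from that offset onward can be handed to an unpacker without executing the stub.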

Intelligence


File Origin
# of uploads: 1
# of downloads: 274
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file
Creating a service
Launching a service
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun for a service
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to change the wallpaper
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph (ID 710845; sample Estratto_conto_commissioni_...; start date 27/09/2022; architecture WINDOWS; score 100)
Top-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures
Process tree recovered from the graph:
Estratto_conto_commissioni_WU_Estratto_conto_commissioni_WU.pdf.exe
    dropped: support-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgdG9kb2xvcHVlZG9lbmRpb3NxdWVtZWZvcnRhbGVjZQ==.exe (PE32)
    started: support-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgdG9kb2xvcHVlZG9lbmRpb3NxdWVtZWZvcnRhbGVjZQ==.exe
        started: support-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgdG9kb2xvcHVlZG9lbmRpb3NxdWVtZWZvcnRhbGVjZQ==.exe (second instance)
            dropped: C:\ProgramData\...\libspeexdsp.dll (PE32)
            dropped: C:\ProgramData\...\libspeex.dll (PE32)
            dropped: C:\ProgramData\...\hcs.exe (PE32)
    started: AcroRd32.exe
        network: 192.168.2.1 (unknown)
        started: RdrCEF.exe
svchost.exe (signature: Changes security center settings (notifications, updates, antivirus, firewall))
    started: MpCmdRun.exe
        started: conhost.exe
svchost.exe (signature: Query firmware table information (likely to detect VMs))
12 other processes
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-09-27 12:38:16 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: bootkit persistence upx
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
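The behaviour list above reports writes to the Master Boot Record and boot-sector infection capability. What a responder wants next is the first sector of the affected disk, compared with a known-good copy from the same host. The following is an added Python example, not from the page, the sandbox vendor or the malware author: it parses a 512-byte MBR, checks the 0x55AA boot signature, decodes the four partition entries, and hashes the boot code and the partition table separately so that a boot-code replacement (the bootkit case) can be told apart from a partition edit. The sectors it builds are constructed; reading a live disk (for example `\\.\PhysicalDrive0` on Windows with administrator rights, or a forensic image) is left to the caller.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446              # bytes 0..445: boot code (Windows keeps its disk signature at 440)
PART_TABLE_OFF = 446             # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510..511
PART_ENTRY = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def build_constructed_mbr(boot_code: bytes) -> bytes:
    """CONSTRUCTED 512-byte MBR: given boot code plus one bootable NTFS (0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode one MBR sector into signature check, hashes and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                              # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, suspect: bytes) -> dict:
    """Distinguish boot-code replacement (bootkit) from partition-table edits.

    The baseline must come from the same host: the boot-code region includes the
    per-disk Windows disk signature, so sectors from different machines differ anyway.
    """
    base, now = parse_mbr(baseline), parse_mbr(suspect)
    return {
        "signature_ok": now["signature_ok"],
        "boot_code_changed": base["boot_code_sha256"] != now["boot_code_sha256"],
        "partition_table_changed": base["partition_table_sha256"] != now["partition_table_sha256"],
    }


if __name__ == "__main__":
    # Constructed sectors: a stock-looking prologue (cli; xor ax,ax; mov ss,ax; mov sp,7c00h)
    # versus a stand-in for boot code that a bootkit overwrote while keeping the table.
    clean = build_constructed_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
    hooked = build_constructed_mbr(b"\xeb\x3c\x90constructed hook stub")
    print(parse_mbr(clean)["partitions"])
    print(compare_mbr(clean, hooked))
```

A result of `boot_code_changed` with `partition_table_changed` false is the signature of an MBR bootkit: the OS still boots normally because the table is intact, but control passes through attacker code first. A failed `signature_ok` means the sector is no longer a valid MBR and the machine may not boot at all.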
Unpacked files
SHA256 hash: f15b0408096eafc700fe069b716ffa921854b4e95bed33ad08524a59cc8ad57b
MD5 hash: 9a8608bb0b654c650743221914d87ac2
SHA1 hash: bc4dde9361fe4170a93e6e9af80cb8a2aaf70f66
SHA256 hash: 2fafb2a5116b640a09804bb5e2f04b843a00d7b70ed73b60d0ed5068aad28bc9
MD5 hash: c374e81222e06289a2a28aaa160b0a35
SHA1 hash: a872dbaf117dad990371445bfd637c90b87fea8a
SHA256 hash: 65a9bbd5b3b9161c0dd61a9e185e391cfa68f31171e1a5fcfad20bcc9eb09480
MD5 hash: e10db82c997a756a01b6f954e86b83e0
SHA1 hash: 411fca36d8639b0ba78d8b3cfe1421626a33e6b4
SHA256 hash: 55f90d649fe9b7aa82fcb8afe28f7a19467c00c636da83328572484dc99b214a
MD5 hash: db626b2bb018dbc9cc45ac95225ada67
SHA1 hash: 09e7fcec8fb6b9afb6aeee1a8ab1cae452de6cbc
SHA256 hash: ae6e498c8c5441ea32f11e33f00a73446a429aa601c2eccefbc4c40561481a2c
MD5 hash: 0ceacf7dc64290934eff76d8c75a7d9c
SHA1 hash: db45b1842c6735d25f5104aff70db231bc0aad34
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest2
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest3
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest4
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest7
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:sfx_pdb
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Sample: Executable exe ae6e498c8c5441ea32f11e33f00a73446a429aa601c2eccefbc4c40561481a2c (this sample)
Delivery method: Distributed via web download
