MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae74fa3656db93c35b26ed229568607bb9c20684818ad072b95aefb585c63a08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae74fa3656db93c35b26ed229568607bb9c20684818ad072b95aefb585c63a08
SHA3-384 hash: 5d36eb17513795ae15712af401ef9ed81ac0da86e1d1c1b9647adc672559a69a1755cabad83b12763e8e1e2c8465c463
SHA1 hash: 6cfa97a993cb27a64be835783d7871ff757d8d2b
MD5 hash: 6ca76d8eaf1ec1e760ac41c0b1386d07
humanhash: snake-glucose-friend-six
File name:6ca76d8eaf1ec1e760ac41c0b1386d07
Download: download sample
File size:8'870'912 bytes
First seen:2021-07-13 07:50:00 UTC
Last seen:2021-07-13 08:50:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8be87a87d7d2cb82ba86b065b2960678
ssdeep 98304:J92LYNVNUSJgVqaBuwaC2wyWq1SU6xjYwBOEGSWzVNlIFDAF:JfNVaCfCkWljrnWWY
Threatray 2'388 similar samples on MalwareBazaar
TLSH T1B396CFA12737438EE179083D9013DC32A73033909568AFA2966C76795D53E8B3763BED
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6ca76d8eaf1ec1e760ac41c0b1386d07
Verdict:
Malicious activity
Analysis date:
2021-07-13 07:52:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7e5c2e6d-5927-4485-968c-aed8fc9c9617

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171275/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.29042.12440.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d67a6b1b-d2e1-488c-8e21-8131a393678c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/815372
Signature
Binary is likely a compiled AutoIt script file
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potential time zone aware malware
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses Windows timers to delay execution
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447783 Sample: yb8gM8kviV Startdate: 13/07/2021 Architecture: WINDOWS Score: 88 26 Multi AV Scanner detection for submitted file 2->26 28 Binary is likely a compiled AutoIt script file 2->28 30 Machine Learning detection for sample 2->30 32 2 other signatures 2->32 7 yb8gM8kviV.exe 1 2->7         started        10 keymgr.exe 2->10         started        12 keymgr.exe 2->12         started        14 2 other processes 2->14 process3 signatures4 34 Query firmware table information (likely to detect VMs) 7->34 36 Uses Windows timers to delay execution 7->36 38 Hides threads from debuggers 7->38 40 Potential time zone aware malware 7->40 16 cmd.exe 1 7->16         started        42 Tries to detect sandboxes and other dynamic analysis tools (window names) 10->42 44 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->44 process5 process6 18 conhost.exe 16->18         started        20 icacls.exe 1 16->20         started        22 icacls.exe 1 16->22         started        24 icacls.exe 1 16->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae74fa3656db93c35b26ed229568607bb9c20684818ad072b95aefb585c63a08/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 07:50:19 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
14c9d0fb3da03dbd8095865240e1b3456a78ab740b1b46526573992b48eed0cf
196de41048232f60a7d93e73e7dd03bd524a79217c3408b98e69b855c7f83504
34b09f16fa6e9789bda97d9bd512ac7f49e235982db9d65109a4078ab3567bcf
3ce688f6b00b57a37f3ffa4c5410cc02ed5fa05eab37304d44e2d8399aa8b8e2
54fca1375e62c5978b78593ea50a5ac198da69c3e033c94371cbb81dc5a9d5be
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
b0bc5a3dae0127da8f7743df8dc4014e9ba08c5a29928448aed8764242050da2
f1aae79787fff8edd5f6769ebecf43eb5a94d392cb3723810a66dd9868ec2925
fb8a2b78f0d3139d8192dbeb925e8e8d13bf370540f2c7853107a8e4b3beac38
+ 2'378 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion themida trojan
Link:
https://tria.ge/reports/210713-5hdh543b1e/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Modifies file permissions
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
ae74fa3656db93c35b26ed229568607bb9c20684818ad072b95aefb585c63a08
MD5 hash:
6ca76d8eaf1ec1e760ac41c0b1386d07
SHA1 hash:
6cfa97a993cb27a64be835783d7871ff757d8d2b
Link:
https://www.unpac.me/results/11c0e50c-78fe-4c36-8627-e4379f398aa8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/ae74fa3656db93c35b26ed229568607bb9c20684818ad072b95aefb585c63a08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ae74fa3656db93c35b26ed229568607bb9c20684818ad072b95aefb585c63a08

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171275/
  
URLhaus
https://urlhaus.abuse.ch/url/1449820/

Comments


Avatar
zbet commented on 2021-07-13 07:50:01 UTC

url : hxxp://i55fundraising.com/setup_c.exe