MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af04cc48b865042951d3dacef41c86ef7592dfd5dc1479e5cf95cf5cac08f4b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af04cc48b865042951d3dacef41c86ef7592dfd5dc1479e5cf95cf5cac08f4b3
SHA3-384 hash: 2379457e28eee9976dc654390b83a25e1aa79a7812576ea5f4d4cef47c4e2008aa3968c774b70cc104bcc9468bd80c04
SHA1 hash: c7c1c1093776051e6bcc9df6e82f20e0aa9792df
MD5 hash: 16c633a0dbc26c0b9ef72208078ba8ba
humanhash: three-blossom-river-colorado
File name:16c633a0dbc26c0b9ef72208078ba8ba
Download: download sample
File size:1'523'200 bytes
First seen:2022-01-08 11:24:48 UTC
Last seen:2022-01-08 12:44:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f6af73011d9ad7cbccf66eb190442910 (42 x RedLineStealer, 8 x RaccoonStealer, 1 x Smoke Loader)
ssdeep 24576:I5HMKeFE/1RMh0entGccbicJCVdxlCWkJj+KxlejxqBP/fxMVIhgmkEaHNYK3rkA:g10EtRCntA2prC1jvej8P/fxNh7Nad8y
Threatray 990 similar samples on MalwareBazaar
TLSH T11D65230204E3AC81CD09C3F381672ED49D4D0CD19B9EAA771F536B9376286B1E97F988
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
352
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
16c633a0dbc26c0b9ef72208078ba8ba
Verdict:
Suspicious activity
Analysis date:
2022-01-08 11:26:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/78016762-7659-4c5c-9eca-16f580c6e473

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217812/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% directory
DNS request
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/61d9749302e388f9fdb62873/reports/067dc667-4fa6-4ca7-a0b3-a5560b410824/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e24222c0-ccea-46aa-a086-9f36a5af50a8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/917129
Signature
Allocates memory in foreign processes
Contains functionality to prevent local Windows debugging
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af04cc48b865042951d3dacef41c86ef7592dfd5dc1479e5cf95cf5cac08f4b3/
Threat name:
Win32.Infostealer.Anagra
Create hunting rule
Status:
Malicious
First seen:
2022-01-05 06:29:12 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
07a5ff510108132737775fd77c67f40c3ed50b414ed5aaf9e633cab96fa99c98
2fa8fb2ee024e1a7c5a27fd07f4892b5e4c13c1d71624086ef3594a0644ceffb
5ed9c8e4709af1af34ea8d1e6d5177c3d164c62c7dece9adcdd3d9c1b402484f
6804e6d84da5db804a33138fc6d1f7e4009bb1e165cc9606862d4b3b0807042a
75f0e70be89891b680052a2eea7e6e3a8002d86c8e1d701f180faef14dac4b3b
7b127d520696b1e8ea633c47770a05b3c06e5215911a91241ecebe297b9ef395
96283ef1de41a1a5c4e7e0fa5ead383995198c25ae71d19d0a4138333ce88dfb
+ 980 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/220108-njajasddbp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
5fb6d78a005855a735c538d79004ccaf042622431fdba5047539f1a6e05f704e
MD5 hash:
a31b2af1ec483b292571ee5ae2a7f1e4
SHA1 hash:
38103d01af73ca2a94c571cd442704fd2bbeb6ec
Link:
https://www.unpac.me/results/aa76a65e-bd24-4260-977a-57d3d11b42ea/
SH256 hash:
1b7ba0d3624a832c680fbfb8abf11900ad37800caed87cc487ffe96d3ad524a0
MD5 hash:
18bf8e0f809eb38b8a5ef8f07849acc0
SHA1 hash:
a8e641b855dff8c404a1df0e04348d18d379e89d
Link:
https://www.unpac.me/results/aa76a65e-bd24-4260-977a-57d3d11b42ea/
SH256 hash:
af04cc48b865042951d3dacef41c86ef7592dfd5dc1479e5cf95cf5cac08f4b3
MD5 hash:
16c633a0dbc26c0b9ef72208078ba8ba
SHA1 hash:
c7c1c1093776051e6bcc9df6e82f20e0aa9792df
Link:
https://www.unpac.me/results/aa76a65e-bd24-4260-977a-57d3d11b42ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af04cc48b865042951d3dacef41c86ef7592dfd5dc1479e5cf95cf5cac08f4b3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe af04cc48b865042951d3dacef41c86ef7592dfd5dc1479e5cf95cf5cac08f4b3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217812/
  
URLhaus
https://urlhaus.abuse.ch/url/1957516/

Comments


Avatar
zbet commented on 2022-01-08 11:24:49 UTC

url : hxxp://squidgame.to/auf.exe