MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2a324897aebabb250e405cf19388be6979b40615b16b7b7d816c44ca90ec3fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2a324897aebabb250e405cf19388be6979b40615b16b7b7d816c44ca90ec3fe
SHA3-384 hash: 76d9b7cdd732ae0f6d4fa989762a1ce64fe777bf5343f9764374b816455b1f40032a06ac09742ef6c79d8576bf61be8f
SHA1 hash: a4086cbafcd9331a845546709caf3766666ce3c2
MD5 hash: fc085ba8f7310476a6f94d6e346067df
humanhash: don-delta-hydrogen-tennis
File name:fc085ba8f7310476a6f94d6e346067df
Download: download sample
File size:1'959'675 bytes
First seen:2022-03-02 19:31:32 UTC
Last seen:2022-03-02 21:58:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:jFL23n5BfJXAENzLWeyEcgh7Eize4xbY0fB3rnfrWsUo/4O1YbuTbIYV+TtU7dy:F0BfJXAEh8Ecgmce4WOj7bPU
Threatray 1'353 similar samples on MalwareBazaar
TLSH T14295BC017FB1446BC91E36B28802DF923CBD2D98EC1CAD46F26A151BD77E3616C2AD53
File icon (PE):PE icon
dhash icon b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup_x32_x64.exe
Verdict:
Malicious activity
Analysis date:
2022-03-02 12:05:46 UTC
Tags:
evasion trojan rat redline socelars stealer loader opendir vidar
Link:
https://app.any.run/tasks/38f05e34-d3da-4023-90aa-d505342eca5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246488/
Detection(s):
SecuriteInfo.com.W32.BrowserAssistant.B7.29606.12533.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7914/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/621fc6360cd58dbd9264e190/reports/547e7e01-b302-4c4f-91b0-fe0d8c2d6ec3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/99342ee0-227b-4571-842c-bae63d8a0504
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/949491
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Shell32 DLL Execution in Suspicious Directory
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 581978 Sample: zRYu9RkU6z Startdate: 02/03/2022 Architecture: WINDOWS Score: 56 23 store-images.s-microsoft.com 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Sigma detected: Suspicious Call by Ordinal 2->27 29 Sigma detected: Shell32 DLL Execution in Suspicious Directory 2->29 10 zRYu9RkU6z.exe 3 8 2->10         started        signatures3 process4 file5 21 C:\Users\user\AppData\Local\Temp\xwQ29o.cpl, PE32 10->21 dropped 13 control.exe 1 10->13         started        process6 process7 15 rundll32.exe 13->15         started        process8 17 rundll32.exe 15->17         started        process9 19 rundll32.exe 17->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2a324897aebabb250e405cf19388be6979b40615b16b7b7d816c44ca90ec3fe/
Threat name:
Win32.Trojan.Qshell
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 17:46:00 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
160bb1d1ffcdea76c664adfeed64f6fe3e16285baf9c4336ebb0caeddfcfd931
62173847065d1aa1b93254e623844a1f223a4df4a06499f21b64fe82389fb327
a3845d760f3394981f0e9b2330c279db0534befaaa17c67ded9b3dbd7b9e608f
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3
bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1
d15e506977055556f490656e5abddb4c774ed22f58d7fa6ec6523e0148911408
df59ccb9d70f7f61dc2c65faa61446278fb402b64401f2f3cfe8bbad72f70610
f5d0792248cb4a496cb1d59f94aa291e734b250760018e533290c9aa573276c0
+ 1'343 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220302-x8yrvshfgj/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
b2a324897aebabb250e405cf19388be6979b40615b16b7b7d816c44ca90ec3fe
MD5 hash:
fc085ba8f7310476a6f94d6e346067df
SHA1 hash:
a4086cbafcd9331a845546709caf3766666ce3c2
Link:
https://www.unpac.me/results/e37ffa23-7548-40d5-a197-c1bc379d5f2d/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b2a324897aeb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2a324897aebabb250e405cf19388be6979b40615b16b7b7d816c44ca90ec3fe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b2a324897aebabb250e405cf19388be6979b40615b16b7b7d816c44ca90ec3fe

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2071264/
Cape
Cape
https://www.capesandbox.com/analysis/246488/

Comments


Avatar
zbet commented on 2022-03-02 19:31:34 UTC

url : hxxp://duoproc.net/2/data64_6.exe