MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6da1f4b8808d1e1eb5c6e9fd77eaa58a8efaad424362247495b39269e7e6c4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6da1f4b8808d1e1eb5c6e9fd77eaa58a8efaad424362247495b39269e7e6c4a
SHA3-384 hash: 30c3c3ba1523ba3d4bf291c999bfdb85e3d82b836f6ff6575b838605141235b1b2b9478407825e0bc3979dc8e759ac26
SHA1 hash: 2321470e2003a1828bf2881007a5eb57c90cc4dc
MD5 hash: d6789e957473e48dc6cab4e5cd516dac
humanhash: mexico-butter-foxtrot-snake
File name:file
Download: download sample
File size:7'609'737 bytes
First seen:2022-10-11 15:02:20 UTC
Last seen:2022-10-11 15:14:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3786a4cf8bfee8b4821db03449141df4 (2'102 x Adware.Neoreklami, 2 x RedLineStealer, 2 x Adware.MultiPlug)
ssdeep 196608:91OKBoeDZqdS7/q7On00bv/C/pQWT1IFUBtB6:3Owoesf6nrj/2pUFkq
Threatray 444 similar samples on MalwareBazaar
TLSH T11E763322B4C0C4FAC6B69576A9A0FFC810E5D48B4BD3807367C54A49B9BB824C97D74F
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from http://194.58.108.112/setup.exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318998/
Detection(s):
SecuriteInfo.com.Program.Unwanted.2823.171.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Modifying a system file
Launching a process
Launching cmd.exe command interpreter
Creating a process with a hidden window
Forced system process termination
Creating a file
Creating a file in the system32 subdirectories
Launching a service
Sending a UDP request
Replacing files
Deleting a recently created file
Running batch commands
Blocking the Windows Defender launch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/634585a6f2794c622d289476/reports/d9a7a807-36c2-4266-8270-51e7906f7476/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be44d8c0-0a36-419a-aae7-6fff4865437b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1088096
Signature
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720687 Sample: file.exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 96 99 Antivirus detection for dropped file 2->99 101 Multi AV Scanner detection for dropped file 2->101 103 Multi AV Scanner detection for submitted file 2->103 105 3 other signatures 2->105 10 file.exe 7 2->10         started        13 moBrwlJ.exe 1 8 2->13         started        16 powershell.exe 12 2->16         started        18 gpscript.exe 2->18         started        process3 file4 87 C:\Users\user\AppData\Local\...\Install.exe, PE32 10->87 dropped 20 Install.exe 4 10->20         started        89 C:\Windows\Temp\...\sczFCZC.exe, PE32 13->89 dropped 113 Antivirus detection for dropped file 13->113 115 Multi AV Scanner detection for dropped file 13->115 117 Very long command line found 13->117 119 Uses cmd line tools excessively to alter registry or file data 13->119 24 powershell.exe 9 13->24         started        26 Conhost.exe 13->26         started        28 gpupdate.exe 1 16->28         started        30 conhost.exe 16->30         started        signatures5 process6 file7 85 C:\Users\user\AppData\Local\...\Install.exe, PE32 20->85 dropped 107 Multi AV Scanner detection for dropped file 20->107 32 Install.exe 10 20->32         started        109 Uses cmd line tools excessively to alter registry or file data 24->109 36 cmd.exe 24->36         started        38 conhost.exe 24->38         started        40 reg.exe 24->40         started        44 9 other processes 24->44 42 conhost.exe 28->42         started        signatures8 process9 file10 81 C:\Users\user\AppData\Local\...\moBrwlJ.exe, PE32 32->81 dropped 83 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 32->83 dropped 91 Antivirus detection for dropped file 32->91 93 Multi AV Scanner detection for dropped file 32->93 95 Uses cmd line tools excessively to alter registry or file data 32->95 97 2 other signatures 32->97 46 forfiles.exe 1 32->46         started        48 forfiles.exe 1 32->48         started        50 schtasks.exe 2 32->50         started        54 3 other processes 32->54 52 reg.exe 36->52         started        signatures11 process12 process13 56 cmd.exe 1 46->56         started        59 conhost.exe 46->59         started        61 cmd.exe 1 48->61         started        63 conhost.exe 48->63         started        65 conhost.exe 50->65         started        67 conhost.exe 54->67         started        69 conhost.exe 54->69         started        71 conhost.exe 54->71         started        signatures14 111 Uses cmd line tools excessively to alter registry or file data 56->111 73 reg.exe 1 1 56->73         started        75 reg.exe 1 56->75         started        77 reg.exe 1 1 61->77         started        79 reg.exe 1 61->79         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6da1f4b8808d1e1eb5c6e9fd77eaa58a8efaad424362247495b39269e7e6c4a/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 15:03:21 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3nb6s4ibdi6d224n2p5o7vklcuo7kwueq3cer2jlm4snht6nrfa._file
Verdict:
malicious
Similar samples:
0321e96f1546b8e781e765d342e220fbe3cc3780de1b19ff67be9b851a04fe0f
18b8de802c7d2accddc4769d5aac4686cec0ea84806b9eb9dd2dac84557b0895
43e651d7c2434dfa8743981cac3b5a3b3f65aaf32f39bedfb8b0b5c7d1fa2414
4a1ee6bf9a229bedcc3b53392436122a9350fa0f9fde4aa3d103c496eea8d75b
541c733595b3282b051a43d17ef5a5bb889f3ffa53a360917fc0a8913db3b651
91c4abd856a7f0709e8b14ce66db2455017f338d32a713846d6a226ec73a6e0e
93da010fb0150e7aefe2e21a722b1616a9b106232b09c44b3bfabdce041b836e
a4f9b4813088e9e95a3fcf3afb1ab97a251463dcbec3f0be74c952417282bec9
b84e4b51dfed1b4d050e80a2d214e291455691876eb4bd5de075aa4b22052b23
db2ba25a701e2d01d821a3a3b495d7a5e16ad2943a69d18cffa9da0350c58c52
+ 434 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/221011-se1bdabbek/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/099b0934-234e-4168-b5a5-993e4864c4a1
Unpacked files
SH256 hash:
c5a271aa1e37518cba9a2e9650661eb18a3ec048e0c5636bbddb0ad975f67cc4
MD5 hash:
f55a95591a6f0a2fbfa30c7100d3b930
SHA1 hash:
6aad5ea15ed234927423573822ee72521a0b1d14
Link:
https://www.unpac.me/results/45210131-4a39-4455-b146-1776a6d238e3/
SH256 hash:
b6da1f4b8808d1e1eb5c6e9fd77eaa58a8efaad424362247495b39269e7e6c4a
MD5 hash:
d6789e957473e48dc6cab4e5cd516dac
SHA1 hash:
2321470e2003a1828bf2881007a5eb57c90cc4dc
Link:
https://www.unpac.me/results/45210131-4a39-4455-b146-1776a6d238e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/b6da1f4b8808d1e1eb5c6e9fd77eaa58a8efaad424362247495b39269e7e6c4a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/318998/

Comments