MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6ee55a608c075f6276f52be9c3af5ba04b376c31b0f965461eb12ec9370a847. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6ee55a608c075f6276f52be9c3af5ba04b376c31b0f965461eb12ec9370a847
SHA3-384 hash: bdd8ba2d311e3efe0d89a360c0514febc61105dfa80687a229cf752da6ee0c5f6e0ccd484da8f98286ff73e2e8a28210
SHA1 hash: 04fa5374fa7b5482a99d7e24cee95e1b16d2686d
MD5 hash: 3f92034b2251b28c955e94ef688d35bb
humanhash: timing-fourteen-steak-leopard
File name:INQUIRY.exe
Download: download sample
File size:1'216'273 bytes
First seen:2022-10-09 04:22:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:0AOcZ2i7aEkXtul6Q9IOWcKB+l3Lfy+88hQZUcztVqEu91Hekbgb:iftulB6OWSl3DyR4QiWfqEsHekM
Threatray 1'974 similar samples on MalwareBazaar
TLSH T124451212BBD684B2D07329302839E7297D7D78201F25D61FA7E04D2DEEB5580A225FB7
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0d8ec9898f0d8aa (9 x Formbook, 6 x NanoCore, 3 x Vjw0rm)
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317980/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42069/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware nanocore overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63424ca7491b0c7e71c7dd98/reports/ffb4c2ed-9ee3-496a-adbe-c9d95f25230b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce29f80d-dcb0-4346-b9d1-c8b47fb89209
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1086414
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 718971 Sample: INQUIRY.exe Startdate: 09/10/2022 Architecture: WINDOWS Score: 56 17 Multi AV Scanner detection for submitted file 2->17 7 INQUIRY.exe 3 36 2->7         started        process3 file4 15 C:\Users\user\AppData\Local\...\dldchow.exe, PE32 7->15 dropped 10 wscript.exe 1 7->10         started        process5 process6 12 dldchow.exe 10->12         started        signatures7 19 Multi AV Scanner detection for dropped file 12->19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6ee55a608c075f6276f52be9c3af5ba04b376c31b0f965461eb12ec9370a847/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-05 09:15:47 UTC
File Type:
PE (Exe)
Extracted files:
77
AV detection:
21 of 42 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3xfljqiyb27mj3pkk7jyoxvxiclg5wddmhzmvdb5mjoze3qvbdq._file
Verdict:
unknown
Similar samples:
3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89
41344e5c95b80aaec71e1399c38731319a4151c0408f5709c2f973b430418a50
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901
83327640b003bbdb759074d1e9925381bcb661a35b531b3d9832435ae80298ac
9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3
a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103
b1f692dd52aae8317db7cfd262a4bcc053cf721fc7a00bf66f4acc7cb5cc6cbc
d32f28ba0890002ca897903a45f7d3b939abecd09de1128e3b5134cf57ab4960
+ 1'964 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221009-ezsv5sgce8/
Behaviour
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f9678e51-f6fd-4828-83c8-90bfd0be70fe
Unpacked files
SH256 hash:
0f87ffc5a00fb2fce56cad1a10c00b1737307470289dadb044a69881556c8a27
MD5 hash:
7b7113bb2d2d3dc7fef37d17805d50ee
SHA1 hash:
c07e844eb1ef764975afb376bb62b10d51168f73
Link:
https://www.unpac.me/results/a2237a29-ff51-42ac-a621-302e8c344b98/
SH256 hash:
b6ee55a608c075f6276f52be9c3af5ba04b376c31b0f965461eb12ec9370a847
MD5 hash:
3f92034b2251b28c955e94ef688d35bb
SHA1 hash:
04fa5374fa7b5482a99d7e24cee95e1b16d2686d
Link:
https://www.unpac.me/results/a2237a29-ff51-42ac-a621-302e8c344b98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6ee55a608c075f6276f52be9c3af5ba04b376c31b0f965461eb12ec9370a847

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe b6ee55a608c075f6276f52be9c3af5ba04b376c31b0f965461eb12ec9370a847

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/317980/

Comments