MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd9523a1ca548fb43c47de22febb8739f34afcba2843d6577a18759110deecbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd9523a1ca548fb43c47de22febb8739f34afcba2843d6577a18759110deecbd
SHA3-384 hash: f07122231a31b08025b0093aa3a0379c9564986f0c0852d2c9c455e033e64dfb9d169c691519651e25943e6e136493ff
SHA1 hash: 784dc9365f00dc656a63cc328d6fd5992793d1bd
MD5 hash: e37a2fe7992506bd8942275786859703
humanhash: avocado-london-beryllium-bluebird
File name:e37a2fe7992506bd8942275786859703
Download: download sample
File size:4'484'743 bytes
First seen:2023-09-07 08:26:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d363d3b473a6c355539abd95921390d (4 x ValleyRAT, 3 x FatalRAT, 1 x YoungLotus)
ssdeep 49152:tyDQkeCmaxbwAgIubaJY7Qyo3r0K0BsBacA654JOh24Th3pCd4OnJm6gEwHHYwkt:tyDQkeSLhuba4o3r0fCjAhcgUma6tH
Threatray 65 similar samples on MalwareBazaar
TLSH T11B267D31B24AC42BDA6201B01A2C9BDF5528BF650FB554C7B3DC2E6E1BB45C21736E27
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d4ccd0f0f0c8d4d0
Reporter JAMESWT_WT
Tags:ConnectWise exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e37a2fe7992506bd8942275786859703
Verdict:
Malicious activity
Analysis date:
2023-09-07 08:37:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/de04ecb6-459b-4dd3-abb6-f9815cf0edc7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446922/
Detection(s):
SecuriteInfo.com.FileRepMalware.30961.1351.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Launching a process
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/bd9523a1ca548fb43c47de22febb8739f34afcba2843d6577a18759110deecbd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/740d9fe7-63a5-4ff8-84e1-d4d58426c657
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1305066
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1305066 Sample: Sk1Rr7s9tW.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 80 41 Antivirus detection for URL or domain 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 2 other signatures 2->47 6 msiexec.exe 96 46 2->6         started        10 Sk1Rr7s9tW.exe 43 2->10         started        13 Sens111754690.exe 2->13         started        process3 dnsIp4 23 C:\Windows\Installer\MSI5C65.tmp, PE32 6->23 dropped 25 C:\Windows\Installer\MSI5702.tmp, PE32 6->25 dropped 27 C:\Windows\Installer\MSI5694.tmp, PE32 6->27 dropped 35 8 other files (6 malicious) 6->35 dropped 49 Drops executables to the windows directory (C:\Windows) and starts them 6->49 15 MSI5C65.tmp 6->15         started        17 msiexec.exe 6->17         started        19 msiexec.exe 6->19         started        39 192.168.2.1 unknown unknown 10->39 29 C:\Users\user\AppData\Roaming\...\SensApi.dll, PE32 10->29 dropped 31 C:\Users\user\AppData\Roaming\...\SensApi.dll, PE32 10->31 dropped 33 C:\Users\user\AppData\...\Sens111754690.exe, PE32 10->33 dropped 37 4 other files (none is malicious) 10->37 dropped 21 msiexec.exe 2 10->21         started        file5 signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd9523a1ca548fb43c47de22febb8739f34afcba2843d6577a18759110deecbd/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-27 13:06:48 UTC
File Type:
PE (Exe)
Extracted files:
229
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xwkshiokksh3ipch3yrp5o4hhhzuv7f2fbb5mv32db2zceg65s6q._file
Verdict:
unknown
Similar samples:
5bcc5718b11d0e933930934805ea3f1dcb888dd19eb9dd75574ef425e704d799
a69e7a0ef0e1cbd6f95b5fbea1a9c297d49bac80bc158b0016b8381081015def
b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0
bd043af859a796897462ed7a5aadb1c4a145f67f01a00c49b45a4b80564da6bb
bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1
bf13eb2026e85f67cbe27ba0ba349a615776976ae8c47ae979335a7d556e04bc
c9094685ae4851fd5a5b886b73c7b07efd9b47ea0bdae3f823d035cf1b3b9e48
d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d
e6ca97018621d4cab0eca8eeda2a5df23b4b35ac544a6e39a19207b847874c59
+ 55 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230907-kceynaff6z/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
44d51cf6fd892054206ad1ac081ddae54f17e47847d3e5282aaa1739cdaf0281
MD5 hash:
50545a18a741daa696e4ddfed00141a0
SHA1 hash:
c5f1c2b8567c865e9edfe432ce4f76c2d68d2acf
Link:
https://www.unpac.me/results/e45a97d2-c7e2-4c38-b831-991eb969e525/
SH256 hash:
605b0e070e2cb5edb8000eba435824b9f876c1a496baf474c78499d0b9a425ac
MD5 hash:
91e139dd89c4ca0c1009d408a94f17f7
SHA1 hash:
2a6fe5e4d7b47f05373bb16d24a9c481f6809ed5
Link:
https://www.unpac.me/results/e45a97d2-c7e2-4c38-b831-991eb969e525/
SH256 hash:
bd9523a1ca548fb43c47de22febb8739f34afcba2843d6577a18759110deecbd
MD5 hash:
e37a2fe7992506bd8942275786859703
SHA1 hash:
784dc9365f00dc656a63cc328d6fd5992793d1bd
Link:
https://www.unpac.me/results/e45a97d2-c7e2-4c38-b831-991eb969e525/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd9523a1ca548fb43c47de22febb8739f34afcba2843d6577a18759110deecbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446922/

Comments