MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdd4a86b2edf5a0394af6054aa0235be1e970d7ae21e4615c94f5167fdec7419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdd4a86b2edf5a0394af6054aa0235be1e970d7ae21e4615c94f5167fdec7419
SHA3-384 hash: 6a20fd02af407304eb3eb94b67cb3595f0b718225d44da36a50be82c4102dc7b62d52c4c1533408c127f52544a023f47
SHA1 hash: 249a7f2951a7f1164a0265a42f0dd60df24dc2f6
MD5 hash: f77b7e551d1b31ea4eadfd747ef74b48
humanhash: alanine-connecticut-fruit-social
File name:JITStarter.exe
Download: download sample
File size:3'838'428 bytes
First seen:2021-11-24 00:21:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 66ca40ddd484286266f124230bec8b21
ssdeep 98304:+Jwg48hJp9/wkOs71vXcwn8GzAYmLQQaCGk2uUglR:Zg48HVOWcw+YmLvXFOIR
Threatray 7'461 similar samples on MalwareBazaar
TLSH T14E0622D1EC66701DCDAAFA35148ECA3C90BDEC20C6C452A16F6E375F9DD6F9C9620086
File icon (PE):PE icon
dhash icon c2c09898d066e6f6
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JITStarter.exe
Verdict:
Malicious activity
Analysis date:
2021-11-21 01:28:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eabf8027-f45e-4fd7-b01d-f31b715c967e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching cmd.exe command interpreter
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed virus
Link:
https://www.filescan.io/uploads/619d85aeb71ceed4152db471/reports/d80abacd-9725-4308-a78b-7634d8858fc5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95e5e0ae-44fb-4044-bb51-09b3a52d6ba5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/895111
Signature
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 527589 Sample: JITStarter.exe Startdate: 24/11/2021 Architecture: WINDOWS Score: 84 72 Antivirus detection for URL or domain 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 Connects to a pastebin service (likely for C&C) 2->76 78 PE file contains section with special chars 2->78 8 JITStarter.exe 4 2->8         started        13 rundll32.exe 2->13         started        process3 dnsIp4 66 electronfilehosting.xyz 104.21.93.71, 443, 49788, 49825 CLOUDFLARENETUS United States 8->66 68 ryos.best 104.21.17.113, 443, 49778, 49860 CLOUDFLARENETUS United States 8->68 70 2 other IPs or domains 8->70 62 C:\Users\user\Desktop\dxwebsetup.exe, PE32 8->62 dropped 64 C:\Users\user\...64DP461-KB3102438-Web.exe, PE32 8->64 dropped 80 Query firmware table information (likely to detect VMs) 8->80 82 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->82 84 Performs DNS queries to domains with low reputation 8->84 86 2 other signatures 8->86 15 cmd.exe 1 8->15         started        17 WerFault.exe 23 9 8->17         started        20 cmd.exe 1 8->20         started        22 conhost.exe 8->22         started        file5 signatures6 process7 file8 24 NDP461-KB3102438-Web.exe 131 15->24         started        27 conhost.exe 15->27         started        38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->38 dropped 29 dxwebsetup.exe 1 7 20->29         started        31 conhost.exe 20->31         started        process9 file10 48 C:\...\sqmapi.dll, PE32 24->48 dropped 50 C:\...\SetupUtility.exe, PE32 24->50 dropped 52 C:\...\SetupUi.dll, PE32 24->52 dropped 60 26 other files (none is malicious) 24->60 dropped 33 Setup.exe 4 24->33         started        54 C:\Users\user\AppData\Local\...\dxwsetup.exe, PE32 29->54 dropped 56 C:\Users\user\AppData\Local\...\dsetup32.dll, PE32 29->56 dropped 58 C:\Users\user\AppData\Local\...\dsetup.dll, PE32 29->58 dropped 35 dxwsetup.exe 14 29->35         started        process11 file12 40 C:\Windows\Temp\OLD3752.tmp, PE32 35->40 dropped 42 C:\Windows\Temp\OLD34F0.tmp, PE32 35->42 dropped 44 C:\Windows\SysWOW64\...\dsetup32.dll (copy), PE32 35->44 dropped 46 3 other files (none is malicious) 35->46 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdd4a86b2edf5a0394af6054aa0235be1e970d7ae21e4615c94f5167fdec7419/
Threat name:
Win32.PUA.LoadMoney
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 23:38:06 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
26 of 45 (57.78%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
12505bb6e3c63202f22db1d60afd4a0a386ddff8807bf0d1f8583ba57f6413ba
198032ed08a5197c0b5ceefa0be69749d46a724b7d88915fe0762242692cb942
25c212b01aed427cbe5c5e0f06e5edd0188f881551347aa20804b3da88da2af2
28de63cf9d4273527e534ea9b07c5b9434960dd8ffc169323e6580c356568026
48f9b4bc2bf75c03449857ff0d6b47c35ab97ed8ba444890ccdd4128d9ae1027
b94115f5638021ccf653c3de4c947632560d95d967d64b7b84860e813a8f692a
bff3d8677d0c866b3fa47a2176ba05c9ae03cc215794896f2ef922a1aa037097
c0aef5e5917abe6276cc6ee7225cc9f47115d1f95e1a5ec861fb0f42a8d4af18
+ 7'451 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
agilenet discovery evasion persistence themida trojan
Link:
https://tria.ge/reports/211124-anxyhaege4/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
dcf6e315339e29ee97054109891c82059ce179397cd3eb06020b67334b1b83d4
MD5 hash:
69e8d910fd34df6adebbd3c13b118fb9
SHA1 hash:
fb3427cc000382769b41509e451098703e54d4c7
Link:
https://www.unpac.me/results/0f7c7a5b-ff39-4efb-8c00-f89886bb1dd4/
SH256 hash:
bdd4a86b2edf5a0394af6054aa0235be1e970d7ae21e4615c94f5167fdec7419
MD5 hash:
f77b7e551d1b31ea4eadfd747ef74b48
SHA1 hash:
249a7f2951a7f1164a0265a42f0dd60df24dc2f6
Link:
https://www.unpac.me/results/0f7c7a5b-ff39-4efb-8c00-f89886bb1dd4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bdd4a86b2edf5a0394af6054aa0235be1e970d7ae21e4615c94f5167fdec7419

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe bdd4a86b2edf5a0394af6054aa0235be1e970d7ae21e4615c94f5167fdec7419

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/208845/

Comments