MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bde7edb2e9d5c117677faf4a11373c465e3e5d776348c6156987cafa153e0033. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bde7edb2e9d5c117677faf4a11373c465e3e5d776348c6156987cafa153e0033
SHA3-384 hash: d84a9c740595165ea79695ee1de7ea79ecb6db10af4180791bf38258910e5a23e1d2f3da958d335ee4fcdd8f877d1bc1
SHA1 hash: 86ff5b3bf9ef5572b01e809bafd8e1dbf376c53d
MD5 hash: 44acbaef03563e5feef87e57e5e2e12d
humanhash: violet-october-potato-single
File name:file
Download: download sample
File size:2'193'720 bytes
First seen:2023-03-07 17:50:37 UTC
Last seen:2023-03-07 19:27:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash aaa5676a9471619c6d9f60b74546b854
ssdeep 49152:C8ez9PrNIgqoiXXNIVtdat8gHdHoofY3sTCgFC0mEkhnkEME70z:+P+x8YF5c8u10Ehnk4Qz
TLSH T119A5337BC6481684DD378A396F0395F5852323E52E7A1BA410D6E3211707F6A33E78BB
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://covidguardeth.com/svcrun.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-07 17:53:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ad5778ae-5f5e-449c-9298-838e70f1019a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372411/
Detection(s):
SecuriteInfo.com.Win64.Trojan-gen.28897.19621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Launching a process
Creating a file
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/640779867f18ce9b018068d5/reports/042fd0cb-259e-41b5-a050-2644b0f931f1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/bde7edb2e9d5c117677faf4a11373c465e3e5d776348c6156987cafa153e0033
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c2316f76-eb0d-4b9e-9b6d-30ff02e3edcb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188818
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 12150 Sample: file.exe Startdate: 07/03/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for domain / URL 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 4 other signatures 2->51 7 file.exe 14 8 2->7         started        12 CARWD.exe 14 5 2->12         started        14 CARWD.exe 2->14         started        process3 dnsIp4 41 179.43.140.229, 49844, 49849, 49854 PLI-ASCH Panama 7->41 37 C:\ProgramData\Package\CARWD.exe, PE32+ 7->37 dropped 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->53 55 Sets debug register (to hijack the execution of another thread) 7->55 57 Adds a directory exclusion to Windows Defender 7->57 16 cmd.exe 1 7->16         started        19 powershell.exe 27 7->19         started        39 C:\Users\user\AppData\Local\...\CARWD.exe.log, CSV 12->39 dropped 59 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->59 21 cmd.exe 1 12->21         started        23 powershell.exe 12->23         started        file5 signatures6 process7 signatures8 43 Uses schtasks.exe or at.exe to add and modify task schedules 16->43 25 conhost.exe 16->25         started        27 schtasks.exe 1 16->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 schtasks.exe 1 21->33         started        35 conhost.exe 23->35         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bde7edb2e9d5c117677faf4a11373c465e3e5d776348c6156987cafa153e0033/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 18:11:13 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 25 (64.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xxt63mxj2xaroz37v5fbcnz4izpd4xlxmnemmfljq7fpufj6aazq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230307-we5smsbb35/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
.NET Reactor proctector
Checks computer location settings
Unpacked files
SH256 hash:
bde7edb2e9d5c117677faf4a11373c465e3e5d776348c6156987cafa153e0033
MD5 hash:
44acbaef03563e5feef87e57e5e2e12d
SHA1 hash:
86ff5b3bf9ef5572b01e809bafd8e1dbf376c53d
Link:
https://www.unpac.me/results/695be8e7-c727-4a05-9d77-fba4dfef0a05/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bde7edb2e9d5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bde7edb2e9d5c117677faf4a11373c465e3e5d776348c6156987cafa153e0033

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:win_xfilesstealer_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xfilesstealer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2550406/
Cape
Cape
https://www.capesandbox.com/analysis/372411/

Comments