MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be6d8a6d979ab788d3eea3908878988623449c2b163ac3494bd9c046b7d31c23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 10

SHA256 hash: be6d8a6d979ab788d3eea3908878988623449c2b163ac3494bd9c046b7d31c23
SHA3-384 hash: 14c63f6f4389c18b5bd46ce3b1495b255e9c9a365874d492f1b9dbda9122a122503e8af9fd255bdaf98ee6fc69a74204
SHA1 hash: c32f149b2edcc77b94e163b902a6589c803982f5
MD5 hash: 76cc99344e1ca0657575ca705a3ca631
humanhash: apart-timing-lamp-freddie
File name: Activate__It__1234.exe
File size: 885'136 bytes
First seen: 2022-01-19 22:34:25 UTC
Last seen: 2022-01-19 23:04:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ea1d6accdddb91f67c2aa5adacfa9a44
ssdeep: 6144:HOzxP3Xbjh8o45Y+DBOxFDC9BsAeQt+LNiSP2Re8J2xiSP2Re8J2xiSP2Re8J2xw:HOzxPbFC5Y+DBnXisysk8k8k8ks
Threatray: 1'584 similar samples on MalwareBazaar
TLSH: T1FD15AE33B565ED33CC0702B2FF5E46679D86E8908B5D13F39BE4A61A50260E5C6B3A13
Reporter: iam_py_test
Tags: exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 158
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Open___Setup_3456.exe
Verdict: Malicious activity
Analysis date: 2022-01-19 20:27:11 UTC
Tags: trojan opendir loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Unauthorized injection to a recently created process
Creating a window
Reading critical registry keys
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Searching for analyzing tools
Searching for the window
Launching a process
Creating a file in the %AppData% subdirectories
Stealing user critical data
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd.exe gozi greyware mokes overlay packed zusy
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: ClipBanker
Detection: malicious
Classification: bank.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected ClipBanker
Behaviour
Behavior Graph (ID: 556403; sample: Activate__It__1234.exe; start date: 19/01/2022; architecture: WINDOWS; score: 100)
Sample-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 6 other signatures
Process tree:
  Activate__It__1234.exe
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Self deletion via cmd delete; 2 other signatures
    Activate__It__1234.exe (child process)
      network: xitzwq04.top 176.119.159.16 (ports 49747, 49748, 80; MTW-ASRU, Russian Federation); patkyj38.top 37.220.10.240 (ports 49746, 80; IOMART-ASGB, United Kingdom); 192.168.2.1 (unknown)
      dropped: C:\Users\user\AppData\Local\Temp\File1.exe (PE32+); C:\Users\user\AppData\Local\...\biamou[1].exe (PE32+)
      signatures: Self deletion via cmd delete; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      File1.exe
        dropped: C:\Users\user\AppData\...\IntelRapid.exe (PE32+)
        signatures: Antivirus detection for dropped file; Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; 2 other signatures
        IntelRapid.exe
          signatures: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
      cmd.exe
        conhost.exe
        timeout.exe
  IntelRapid.exe
    signatures: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
  IntelRapid.exe
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2022-01-19 21:48:00 UTC
File Type: PE (Exe)
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: 9f8dcab6d7c3c6abf7583a1b1185985bcafbc72072220c26913c845084fb5d32
MD5 hash: 6685d1841c9f85cc7d652dcc00b8ccc0
SHA1 hash: 5e5482d5bb95b57ea3e5827a79a61f3c91434f55
SHA256 hash: be6d8a6d979ab788d3eea3908878988623449c2b163ac3494bd9c046b7d31c23
MD5 hash: 76cc99344e1ca0657575ca705a3ca631
SHA1 hash: c32f149b2edcc77b94e163b902a6589c803982f5
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: WIN32_MALWR_DROPPER_INJECTOR_RANSOMWARE
Author: Jesper Mikkelsen
Description: Detects suspicious dropper injector - possible ransomware dropper
Reference: SHA-1:0feda1e7b0d4506270c85973826fa498e9ed0f5b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe be6d8a6d979ab788d3eea3908878988623449c2b163ac3494bd9c046b7d31c23 (this sample)
Delivery method: Distributed via web download

Comments

iam-py-test commented on 2022-01-19 23:10:56 UTC

Downloads https://bazaar.abuse.ch/sample/29080b370df6a00c28578de988c5429aa0fc412c0977aadb1a56d6ed40a7c439/