MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c26a178b9957a5f6b66b0da22dc1071f0635c7d31864cb1db45083ec9ed26310. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c26a178b9957a5f6b66b0da22dc1071f0635c7d31864cb1db45083ec9ed26310
SHA3-384 hash: 021a96914f8f2cf4edeb5941ebd864421aaba6bdcc56195f6fadc26f856f6e9f69a6bcb97ef0f99514b23aa64c49b080
SHA1 hash: 7873e1cff59ff2d322dc5018ff9e709d8579c5da
MD5 hash: a85d2cb948d3d346fb43334da2ab6341
humanhash: oven-massachusetts-mississippi-purple
File name:cleaner_protected.exe
Download: download sample
File size:5'707'776 bytes
First seen:2022-12-20 00:48:30 UTC
Last seen:2022-12-20 02:32:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 65a31057fef5fa88e0f06f7eaf9970ad
ssdeep 98304:kflcAEzG6LJJmcGi4H9b3KWeYUFGDQM5u5GDqptBYfMBqNcE/IJQ7RZi2eeW:8lcpzG6dJrf6pK/YUFGDQMI5TptBLB6M
Threatray 3'616 similar samples on MalwareBazaar
TLSH T13C4612FE6298735CC059CC709427FD85B1B6591E0AF996EEB1DFBAC02B4B410DA02F46
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter atomiczsec
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cleaner_protected.exe
Verdict:
Malicious activity
Analysis date:
2022-12-20 00:49:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e8084472-a966-4ff6-b2b3-d9f39f453963

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/348165/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64126287.346.29514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer packed
Link:
https://www.filescan.io/uploads/63a1067f387373744cae9e9a/reports/753f2d58-9fb3-448f-90e5-35667ebc4634/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/15a64c01-c85c-4059-a674-d7d1b16b1e06
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1137628
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Detected VMProtect packer
Disables security and backup related services
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive system registry key value via command line tool
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 770358 Sample: cleaner_protected.exe Startdate: 20/12/2022 Architecture: WINDOWS Score: 96 45 www.google.com 2->45 47 discord.com 2->47 49 cdn.discordapp.com 2->49 61 Antivirus / Scanner detection for submitted sample 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Detected VMProtect packer 2->65 67 2 other signatures 2->67 9 cleaner_protected.exe 1 2->9         started        signatures3 process4 signatures5 69 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->69 71 May disable shadow drive data (uses vssadmin) 9->71 73 Uses cmd line tools excessively to alter registry or file data 9->73 75 3 other signatures 9->75 12 cmd.exe 1 9->12         started        15 cmd.exe 9->15         started        17 cmd.exe 9->17         started        19 44 other processes 9->19 process6 signatures7 77 May disable shadow drive data (uses vssadmin) 12->77 79 Uses cmd line tools excessively to alter registry or file data 12->79 81 Deletes shadow drive data (may be related to ransomware) 12->81 85 2 other signatures 12->85 21 taskkill.exe 1 12->21         started        23 vssadmin.exe 15->23         started        83 Queries sensitive system registry key value via command line tool 17->83 25 reg.exe 17->25         started        27 chrome.exe 17 1 19->27         started        30 net.exe 19->30         started        32 powershell.exe 38 19->32         started        34 38 other processes 19->34 process8 dnsIp9 57 192.168.2.1 unknown unknown 27->57 59 239.255.255.250 unknown Reserved 27->59 36 chrome.exe 27->36         started        39 chrome.exe 27->39         started        41 chrome.exe 1 6 27->41         started        43 net1.exe 30->43         started        process10 dnsIp11 51 www.google.com 142.250.203.100, 443, 49706, 49807 GOOGLEUS United States 36->51 53 clients.l.google.com 142.250.203.110, 443, 49697 GOOGLEUS United States 36->53 55 6 other IPs or domains 36->55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c26a178b9957a5f6b66b0da22dc1071f0635c7d31864cb1db45083ec9ed26310/
Threat name:
Win64.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2022-12-05 23:22:08 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yjvbpc4zk6s7nntlbwrc3qihd4ddlr6tdbsmwhnukcb6zhwsmmia._file
Verdict:
malicious
Similar samples:
14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
1f4c351f59d50d3baf25046a553765d88e237b18f390a577dbb00fe127126626
28fb5919e3a1fc15519abf1b5b9307dfadb14d8f6d3a983572aaed61583ceb9b
2e085282467ab80f8064d2557f4afea9a82ba68e52ccd6f6f4c75e0f81dd0b30
3758900465a0bbb5ce4eab1a5c981a7c35b8334427f606ab722223e2b2dacc73
59b298046b7092f498220a974fd2bc753ea6d926dfc6eaa70394d9096c2a7900
89bc05a18db73de6b19390bc0ef32711e4e357ebb89a9aa915c5d2d15da3a33c
ca6c462b90f5554feb1b4be69588178a0130d40d5126968ba2e1df73bce6abf8
+ 3'606 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence ransomware spyware stealer vmprotect
Link:
https://tria.ge/reports/221220-a6cehsgd96/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Gathers network information
Interacts with shadow copies
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Modifies Windows Firewall
VMProtect packed file
Deletes shadow copies
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eca6e015-9cf4-4a9d-8b3d-08c7d6dc7d1e
Unpacked files
SH256 hash:
c26a178b9957a5f6b66b0da22dc1071f0635c7d31864cb1db45083ec9ed26310
MD5 hash:
a85d2cb948d3d346fb43334da2ab6341
SHA1 hash:
7873e1cff59ff2d322dc5018ff9e709d8579c5da
Link:
https://www.unpac.me/results/b5a438b7-3def-447f-9a36-46d45b8af83e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c26a178b9957/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c26a178b9957a5f6b66b0da22dc1071f0635c7d31864cb1db45083ec9ed26310

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c26a178b9957a5f6b66b0da22dc1071f0635c7d31864cb1db45083ec9ed26310

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/348165/

Comments