MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6ecdbe4c6170d3ec9b20e20717ba27169b9e409c9b49690f0e09986651c744f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6ecdbe4c6170d3ec9b20e20717ba27169b9e409c9b49690f0e09986651c744f
SHA3-384 hash: dede0c7f1242ff1237e06117e4f491af343822c104429e9f37435575d4920884ee816eb741d8155b0f4815c01968fe98
SHA1 hash: eead6aa05c2162297bd659552a2b36c9d4049c9c
MD5 hash: 246287d32b60e2b7bb61049101ea6679
humanhash: winter-mirror-fish-fourteen
File name:6469919403.exe
Download: download sample
File size:2'713'088 bytes
First seen:2023-10-31 17:20:18 UTC
Last seen:2025-06-02 11:53:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 86017bc19d1fbf8fe17849ce343a3f2e
ssdeep 49152:cfvsoieEhVbQVSOlX0ZjyqZrV/O3mdrqADkXfOc0:ccowVbQcOlBVWdrG
Threatray 51 similar samples on MalwareBazaar
TLSH T1E7C50262F390153BE17716389C0F8359AC39BE502A34A98B2FE52D0C5F797C27D29297
TrID 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
25.9% (.SCR) Windows screen saver (13097/50/3)
20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon d4c0c4c4c4c4d4c4 (1 x Nitol)
Reporter adm1n_usa32
Tags:exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
355
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Hunlipaos.exe
Verdict:
Malicious activity
Analysis date:
2023-10-31 17:14:19 UTC
Tags:
loader onlylogger autoit
Link:
https://app.any.run/tasks/989e21cf-5420-4d8d-ae4f-dc271000200e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457428/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Searching for the window
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin packed
Link:
https://www.filescan.io/uploads/6541377f7462628255568f72/reports/7097a44b-3881-417e-b303-c92fe148f7ed/overview
Verdict:
Malicious
Labled as:
TrojanDropper.Delf
Link:
https://www.hybrid-analysis.com/sample/c6ecdbe4c6170d3ec9b20e20717ba27169b9e409c9b49690f0e09986651c744f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/eb4c4864-0732-44a1-bb3a-8ade39ffc136
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1335016
Signature
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335016 Sample: 6469919403.exe Startdate: 31/10/2023 Architecture: WINDOWS Score: 68 37 oOwCFpIJoHhscMIwxDNjMZHofWRKt.oOwCFpIJoHhscMIwxDNjMZHofWRKt 2->37 39 hackermania.org 2->39 9 6469919403.exe 3 2->9         started        process3 file4 35 C:\Users\user\AppData\Local\Temp\...\Weapons, PE32+ 9->35 dropped 12 cmd.exe 1 9->12         started        15 conhost.exe 9->15         started        process5 signatures6 53 Uses ping.exe to sleep 12->53 55 Drops PE files with a suspicious file extension 12->55 57 Uses ping.exe to check the status of other devices and networks 12->57 17 cmd.exe 1 12->17         started        process7 signatures8 43 Uses ping.exe to sleep 17->43 20 Imports.pif 17->20         started        23 cmd.exe 2 17->23         started        26 cmd.exe 2 17->26         started        28 6 other processes 17->28 process9 file10 45 Found API chain indicative of debugger detection 20->45 47 Modifies the context of a thread in another process (thread injection) 20->47 49 Contains functionality to modify clipboard data 20->49 51 Injects a PE file into a foreign processes 20->51 30 Imports.pif 20->30         started        33 C:\Users\user\AppData\Local\...\Imports.pif, PE32+ 23->33 dropped signatures11 process12 dnsIp13 41 hackermania.org 172.67.141.15, 443, 49738, 49739 CLOUDFLARENETUS United States 30->41
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c6ecdbe4c6170d3ec9b20e20717ba27169b9e409c9b49690f0e09986651c744f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6ecdbe4c6170d3ec9b20e20717ba27169b9e409c9b49690f0e09986651c744f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-31 17:21:04 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
14 of 24 (58.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3wnxzggc4gt5snsbyqhc65cofu3tzajzg2jnehq4cmymzi4orhq._file
Verdict:
malicious
Similar samples:
3e841431aaa53eb3cfa6f167b3a46bca0eb16d22e6fd1d06944414b78cc512d8
3f92929879f642470b73488aa719ae8c044a302969d14e70ea1ec2a1fda59bd3
57bd1d7a3ce9a10797575f75af56a675b3739ab5901e383a7870b17fa328ecb4
5dcea548692418c3f47e0f0b2f05991720e870c2c65170c603f6e8dbcc11dd23
9f7b7f84298ff1ca0a0bdd87fc2d6ea25b89cea705ea37c61c95df03b7791348
ac5df971e605c439d1851391f51ae799b24823c47aea5c0ac177f00e5d4cc1f2
ade3cb4d8d6dc56650eb1b32afb7cf7797c52d262a686db30aca473754b7029d
f18e085889d9d7324c57ecb800563ba2e808c0ef8ad52b7b1f1f3afa169bf836
+ 41 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/231031-vwzsaadf72/
Behaviour
Enumerates processes with tasklist
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
c6ecdbe4c6170d3ec9b20e20717ba27169b9e409c9b49690f0e09986651c744f
MD5 hash:
246287d32b60e2b7bb61049101ea6679
SHA1 hash:
eead6aa05c2162297bd659552a2b36c9d4049c9c
Link:
https://www.unpac.me/results/095fde06-9a95-4417-a461-ee633f36e734/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6ecdbe4c6170d3ec9b20e20717ba27169b9e409c9b49690f0e09986651c744f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

OnlyLogger

Executable exe 0796818dc3510e88a966f0aaacd201ba162c46e0bc0f7c670ffbd43df485f5a7

Executable exe c6ecdbe4c6170d3ec9b20e20717ba27169b9e409c9b49690f0e09986651c744f

(this sample)

anyrun
any.run
https://app.any.run/tasks/a9f62caf-ef25-4d79-95b8-c6144cb33f55
  
Dropped by
SHA256 0796818dc3510e88a966f0aaacd201ba162c46e0bc0f7c670ffbd43df485f5a7
Cape
Cape
https://www.capesandbox.com/analysis/457428/
  
Dropped by
MD5 51162ded57e5aeda4eb0bbe6ed5d52f0

Comments


Avatar
Adm1n 32 USA commented on 2023-10-31 17:20:42 UTC

seems to be an AV killer of some sort