MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9deeda7cd7adb4ff584d13ea64cdb50c9e8b5c616f1dff476f372e86c9b9be6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9deeda7cd7adb4ff584d13ea64cdb50c9e8b5c616f1dff476f372e86c9b9be6
SHA3-384 hash: 49bea7e48e8a4d457a5ce9f53a126237853fd524c20a6578888f06eb5b092f42ab95805203d75b593ff6833c458123c3
SHA1 hash: cfcf2e1b27df153e3811c9f838e8c4cd6c661bd9
MD5 hash: 1fd22400a2631e214740acb4a1e580f1
humanhash: low-zulu-north-muppet
File name:gzuvk.exe
Download: download sample
File size:27'754'184 bytes
First seen:2023-01-30 20:50:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d1de500e42d2702177623521d4e86120
ssdeep 786432:5tcon7Mjqtph1WbCdkfixUwmoZFSvyfRHdl1jPT3+ttVpi:5t7gjq3qbCdOAVDRRHdld+tZi
Threatray 4'059 similar samples on MalwareBazaar
TLSH T104573397C4E759ACEBCDF031DD07B8A29729DCB56190F86B11C6B078BBD7884231A784
TrID 36.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
23.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.0% (.EXE) Win32 Executable (generic) (4505/5/1)
4.6% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://ya.ru
Verdict:
Malicious activity
Analysis date:
2022-09-23 09:48:37 UTC
Tags:
loader
Link:
https://app.any.run/tasks/c88b4498-b9ed-47d8-ba1c-35121953a628

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Creating a file
Сreating synchronization primitives
Creating a window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/64129/overview
Behaviour
MalwareBazaar
GetTempPath
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay packed python shell32.dll swrort
Link:
https://www.filescan.io/uploads/63d82db8447edb203a021ac6/reports/9e3bf177-5e53-4450-87ab-0adfacdfea49/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Dark Utilities
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1161985
Signature
DLL side loading technique detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Uses TOR for connection hidding
Yara detected Dark Utilities
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win64.Trojan.DarkUtilities
Create hunting rule
Status:
Malicious
First seen:
2022-07-06 21:10:23 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhpo3j6nplnu75me2e7kmtg3kde6rnogc3y575dw6nzoq3e3tpta._file
Verdict:
unknown
Similar samples:
001f9d34e694a3d6e301a4e660f2d96bc5d6aa6898f34d441886c6f9160d9e48
348f79dc98ed91d11dea91d8295eac25cbd8a67daaa52ab0120708d2c7bde40c
3fe6c3edb6593444aaed9ae78a6164a3c98a10a32012d32c35ca4aa987db2c61
41104b0bca83d8661e6b5d4522777deaaf76d5242e9796150de0e11a1602286d
438a7ec2cc82a114b13aa6b44ae9b044597d1d0643ec1d138a39fe24628fe4df
6399814e06253b852792dccb2e02cd468233cf5ada2ed39e5f7202e8d24f8901
a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e677e003d3adf74f4e9ec
cf68ac02858c0053067b47b24338b564aeb92f25310765a2bad8928174285a62
db9a6efd5d64ba0ba1783c51b6d430873518fa032bf5265c6837c7674321e183
fde6da45bacb901c194e7443ed04aba47a388cb5ee4fb193f0e528e1abc4cabb
+ 4'049 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230130-zn9pqsed3x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/c9deeda7cd7adb4ff584d13ea64cdb50c9e8b5c616f1dff476f372e86c9b9be6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments