MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caaea7ec83956a823420a78dec430fddb5db65d9fa4bc6555659b9b0c05c817a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caaea7ec83956a823420a78dec430fddb5db65d9fa4bc6555659b9b0c05c817a
SHA3-384 hash: 65d92491aea5e2599edbd8cf48e494fc07005c2ebf71a14382f0375ae29e89f149bd206d30b172de19d431fbe7f053d8
SHA1 hash: ed7779094d6dce79be2252807e28c59aec8590b3
MD5 hash: 0993776328ea1684833f09868032549c
humanhash: speaker-fifteen-virginia-idaho
File name:1c220cdc.dat
Download: download sample
File size:112'640 bytes
First seen:2023-01-23 19:56:45 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 504e07031691ec0854e7084c0a3240a7
ssdeep 3072:0LJ0tYRDh8zCTFGMCcKh0ff87FhtHW43tNncyIEyNlO:0LGtkl8zCTFGM1QA07btHW4TcjTvO
TLSH T1D0B302B8F5AA11BBCC6022708EC6B757634B150913110DD711FBADB4BE8B3FAAD78510
TrID 54.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
8.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.8% (.EXE) Win32 Executable (generic) (4505/5/1)
3.5% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter malware_traffic
Tags:dll TA505


Avatar
malware_traffic
Run method: rundll32.exe [filename],#2

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356099/
Detection(s):
Win.Packed.Lazy-9983625-0
Create hunting rule

Win.Packed.Lazy-9983626-0
Create hunting rule

Win.Packed.Lazy-9983627-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
stealer
Link:
https://www.filescan.io/uploads/63cee6912b351a3d0ea7fa41/reports/a7bb9547-d58a-40f4-834f-6cbbf9115360/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0a634036-148c-4ae0-a92c-5ea0ee777b43
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1157350
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Execute DLL with spoofed extension
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790089 Sample: 1c220cdc.dat.dll Startdate: 23/01/2023 Architecture: WINDOWS Score: 84 82 Multi AV Scanner detection for domain / URL 2->82 84 Antivirus detection for URL or domain 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 Sigma detected: Execute DLL with spoofed extension 2->88 8 loaddll32.exe 3 2->8         started        12 explorer.exe 2->12         started        14 explorer.exe 2->14         started        16 2 other processes 2->16 process3 file4 74 C:\Users\user\AppData\Local\...\FC08.tmp.bat, ASCII 8->74 dropped 98 Self deletion via cmd or bat file 8->98 18 cmd.exe 1 8->18         started        20 regsvr32.exe 2 8->20         started        24 rundll32.exe 2 6 8->24         started        35 3 other processes 8->35 27 cmd.exe 12->27         started        29 cmd.exe 14->29         started        31 cmd.exe 16->31         started        33 cmd.exe 16->33         started        signatures5 process6 dnsIp7 37 rundll32.exe 2 18->37         started        68 C:\Users\user\AppData\Local\...3DD.tmp.bat, ASCII 20->68 dropped 90 Self deletion via cmd or bat file 20->90 41 explorer.exe 1 20->41         started        76 64.190.113.123, 443, 49685, 49686 TRAVELCLICKCORP1US United States 24->76 78 download-cdn.com 152.89.196.75, 443, 49684 NEXTVISIONGB United Kingdom 24->78 92 System process connects to network (likely due to code injection or exploit) 24->92 43 rundll32.exe 27->43         started        45 conhost.exe 27->45         started        47 rundll32.exe 29->47         started        49 conhost.exe 29->49         started        53 2 other processes 31->53 55 2 other processes 33->55 70 C:\Users\user\AppData\Local\...479.tmp.bat, ASCII 35->70 dropped 51 explorer.exe 1 35->51         started        file8 signatures9 process10 file11 72 C:\Users\user\AppData\Local\...3FC.tmp.bat, ASCII 37->72 dropped 94 System process connects to network (likely due to code injection or exploit) 37->94 96 Self deletion via cmd or bat file 37->96 57 explorer.exe 1 37->57         started        60 rundll32.exe 43->60         started        62 rundll32.exe 47->62         started        64 rundll32.exe 53->64         started        66 rundll32.exe 55->66         started        signatures12 process13 dnsIp14 80 192.168.2.1 unknown unknown 57->80
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/caaea7ec83956a823420a78dec430fddb5db65d9fa4bc6555659b9b0c05c817a/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zkxkp3edsvvienbau6g6yqyp3w25wzoz7jf4mvkwlg43bqc4qf5a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230123-ypfbvagg6v/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
caaea7ec83956a823420a78dec430fddb5db65d9fa4bc6555659b9b0c05c817a
MD5 hash:
0993776328ea1684833f09868032549c
SHA1 hash:
ed7779094d6dce79be2252807e28c59aec8590b3
Link:
https://www.unpac.me/results/b943c7c7-4dc2-4cc2-b83f-0586c3c265fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/caaea7ec83956a823420a78dec430fddb5db65d9fa4bc6555659b9b0c05c817a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356099/

Comments