MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cadcd8c01844efd569e6d84e5cf516261a8e43450b2b22d8227a710eaa524909. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cadcd8c01844efd569e6d84e5cf516261a8e43450b2b22d8227a710eaa524909
SHA3-384 hash: 639c6ae77b35eae315b84c09c0c7c022c5b8a9cc656a5cdcfa3e84bf3bed99a5320e330c5c62e4e36691663803bf0886
SHA1 hash: 2b5f22ac2158a90eae8783e05e62171095bbdce7
MD5 hash: fc157bf81ab006d1bb0a542aaf499c53
humanhash: item-magnesium-fix-november
File name:fc157bf81ab006d1bb0a542aaf499c53
Download: download sample
File size:1'166'336 bytes
First seen:2024-02-12 03:59:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep 24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8aHh2+b+HdiJUt:CTvC/MTQYxsWR7aHh2+b+HoJU
Threatray 2'239 similar samples on MalwareBazaar
TLSH T13945CF027391C022FF9B92734F5AF6115BBC69260123E61F13981DBABE701B1563E7A3
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
400
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-02-12 13:14:54 UTC
Tags:
opendir hausbomber loader evasion keylogger rat remcos remote purplefox backdoor ammyy kelihos trojan phorpiex rhadamanthys stealer redline amadey botnet payload raccoon recordbreaker asyncrat arechclient2 risepro azorult xworm gh0st quasar dcrat lokibot stealc nitol banload arkei gh0stcringe metastealer vidar gcleaner socks5systemz proxy python ramnit
Link:
https://app.any.run/tasks/05fedc06-23a0-4ce4-a364-32f815d12b11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475772/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin packed shell32
Link:
https://www.filescan.io/uploads/65c997c4179f724a954faa4d/reports/39b002b0-8bf3-41c2-ad49-6ef86bb3e77c/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/cadcd8c01844efd569e6d84e5cf516261a8e43450b2b22d8227a710eaa524909
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/951c870a-7547-4ef3-acbe-530e213c56ff
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1390502
Signature
Binary is likely a compiled AutoIt script file
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cadcd8c01844efd569e6d84e5cf516261a8e43450b2b22d8227a710eaa524909
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cadcd8c01844efd569e6d84e5cf516261a8e43450b2b22d8227a710eaa524909/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-02-11 12:14:49 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
13 of 37 (35.14%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlonrqayitx5k2pg3bhfz5iweyni4q2fbmvsfwbcpjyq5kssjeeq._file
Verdict:
unknown
Similar samples:
1632642cdbdc5568afc3a0612dc078e01fae6a96148934ec9af1faacb6926cb4
4310f5a0b37713c8d7d799fbecdcd58efac466347999fff02e183535c67c86d4
44d85e7e0e05ce06956da634a3f19633f1393bf7f82f1faef84e2c4e9d57af5a
60b2187fb7db90cc596f9ab3eb852ef99e5d8a53467b552440282d02df5b18b2
799c7bed3c5fe743f6b748efff0994fbda6f19028cc9921a06cf633e7629bba7
7cfbfe371912b59dec9a22cb39790c9f94774124ac786b48d493ec46830a0c1c
7e390ca86f3a591a740e6aed05214cf75773e0d38dd70fd194fe26f12e876123
97efe91fe5eff3dcdcb055f037f1df01c1409e6bd38a8f07170ea53a0ff265ef
bcec8f25d0fcce6b453b9bc363d15b3fa84f2bca0afc7c5bb9f3620386b4dabc
c56085ee871e8eea85eb269f98c711fd2f7a395f5b054309a0e59047f9605ead
+ 2'229 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240212-ekm2cafe6v/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
cadcd8c01844efd569e6d84e5cf516261a8e43450b2b22d8227a710eaa524909
MD5 hash:
fc157bf81ab006d1bb0a542aaf499c53
SHA1 hash:
2b5f22ac2158a90eae8783e05e62171095bbdce7
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/e096515f-9c73-4991-ae3e-7a3a8684c3ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cadcd8c01844efd569e6d84e5cf516261a8e43450b2b22d8227a710eaa524909

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe cadcd8c01844efd569e6d84e5cf516261a8e43450b2b22d8227a710eaa524909

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/475772/
  
URLhaus
https://urlhaus.abuse.ch/url/2759919/

Comments


Avatar
zbet commented on 2024-02-12 03:59:59 UTC

url : hxxp://185.215.113.46/cost/well.exe