MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caddfa40d2378b74b85fda2cd26730bf9535e2e488f9b926e063a385829a19b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caddfa40d2378b74b85fda2cd26730bf9535e2e488f9b926e063a385829a19b4
SHA3-384 hash: 051d38d8e0a1ea4b79e51093ddb86e7e7d6c8804c47df843be255b2dbe4cdd227b897f3621524dfe80ea1a7fea2bc069
SHA1 hash: f956e1b04b2820b85c7207ef24165c8365b27a06
MD5 hash: 741fd6c26f23c6a4d2ba4b8b84d0a971
humanhash: quiet-comet-fix-bacon
File name:03330064.bin
Download: download sample
File size:782'336 bytes
First seen:2022-09-21 07:33:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3a2dc45c505e2beb6d3f71145876a93b
ssdeep 12288:EIl6zsyhbGTXbXkjZ1uC3phMb9m+FENdGQ9cilI+9+YJXWVzNYJYelhIhLE+xhgN:E91BWT4UC3phMZmOTQ9ciCa+qWVyJYpX
TLSH T1CDF4AE23F482C076D0731071056A7B2289FDFE150A359AEB67EC199A4B781D1FB3B663
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Reporter johannes
Tags:exe


Avatar
viql
Unpacked Sample 859c659aee8b897aeebf4b87364cc6d1

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
03330064.bin
Verdict:
Malicious activity
Analysis date:
2022-09-21 07:35:53 UTC
Tags:
trojan stealer opendir
Link:
https://app.any.run/tasks/7190d167-a191-4174-80e9-fc180cfbf6d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311984/
Detection(s):
SecuriteInfo.com.Win32.SpywareX-gen.28232.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% directory
Reading critical registry keys
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching a process
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38373/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware shell32.dll virus yakes
Link:
https://www.filescan.io/uploads/632abe72865ed83c011b7391/reports/642276a2-ce63-43dd-a2d0-a74161e4817a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87e0975c-5745-4748-8fb7-6bec89719ac1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1074386
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 706933 Sample: 03330064.bin.exe Startdate: 21/09/2022 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Antivirus detection for dropped file 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 8 other signatures 2->44 8 03330064.bin.exe 44 2->8         started        process3 dnsIp4 34 dixiel22.top 185.231.155.3, 49699, 80 VDSINA-ASRU Russian Federation 8->34 36 lueink02.top 95.161.129.88, 49700, 80 TIERA-ASRU Russian Federation 8->36 32 C:\Users\user\AppData\Roaming\...\lutzen.exe, PE32 8->32 dropped 54 Self deletion via cmd or bat file 8->54 56 Tries to harvest and steal browser information (history, passwords, etc) 8->56 13 cmd.exe 1 8->13         started        15 cmd.exe 1 8->15         started        file5 signatures6 process7 process8 17 lutzen.exe 7 13->17         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 timeout.exe 1 15->25         started        file9 30 C:\Users\user\AppData\...\DpEditor.exe, PE32 17->30 dropped 46 Antivirus detection for dropped file 17->46 48 Multi AV Scanner detection for dropped file 17->48 50 Query firmware table information (likely to detect VMs) 17->50 52 3 other signatures 17->52 27 DpEditor.exe 17->27         started        signatures10 process11 signatures12 58 Query firmware table information (likely to detect VMs) 27->58 60 Hides threads from debuggers 27->60 62 Tries to detect sandboxes / dynamic malware analysis system (registry check) 27->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/caddfa40d2378b74b85fda2cd26730bf9535e2e488f9b926e063a385829a19b4/
Threat name:
Win32.Infostealer.Murida
Create hunting rule
Status:
Malicious
First seen:
2022-09-21 07:34:11 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlo7uqgsg6fxjoc73iwnezzqx6ktlyxerd43sjxamorylau2dg2a._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/220921-jdkd4affg5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/160fbc96-c9b6-4263-8d22-ffdf8114ebc7
Unpacked files
SH256 hash:
caddfa40d2378b74b85fda2cd26730bf9535e2e488f9b926e063a385829a19b4
MD5 hash:
741fd6c26f23c6a4d2ba4b8b84d0a971
SHA1 hash:
f956e1b04b2820b85c7207ef24165c8365b27a06
Link:
https://www.unpac.me/results/6389e475-31ba-4192-9c83-6349c97ca8d1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/caddfa40d237/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/caddfa40d2378b74b85fda2cd26730bf9535e2e488f9b926e063a385829a19b4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

CryptBot

Executable exe b2fdf16f56a53ec57134d20655a23d5919c022a97cf7da4087bd6bf9f3704bb6

Executable exe caddfa40d2378b74b85fda2cd26730bf9535e2e488f9b926e063a385829a19b4

(this sample)

  
Dropped by
MD5 859c659aee8b897aeebf4b87364cc6d1
Cape
Cape
https://www.capesandbox.com/analysis/311984/
  
Dropped by
SHA256 b2fdf16f56a53ec57134d20655a23d5919c022a97cf7da4087bd6bf9f3704bb6

Comments