MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdd9b66c16de51ebf5863b1dff82b2ce347efce4d93b9be9d40a47ecac04b4b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdd9b66c16de51ebf5863b1dff82b2ce347efce4d93b9be9d40a47ecac04b4b8
SHA3-384 hash: c8647dad6e8ae93abbe4a1107e9fd5ef8ce2b9e04461b1feb0d06531415578dc8d99a5b9a83de687c088cdc2dd905bbb
SHA1 hash: 57052447996fb048cda66832bff3f90c6f302292
MD5 hash: 42f800b4319afd281f65e5d615f57a36
humanhash: romeo-glucose-seven-speaker
File name:42f800b4319afd281f65e5d615f57a36.exe
Download: download sample
File size:2'811'557 bytes
First seen:2023-07-31 06:36:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:Z2Z/DivWXGmi5ZYtLXS+J17JMIdX8UoO5gXKf1slKOnZ6wqK4:ZFvtBStLXS+JUISy5F1s4yaP
Threatray 1'530 similar samples on MalwareBazaar
TLSH T17BD53311E9E15872D56210341B3CA760A93AB9701F11DEDB7BE95C2AA8712E0733EDF3
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 484da69b9b864d68
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
42f800b4319afd281f65e5d615f57a36.exe
Verdict:
Malicious activity
Analysis date:
2023-07-31 06:39:12 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/4f088964-38e6-4ad9-b5b9-ea585467fbc1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439276/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Loading a suspicious library
DNS request
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control fingerprint greyware lolbin lolbin overlay packed replace setupapi shdocvw shell32 stealer
Link:
https://www.filescan.io/uploads/64c7568f3d0bb8484a89ae44/reports/1df48206-f602-415c-b351-832ac65fd519/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/cdd9b66c16de51ebf5863b1dff82b2ce347efce4d93b9be9d40a47ecac04b4b8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6c969490-d4f4-41f8-8b2a-74e60b72f069
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1282906
Signature
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdd9b66c16de51ebf5863b1dff82b2ce347efce4d93b9be9d40a47ecac04b4b8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxm3m3aw3zi6x5mghmo77avszy2h57he3e5zx2oubjd6zlaews4a._file
Verdict:
unknown
Similar samples:
03d65713f4af0362ffbabf2ac5a0eedbbb640e47b501e939d08080c86d083afd
09de50c42d342a45215b027b4b041d96fafa5348aeb71c15db3d46725c3aeaa2
0e3854e6b691065b05fd143d9a67ccbc7869ccfce719b09d9443b7166f5ec61b
23941746340e89fb699e4ecec106fbfd40186fc5b483bf72d82d5d5a2706863f
41d6f0977590e08c50b69579e57d4fde515ce214d958b700b18d36318b44e4db
504229eb947e4ae07f6cb408da3dde9ae2ae2996b4df208ab9d06558f39d2cf5
50774c53ce18234a360e8848e54a0e50468e019b74352a9228737fd4860cf419
9c2be0c1c80a7f7c5de355be5d52ea7f1b023ca29fcf33a753c41c13bbdb8ef9
c75b21d9f3189b648b2b83dae0fb48e49eb5458e8c3c5cfbdbcac460b43acc32
+ 1'520 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230731-hdgsjadh5s/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
e0e7e29881d0d1074ad58e69a6e75f662ea8fe1f0a840b356ac32b448c823596
MD5 hash:
ece9d14ef54b13dc9bc4708edc8afb61
SHA1 hash:
9947a31d8c411945c3ecd7476fc82c6c2b7148d0
Link:
https://www.unpac.me/results/35c7afba-8b8b-4cf5-b1eb-7520a3280253/
SH256 hash:
cdd9b66c16de51ebf5863b1dff82b2ce347efce4d93b9be9d40a47ecac04b4b8
MD5 hash:
42f800b4319afd281f65e5d615f57a36
SHA1 hash:
57052447996fb048cda66832bff3f90c6f302292
Link:
https://www.unpac.me/results/35c7afba-8b8b-4cf5-b1eb-7520a3280253/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/439276/

Comments