MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce077d6b1a5b8013a57769b06e6e713ef19c4ca3423fa91614897543ced5d15a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	ce077d6b1a5b8013a57769b06e6e713ef19c4ca3423fa91614897543ced5d15a
SHA3-384 hash:	e3428262e4886a21a7625ddbfb2cf857b44c97a81179482aecc4daa45a5459ce4d0825a67b1c18907d938154ff49f82c
SHA1 hash:	ff3c3e674ca34a721d73938ac6d0faa025b05e5d
MD5 hash:	4b2945881797ca11e96a1e2ff52fe2a0
humanhash:	august-fillet-equal-eight
File name:	4b2945881797ca11e96a1e2ff52fe2a0.exe
Download:	download sample
File size:	2'845'184 bytes
First seen:	2023-05-10 08:00:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	49152:oxp8eE+mWx3Ktz/leJH5sF3JzCAA8NRJFlrg:I2
Threatray	14 similar samples on MalwareBazaar
TLSH	T128D5E0B17FD9F92AE1BD2AB4E86B054C6D34EC5B9598D25EB84C34C80F74754C822EB0
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4b2945881797ca11e96a1e2ff52fe2a0.exe

Verdict:

Malicious activity

Analysis date:

2023-05-10 08:06:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f4bc8f1e-5fb1-435f-a0bd-4aea14d81f3b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/388071/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.80730.21391.15393.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file

Sending a custom TCP request

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

10/10

Confidence:

90%

Link:

https://www.filescan.io/uploads/645b4f45d860ee3e1ca69df1/reports/5ecdbd99-864a-4af7-90c6-59e883c95de6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/ce077d6b1a5b8013a57769b06e6e713ef19c4ca3423fa91614897543ced5d15a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/43fe1773-8a0c-433f-b104-a6a840854878

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1229844

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ce077d6b1a5b8013a57769b06e6e713ef19c4ca3423fa91614897543ced5d15a/

Threat name:

Win64.Trojan.Nekark

Status:

Malicious

First seen:

2023-05-07 06:53:16 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zydx22y2loabhjlxngyg43trh3yzytfdii72sfqurf2uhtwv2fna._file

Verdict:

malicious

12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad

6885a9ebd3e4a2d367b385f8d846f528bacfc944b7be6f1e2eca12d6c951a7d5

6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda

71664ca9b4d0ca2030a0bb792ae8d6c6791fb57f71ed061899af6dda9c06630a

9142931e43055d6363ee826270edf47ada8acc56ebca1084ca9ee2fcca579536

9206df8f28b1540fa4f76fc385b2d786fadaef5cf7b0e24e5218ff7fff0fcbad

a0959f72e13211452dc49f9359f43d5b7df3a98fb24f0fbaf0ec2c29d85bb1ec

e1ad3754ce46be3a6178d6050b3bde5b84cc9c0c8c4479fae1a529cdd3c8484b

fd24ac75f267d1cc406697651273087eaf7c5f86ff59d323fdf66a41915429b0

+ 4 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/230510-jwj62sgg8x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Unpacked files

SH256 hash:

ce077d6b1a5b8013a57769b06e6e713ef19c4ca3423fa91614897543ced5d15a

MD5 hash:

4b2945881797ca11e96a1e2ff52fe2a0

SHA1 hash:

ff3c3e674ca34a721d73938ac6d0faa025b05e5d

Link:

https://www.unpac.me/results/eb73d177-df2b-4f12-81b9-a34b5ed5fdec/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe ce077d6b1a5b8013a57769b06e6e713ef19c4ca3423fa91614897543ced5d15a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2628129/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/388071/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample