MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceed0ebc3f52b44accb06cfe1828133c66665a27146a08dfca26fd77ad6e0474. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ceed0ebc3f52b44accb06cfe1828133c66665a27146a08dfca26fd77ad6e0474
SHA3-384 hash: 40e2ce92a6b7c51f616968242b39d35319bc42a80bbef77d858979f374e00bff7ff90c6aad8ed3a1f7e4ebb7b10db6b0
SHA1 hash: 0ddd9a81ab722db5a6913ddc013d396875f6a1d0
MD5 hash: be16629c4a08ee23fcc1c4a8198be065
humanhash: alanine-washington-steak-stream
File name:be16629c4a08ee23fcc1c4a8198be065
Download: download sample
File size:764'928 bytes
First seen:2021-06-30 15:08:36 UTC
Last seen:2021-06-30 15:49:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 49872ca347743de3342dae48ab6a2426 (2 x Formbook, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:3/GRJUeqFZCVHtc67SJFBoy7PoAMkANkLkU4wXc:3eRJsFQHGKSacRsNi
Threatray 77 similar samples on MalwareBazaar
TLSH 2FF48DE2F1C28933E1361974FC6B976E1836FF142D0874856EF93A5C9B35682663E183
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
035e286f0b1c50844dcf7dccb7312036.exe
Verdict:
Malicious activity
Analysis date:
2021-06-30 14:42:49 UTC
Tags:
trojan stealer vidar rat azorult raccoon remcos loader
Link:
https://app.any.run/tasks/14a778ec-5a69-4257-a534-a4478718da4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f84d1bb-9f49-4925-8b99-160a3bb9bc7d
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810059
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442470 Sample: Mz89FW9zvK Startdate: 30/06/2021 Architecture: WINDOWS Score: 100 64 Found malware configuration 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected Clipboard Hijacker 2->68 70 2 other signatures 2->70 8 Mz89FW9zvK.exe 1 24 2->8         started        13 sqlcmd.exe 13 2->13         started        15 Qsahttm.exe 13 2->15         started        17 2 other processes 2->17 process3 dnsIp4 62 cdn.discordapp.com 162.159.129.233, 443, 49732, 49733 CLOUDFLARENETUS United States 8->62 60 C:\Users\Public\Libraries\...\Qsahttm.exe, PE32 8->60 dropped 72 Detected unpacking (changes PE section rights) 8->72 74 Detected unpacking (overwrites its own PE header) 8->74 76 Uses schtasks.exe or at.exe to add and modify task schedules 8->76 78 Contains functionality to compare user and computer (likely to detect sandboxes) 8->78 19 Mz89FW9zvK.exe 2 8->19         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        80 Multi AV Scanner detection for dropped file 13->80 82 Machine Learning detection for dropped file 13->82 84 Injects a PE file into a foreign processes 13->84 86 Contains functionality to detect sleep reduction / modifications 13->86 26 sqlcmd.exe 13->26         started        28 Qsahttm.exe 15->28         started        30 Qsahttm.exe 17->30         started        file5 signatures6 process7 file8 56 C:\Users\user\AppData\Roaming\...\sqlcmd.exe, PE32 19->56 dropped 58 C:\Users\user\...\sqlcmd.exe:Zone.Identifier, ASCII 19->58 dropped 32 schtasks.exe 1 19->32         started        34 reg.exe 1 22->34         started        36 conhost.exe 22->36         started        38 cmd.exe 1 24->38         started        40 conhost.exe 24->40         started        42 schtasks.exe 1 26->42         started        44 schtasks.exe 1 28->44         started        process9 process10 46 conhost.exe 32->46         started        48 conhost.exe 34->48         started        50 conhost.exe 38->50         started        52 conhost.exe 42->52         started        54 conhost.exe 44->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ceed0ebc3f52b44accb06cfe1828133c66665a27146a08dfca26fd77ad6e0474/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 14:50:32 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0d182038f62a038b380a4d3c3769d5eb389b08b194b7dce13606252e7e1aff1c
69e75e57bc4a09c9a3d7726b28423d10df5b0224177ebfa43930668efd0af5da
6a6d545fd995dbffb75332ad4a05e32f20777410b36e633c42e4f6c8cdc685d2
6e75af8d5d325800f4cfcaab0ec5a96976011f10544863ec3f75ee2a21eaded3
72a21c420bc7b744d977b3b0d68f486257784cac7a44c9b29602b0d23fe0e744
7acd63274b81b72ef23396d8e8ec007adc22b4a74a2242a07a75466c3805df42
85adf569d259dc53c5099fea6e90ff3a614a406b4308ebdf9f40e8bed151f526
d1621aa8dd1273a4b6e4f3e6b83188044af80c6ffe9aba2e7e191f159ce9b1eb
ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
+ 67 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210630-zteka9hnds/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
49f77536366703b0e3ca29cb6373d6514376a22680d0a06fcecd1934f0155413
MD5 hash:
593606abb6e00ea220a2527c44ffb6e7
SHA1 hash:
f8a90f103f62713f502a0f9a9219b4c1125e1516
Link:
https://www.unpac.me/results/c9772693-01cb-4914-8634-fc94cd94efc4/
SH256 hash:
1fe6b821182d1362a05881b38dafb4dbf4b58afcee33b66b46af50f843455360
MD5 hash:
c8d3d76ece8e531d898f61996ab83847
SHA1 hash:
8e002a727e4bbca65b0d3e033ec2d599649d3f23
Link:
https://www.unpac.me/results/c9772693-01cb-4914-8634-fc94cd94efc4/
SH256 hash:
ceed0ebc3f52b44accb06cfe1828133c66665a27146a08dfca26fd77ad6e0474
MD5 hash:
be16629c4a08ee23fcc1c4a8198be065
SHA1 hash:
0ddd9a81ab722db5a6913ddc013d396875f6a1d0
Link:
https://www.unpac.me/results/c9772693-01cb-4914-8634-fc94cd94efc4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ceed0ebc3f52b44accb06cfe1828133c66665a27146a08dfca26fd77ad6e0474

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ceed0ebc3f52b44accb06cfe1828133c66665a27146a08dfca26fd77ad6e0474

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1323338/

Comments