MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cffe6e5ff4988a9aa30fcce3f005db402986bf5689516976fca483310265a2a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cffe6e5ff4988a9aa30fcce3f005db402986bf5689516976fca483310265a2a4
SHA3-384 hash: 1b6ed964a0a3956ebe3bd198261bef2b9e66a93d44b8edc6b1f2a83a184899b3f4d3c0b048aa2739f6c41ae58b12967b
SHA1 hash: bdc4397414c1b3ff4adb14d9a60ba2be215a36c6
MD5 hash: 155ec0523f3c0cbff4aa09d2b7044a77
humanhash: london-victor-maine-minnesota
File name:155ec0523f3c0cbff4aa09d2b7044a77
Download: download sample
File size:6'546'944 bytes
First seen:2022-11-05 19:53:15 UTC
Last seen:2022-11-05 22:05:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2833962a826dde948cb1671c2bf82fb5
ssdeep 98304:6N+dbd33oSpsJu9oR+bY11UhoIwBOqF85EiqrvBb2s4U5OoNkI9xFvPrBtOseF4a:Y+BzpWu891ZDBOr+iqrpbTLp/Qy
Threatray 32 similar samples on MalwareBazaar
TLSH T13466231AB2BCD521E152D2304D26CAF7022B7E24971285AB328E7F5F35723B16336B57
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 68d4aa888c8ac460 (2 x AgentTesla, 2 x SnakeKeylogger, 2 x AsyncRAT)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
155ec0523f3c0cbff4aa09d2b7044a77
Verdict:
No threats detected
Analysis date:
2022-11-05 19:53:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/12d64340-5771-41b3-9872-af3a0b5c36b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329205/
Detection(s):
SecuriteInfo.com.Variant.Lazy.260895.32692.13825.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Forced system process termination
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/49031/overview
Behaviour
MalwareBazaar
MeasuringTime
CallSleep
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug greyware packed stealer
Link:
https://www.filescan.io/uploads/6366bf5c15611f8d8bf90f00/reports/6c49b2f4-d46c-4ea3-ad90-4b5fb253f9d2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/56588087-79e7-429c-aa40-1a9881f741c9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1106284
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 738948 Sample: LTxl97QUra.exe Startdate: 05/11/2022 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->66 8 LTxl97QUra.exe 1 2->8         started        12 LTxl97QUra.exe 2->12         started        14 LTxl97QUra.exe 2->14         started        process3 file4 46 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 8->46 dropped 68 Encrypted powershell cmdline option found 8->68 70 Drops executables to the windows directory (C:\Windows) and starts them 8->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 8->72 74 4 other signatures 8->74 16 GoogleUpdate.exe 12 8->16         started        20 powershell.exe 22 8->20         started        22 powershell.exe 21 8->22         started        24 2 other processes 8->24 signatures5 process6 dnsIp7 48 api.peer2profit.com 172.66.40.196, 443, 49698, 49700 CLOUDFLARENETUS United States 16->48 50 162.19.175.128, 443, 49699, 49701 CENTURYLINK-US-LEGACY-QWESTUS United States 16->50 52 Detected unpacking (changes PE section rights) 16->52 54 Detected unpacking (creates a PE file in dynamic memory) 16->54 56 Detected unpacking (overwrites its own PE header) 16->56 58 4 other signatures 16->58 26 netsh.exe 3 16->26         started        28 netsh.exe 3 16->28         started        30 netsh.exe 3 16->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        38 conhost.exe 24->38         started        signatures8 process9 process10 40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cffe6e5ff4988a9aa30fcce3f005db402986bf5689516976fca483310265a2a4/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-11-05 16:58:46 UTC
File Type:
PE (Exe)
Extracted files:
138
AV detection:
15 of 41 (36.59%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z77g4x7utcfjviypztr7abo3iauynp2wrfiws5x4usbtcatfuksa._file
Verdict:
malicious
Similar samples:
086896ba131161dac8f232478d8d9167f33fd81a02271f49fa0a362aa236c8ca
3c755dda9245f3bf25d22e5564c6224239ab3d698a5cc8faadaa4db4709b5656
72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89
763b9ddb8670835d34e5ecbd031c8077ad8c1e1572e43f558fa664a8d6b0c4d5
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
9aabc9de4fbef67b8b8596428afa7dfa2754ac84e492b3d1f0a945b941fbac96
a651672f98fba458ca8b6861557119c81d12afcb705c457d65dd2b44dcc499fe
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279
b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion vmprotect
Link:
https://tria.ge/reports/221105-ymjaqahde4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/23bb4535-7636-4e93-9132-831a8d01aff7
Unpacked files
SH256 hash:
cffe6e5ff4988a9aa30fcce3f005db402986bf5689516976fca483310265a2a4
MD5 hash:
155ec0523f3c0cbff4aa09d2b7044a77
SHA1 hash:
bdc4397414c1b3ff4adb14d9a60ba2be215a36c6
Link:
https://www.unpac.me/results/f9a9f1cc-9deb-41bc-a7d8-fcad2f7ab746/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cffe6e5ff498/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cffe6e5ff4988a9aa30fcce3f005db402986bf5689516976fca483310265a2a4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe cffe6e5ff4988a9aa30fcce3f005db402986bf5689516976fca483310265a2a4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2401724/
Cape
Cape
https://www.capesandbox.com/analysis/329205/

Comments


Avatar
zbet commented on 2022-11-05 19:53:27 UTC

url : hxxp://gitcdn.link/cdn/gta11113/fgjhfh/main/P2PTnh.hjhk