MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0d417ece8e94dbb4834e29c345d2e05de5de8ba3b3e05d922614c6f508d4cbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	d0d417ece8e94dbb4834e29c345d2e05de5de8ba3b3e05d922614c6f508d4cbe
SHA3-384 hash:	892fca85926f8ee1f1962cc772b41e954b439d65798864b80a465d4276bc31d80eb6e3d51780a82714da26641e2bf964
SHA1 hash:	6f49f6ce4068524aab980fce4c85473f63415d5f
MD5 hash:	40899d038ee717f6e407ed53668c8d16
humanhash:	arizona-equal-arizona-freddie
File name:	40899d038ee717f6e407ed53668c8d16.exe
Download:	download sample
File size:	555'008 bytes
First seen:	2023-08-02 17:52:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:FVcSX+wMmdF1/jILYCWilocbzK27bwgTysayxbLz7ms4u6m7PH1:FVcSX+wrd/r3IO2g06Pg/1
Threatray	35 similar samples on MalwareBazaar
TLSH	T137C4DEC04168E294DF5156F9FD4A693988B0624BAC5B2EAFF74BBDD03C735C48A9E403
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	85-217-144-143 exe

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

40899d038ee717f6e407ed53668c8d16.exe

Verdict:

Malicious activity

Analysis date:

2023-08-02 17:55:17 UTC

Tags:

lgoogloader opendir gcleaner loader rat redline stealer arkei vidar stealc smoke trojan evasion

Link:

https://app.any.run/tasks/20f01b8b-e4a5-4876-b36b-9ed8e2328b56

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/439911/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.68475985.17070.21997.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a service

Launching a service

Loading a system driver

Creating a file in the Windows subdirectories

Creating a file in the Windows directory

Sending a custom TCP request

Сreating synchronization primitives

Creating a process with a hidden window

Launching a process

Using the Windows Management Instrumentation requests

Enabling autorun for a service

Blocking the User Account Control

Forced shutdown of a system process

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed packed

Link:

https://www.filescan.io/uploads/64ca98008b880a9fc64329d5/reports/884ba5aa-5e01-4c20-9646-bd5a11388e55/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d0d417ece8e94dbb4834e29c345d2e05de5de8ba3b3e05d922614c6f508d4cbe

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NetWalker Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eca9a984-c7ac-4aad-ab9c-d959262bec8c

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1284633

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample is not signed and drops a device driver

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d0d417ece8e94dbb4834e29c345d2e05de5de8ba3b3e05d922614c6f508d4cbe/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-08-01 23:15:50 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2dkbp3hi5fg3wsbu4kodixjoaxpf32f2hm7alwjcmfgg6uenjs7a._file

Verdict:

malicious

2e4548a3744c45b01a65b8523d08f044ecf9e1cba90f3e792d3894d5c72dbabe

486e5a611e29d76bdd2cfa9fc600931539f920b2552eab45e3dc7878b58a19d5

4c673b59e43c4475cd1204bba60adcef91be7bd9116d5548102eca86f6b0ffdc

4cb622e428772576bdcf156ec4030b782f0764fd6ea9da4de543e5723fb62b9d

6a3ea5ef986f8bc290a7393c4a890e87b583f5d30d2afa771b3540a54ae0313e

73f2bda2748d084de9a966db5a390504cc5bd65f030492ac50861d2587b49e7f

8678f9a3ecfd06cd0f5f2ecd34414ccfd0dc475b8f7d4269e330b5935a8e8f99

d5dff38d0773eefad7e6b3fe7005e8ace7c37fc9a6b88eca21f6120d2b860f32

ff7957fa16a3e0a3d4862f78b5df98a7f8ce404a205d4d1fe14abc6fe8b51b9a

+ 25 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230802-wgaqaahf2s/

Behaviour

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

d0d417ece8e94dbb4834e29c345d2e05de5de8ba3b3e05d922614c6f508d4cbe

MD5 hash:

40899d038ee717f6e407ed53668c8d16

SHA1 hash:

6f49f6ce4068524aab980fce4c85473f63415d5f

Link:

https://www.unpac.me/results/c9293415-d468-4f01-a6ea-73b0adb545c1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d0d417ece8e9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d0d417ece8e94dbb4834e29c345d2e05de5de8ba3b3e05d922614c6f508d4cbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe d0d417ece8e94dbb4834e29c345d2e05de5de8ba3b3e05d922614c6f508d4cbe

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2681797/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/439911/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample