MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1aab5929869cfe69e83022529492d8c60f749c4e2c33af45da5adee88435cdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown

Vendor detections: 12

SHA256 hash: d1aab5929869cfe69e83022529492d8c60f749c4e2c33af45da5adee88435cdd
SHA3-384 hash: cf8ed693ce4d2dfbadd3aead49e64bd695bdc5071349be4227626b24c9d18c5bcce59c0c2e2c894187d40fea6cb5add2
SHA1 hash: 9d448761ffa9b6e110f723fe551055ee0be4408d
MD5 hash: 6cd65c568257694ab3ec9912419d202e
humanhash: mars-xray-william-washington
File name: 6cd65c568257694ab3ec9912419d202e.exe
Download: download sample
File size: 1'564'160 bytes
First seen: 2023-08-01 10:56:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:9mx+F970i1R6m0g7DXfQE4E4P3/vXywukahdPwk:8x+70I6m0sXfQ33nXyqan
Threatray: 20 similar samples on MalwareBazaar
TLSH: T191755A21B67CCA45C0DE163E84EA370407B8B893E661E73E7ED136E995113C64D1E8EE
TrID: 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      8.4% (.SCR) Windows screen saver (13097/50/3)
      6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE): [image]
dhash icon: 6268eca692ecf0e0
Reporter: abuse_ch
Tags: exe
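The imphash line above puts this sample in the same bucket as tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, which is a property of .NET executables rather than of any family. The block below is an added example, not code from MalwareBazaar or from pefile: it reimplements pefile's get_imphash() algorithm over hand-constructed import tables (no PE file is parsed, and the ordinal table is an assumed subset of pefile's ordlookup data) and shows that a .NET loader stub whose only import is mscoree.dll!_CorExeMain reproduces exactly the imphash shown in this entry.

```python
"""Recompute an import hash (imphash) the way pefile does, offline.

Added example, not MalwareBazaar's or pefile's own code. It follows the
pefile.PE.get_imphash() algorithm: lower-cased "module.function" tokens in
import-table order, comma-joined, MD5'd. The import tables are constructed
by hand so the script runs without any PE file.
"""
import hashlib
from typing import Iterable, Optional

PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"  # value shown in this entry

# pefile drops these extensions from the imported module name.
_STRIPPED_EXTENSIONS = (".ocx", ".sys", ".dll")

# Imports by ordinal are resolved to names only for these three modules.
# Assumed subset of pefile's ordlookup tables, enough for the sample below.
_ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket", 52: "gethostbyname"},
    "wsock32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket", 52: "gethostbyname"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString", 8: "VariantInit", 9: "VariantClear"},
}


def normalize_import(dll: str, name: Optional[str] = None, ordinal: Optional[int] = None) -> str:
    """Return the 'module.function' token pefile emits for one import entry."""
    lib = dll.lower()
    for ext in _STRIPPED_EXTENSIONS:
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    if name is not None:
        func = name
    elif ordinal is not None:
        func = _ORDINAL_NAMES.get(lib, {}).get(ordinal, f"ord{ordinal}")
    else:
        raise ValueError("an import needs a name or an ordinal")
    return f"{lib}.{func.lower()}"


def imphash_string(imports: Iterable[tuple]) -> str:
    """The comma-joined string that gets hashed; import order is significant."""
    return ",".join(normalize_import(*imp) for imp in imports)


def imphash(imports: Iterable[tuple]) -> str:
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import table of a .NET executable: the unmanaged loader stub
# imports exactly one symbol, and the managed code contributes no imports.
DOTNET_STUB_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed import table of a small native program, mixing imports by name
# and by ordinal (ws2_32 ordinal 23 is socket, 4 is connect).
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("WS2_32.dll", None, 23),
    ("WS2_32.dll", None, 4),
]


def dotnet_stub_matches_page() -> bool:
    """True when the one-import .NET stub reproduces the imphash on this entry."""
    return imphash(DOTNET_STUB_IMPORTS) == PAGE_IMPHASH


if __name__ == "__main__":
    print("dotnet stub:", imphash(DOTNET_STUB_IMPORTS),
          "(same as this entry)" if dotnet_stub_matches_page() else "")
    print("native     :", imphash(NATIVE_IMPORTS), "<-", imphash_string(NATIVE_IMPORTS))
    # Reordering the import table changes the hash: imphash groups binaries
    # built from the same source with the same linker, not the same payload.
    print("reordered  :", imphash(list(reversed(NATIVE_IMPORTS))))
```

For .NET samples, cluster on something that reflects the managed code instead (TypeRef/MemberRef hashes, ssdeep or TLSH of the decompiled module); the imphash and the pe_imphash YARA rule below will match every .NET binary alike.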

Intelligence


File Origin
# of uploads :
1
# of downloads :
259
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6cd65c568257694ab3ec9912419d202e.exe
Verdict:
Malicious activity
Analysis date:
2023-08-01 11:00:09 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Launching a process
Creating a window
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand lolbin msbuild obfuscated packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Clipboard Hijacker
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Signature
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph (ID 1283664; sample 7oAASso97K.exe; start date 01/08/2023; architecture WINDOWS; score 88), reconstructed from the graph's text export:

Signatures on the submitted sample:
Multi AV Scanner detection for submitted file
Yara detected Clipboard Hijacker
Machine Learning detection for sample

Process tree:
7oAASso97K.exe (started)
    dropped: C:\Users\user\Videos\assdfmdswkhs.exe (PE32)
    dropped: C:\Users\...\assdfmdswkhs.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\...\7oAASso97K.exe.log (ASCII)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    MSBuild.exe (started by 7oAASso97K.exe)
        signature: Creates an autostart registry key pointing to binary in C:\Windows
assdfmdswkhs.exe (started)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    MSBuild.exe (started by assdfmdswkhs.exe)
MSBuild.exe (started)
    conhost.exe (started)
MSBuild.exe (started)
    conhost.exe (started)
Threat name:
Win32.Trojan.Nekark
Status:
Malicious
First seen:
2023-07-31 18:39:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
132
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
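The behaviour lists from the three reports above describe one chain: the dropped assdfmdswkhs.exe is started, opens MSBuild.exe (the lolbin tag) and writes a PE into it (WriteProcessMemory, SetThreadContext), and a Run-key value is created for persistence. The block below is an added example, not code from MalwareBazaar or from any of the sandbox vendors, showing how to hunt for that chain in endpoint telemetry. The events are constructed by hand in a Sysmon-like shape (EventID 1 process creation, 10 process access, 13 registry value set) using Sysmon's field names; nothing here parses real Sysmon logs, and the parent allow-list and LOLBin list are assumptions to tune per estate.

```python
"""Hunt for the reported behaviour chain in process telemetry.

Added example, not MalwareBazaar's or a sandbox vendor's code. Three checks:
MSBuild.exe spawned by a non-build-tool parent, a cross-process handle with
the rights injection needs, and a Run-key value that launches a LOLBin or
a binary under a user-writable path. Events below are constructed.
"""
import re

# Access rights from winnt.h that injection needs on the target process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Parents that legitimately spawn MSBuild.exe (assumed allow-list).
MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

# Trusted binaries a persistence entry should never point at (assumed list).
LOLBINS = {"msbuild.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "installutil.exe"}

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
EXE_PATH = re.compile(r'[a-z]:\\[^"]*?\.exe', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def msbuild_odd_parent(ev):
    """EventID 1: MSBuild.exe started by something that is not a build tool."""
    if ev["EventID"] == 1 and basename(ev["Image"]) == "msbuild.exe":
        parent = basename(ev["ParentImage"])
        if parent not in MSBUILD_PARENTS:
            return f"MSBuild.exe spawned by {parent}"
    return None


def injection_handle(ev):
    """EventID 10: another process opened with create-thread and VM-write rights."""
    if ev["EventID"] == 10 and ev["SourceImage"] != ev["TargetImage"]:
        granted = int(ev["GrantedAccess"], 16)
        if granted & INJECTION_MASK == INJECTION_MASK:
            return f"{basename(ev['SourceImage'])} opened {basename(ev['TargetImage'])} with 0x{granted:X}"
    return None


def risky_run_value(ev):
    """EventID 13: Run/RunOnce value whose command names a LOLBin or a user-writable path."""
    if ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
        reasons = []
        for path in EXE_PATH.findall(ev["Details"]):
            if basename(path) in LOLBINS:
                reasons.append(f"LOLBin {basename(path)}")
            if USER_WRITABLE.match(path):
                reasons.append(f"user-writable {path}")
        if reasons:
            return f"Run value {basename(ev['TargetObject'])}: " + "; ".join(reasons)
    return None


CHECKS = (msbuild_odd_parent, injection_handle, risky_run_value)


def hunt(events):
    """Return (rule name, detail) for every event that trips a check, in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((check.__name__, hit))
    return findings


MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
DROPPED = r"C:\Users\user\Videos\assdfmdswkhs.exe"
HKU_RUN = r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events: the first, third and fifth mirror the reported chain;
# the others are benign look-alikes that must not fire.
EVENTS = [
    {"EventID": 1, "Image": MSBUILD, "ParentImage": DROPPED},
    {"EventID": 1, "Image": MSBUILD,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 10, "SourceImage": DROPPED, "TargetImage": MSBUILD, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 13, "Image": MSBUILD, "TargetObject": HKU_RUN + r"\assdfmdswkhs",
     "Details": f"{MSBUILD} {DROPPED}"},
    {"EventID": 13, "Image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "TargetObject": HKU_RUN + r"\OneDrive",
     "Details": r'"C:\Program Files\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"[{rule}] {detail}")
```

Each check alone has benign matches (developers do launch MSBuild.exe from shells, and some installers write Run values into the user profile); what makes the page's sample stand out is all three firing from the same process lineage within seconds, so correlate by host and parent chain before alerting.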
Unpacked files
SHA256 hash:
bd0fcb4c298822bef4e8864dc7fbb48d222320a29e0e4776d77d21d2c057cf8d
MD5 hash:
b97cc70f842cadea1d425d59a9d0bbc2
SHA1 hash:
ca154c12331e147ad0e0c6aa238ea46c28cce31c
SHA256 hash:
7eb3fd9ee7b34b01b7ddab318648d875d2638e101c05004f23acfa1facc76a06
MD5 hash:
1e353fd35810095d7acf43f416f63c78
SHA1 hash:
89d50db5cba371356e372976f580312bce18f09b
SHA256 hash:
bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash:
7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash:
67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d
SHA256 hash:
d1aab5929869cfe69e83022529492d8c60f749c4e2c33af45da5adee88435cdd
MD5 hash:
6cd65c568257694ab3ec9912419d202e
SHA1 hash:
9d448761ffa9b6e110f723fe551055ee0be4408d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICOUS_EXE_UNC_Regex
Author: ditekSHen
Description: Detects executables with considerable number of regexes often observed in infostealers
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d1aab5929869cfe69e83022529492d8c60f749c4e2c33af45da5adee88435cdd

(this sample)

  
Delivery method
Distributed via web download

Comments