MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d24441e5bb3497db8f6c39a3579b1415efa467e18308f1f9dff228d721b0bdde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d24441e5bb3497db8f6c39a3579b1415efa467e18308f1f9dff228d721b0bdde
SHA3-384 hash: 7555ef4326816260a43d51c1e10a24f46aff994f12e4f1b408c65f2fc08ccba2d30b7c2d8fad6203822965c39d66861e
SHA1 hash: 4ecb0d749df3b76e6fd367bb8cf7fdc2b50a8b26
MD5 hash: c436c42e07c1c93c8aeb48b35b51a4a9
humanhash: washington-purple-foxtrot-cardinal
File name:c436c42e07c1c93c8aeb48b35b51a4a9.exe
Download: download sample
File size:2'616'320 bytes
First seen:2021-12-16 08:57:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc9dbb16a3b4e2cc8d0db4a2164aacd8
ssdeep 49152:J5/gVHefM1wisXSKCV514NNgMiMlqQxmRmfiiQ8+KbM7k1NPJQZpktax:L2efHSXV5iOGqQDfii+YfJyo
Threatray 8'232 similar samples on MalwareBazaar
TLSH T197C533AB1417FF72D5CE68B4C8CA3A4BE9E3E31CC6BA31BA1B3DA41561053859E4DC11
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214528/
Detection(s):
Win.Trojan.Generic-9908700-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a custom TCP request
Сreating synchronization primitives
Creating a process from a recently created file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2216/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61baff9e6daa353fa3b4d9fd/reports/4b51d2fe-8d52-46ea-9b08-e5a1f66c5fb9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb71b6d7-20d5-4670-8e91-809d091d6715
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908367
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d24441e5bb3497db8f6c39a3579b1415efa467e18308f1f9dff228d721b0bdde/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 19:25:41 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0bd168703d2bb6a6d5fffe115c4834f4057bcb7f7877369a3230a82badce3d15
0e9d7dd7f56cf707f449e9c046499f2b0a4a953794af5e7a15d3a6d5971594ef
3afb94af10e2fae81d10a10c089362e6eac18d1a84a2c24c5fb6003e402931a7
64b608dd4724d90e85149b4b450fc86f7a258da04095e9e8cff77a7ee5645b29
6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5
83183a8d40a911690ac0064964d07bac630a508a63a43b56fb61ed405d8d8900
acda9ae5a6c865eb3291e1bb7cc41e6b0f86a12e180c984a2f4fcb302505021b
bf45b415add34c4a9cfd28e2f0060a5771b452a290d4807cc66e5e0355b014c0
dd2867c397375bafb2706c13226805a2877725d93f61938b9f90a3a1f568f6c0
+ 8'222 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/211216-kw6wgsbfc5/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Themida packer
Blocklisted process makes network request
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
407b54259a0c591b110e0905f2650c1419914761a0aed7bad4d7d5541bb07ba1
MD5 hash:
a6136e83963d5746540e003872926f85
SHA1 hash:
880fc521d06c7465310ed55d2cd755239ddb56de
Link:
https://www.unpac.me/results/df44add8-e562-4a20-bf9d-98926ec70ccc/
SH256 hash:
d24441e5bb3497db8f6c39a3579b1415efa467e18308f1f9dff228d721b0bdde
MD5 hash:
c436c42e07c1c93c8aeb48b35b51a4a9
SHA1 hash:
4ecb0d749df3b76e6fd367bb8cf7fdc2b50a8b26
Link:
https://www.unpac.me/results/df44add8-e562-4a20-bf9d-98926ec70ccc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/d24441e5bb3497db8f6c39a3579b1415efa467e18308f1f9dff228d721b0bdde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:MALWARE_Win_DLAgent14
Create hunting rule
Author:ditekSHen
Description:Detects downloader injector

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d24441e5bb3497db8f6c39a3579b1415efa467e18308f1f9dff228d721b0bdde

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1887349/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214528/

Comments