MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d26eb6a88c035ccf77d7fa007cc052fb2e423cda3ad120d0937490b895e1f21b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d26eb6a88c035ccf77d7fa007cc052fb2e423cda3ad120d0937490b895e1f21b
SHA3-384 hash: 25d03ca1aa763f66880d093fe5c6c3bdb804fd9a919c96f2b80c5efa3969557763dfa353a8cff51161d19f192e5d807e
SHA1 hash: e571d26761b205d575cb69a453af709bee45869a
MD5 hash: d70e739d3a8486ac1daa47c71b09011b
humanhash: sad-freddie-monkey-gee
File name:file
Download: download sample
File size:109'056 bytes
First seen:2022-11-22 10:34:00 UTC
Last seen:2022-11-24 08:03:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 107642d7afa806275959216edae50a1f
ssdeep 3072:jgEcLLLJvw/9aOukppeX6lIRVFT3aXnEoUQJ:LmC1ppePC7tJ
TLSH T1AFB36E11B6D2907AD57A693204A5EA614A3EF9300F788EBB77D5133E0F341D0E623E67
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://e-hemsire.net/data/avatars/file.exe

Intelligence

File Origin
# of uploads :
27
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-22 10:38:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/387c54c1-28e1-49a8-b042-e19108d0f6f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337178/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.3020.18554.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Launching a process
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Downloading the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware rat
Link:
https://www.filescan.io/uploads/637ca59d5f223762e6ee2f65/reports/39652686-14c8-4d4f-af7f-6ae8e3eafb64/overview
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/638e9a13-563b-4e39-85aa-af0609807cd3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1118845
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Powershell Download and Execute IEX
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 751563 Sample: file.exe Startdate: 22/11/2022 Architecture: WINDOWS Score: 76 35 Multi AV Scanner detection for submitted file 2->35 37 Sigma detected: Powershell Download and Execute IEX 2->37 39 Machine Learning detection for sample 2->39 7 file.exe 13 2->7         started        process3 dnsIp4 33 e-hemsire.net 46.105.79.7, 443, 49683, 49684 OVHFR France 7->33 41 Found evasive API chain (may stop execution after checking mutex) 7->41 43 Self deletion via cmd or bat file 7->43 45 Contains functionality to compare user and computer (likely to detect sandboxes) 7->45 11 cmd.exe 1 7->11         started        14 cmd.exe 1 7->14         started        signatures5 process6 signatures7 47 Uses ping.exe to check the status of other devices and networks 11->47 16 PING.EXE 1 11->16         started        19 conhost.exe 11->19         started        21 powershell.exe 14 16 14->21         started        23 conhost.exe 14->23         started        process8 dnsIp9 25 127.0.0.1 unknown unknown 16->25 27 e-hemsire.net 21->27 29 195.123.211.56, 49693, 80 ITL-LV Bulgaria 21->29 31 192.168.2.1 unknown unknown 21->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d26eb6a88c035ccf77d7fa007cc052fb2e423cda3ad120d0937490b895e1f21b/
Threat name:
Win32.Downloader.PsDownload
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 10:35:06 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 26 (76.92%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jxlnkemanom656x7iahzqcs7mxeepg2hlisbuetosilrfpb6inq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/221122-ml4dqaac39/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Malware Config
Dropper Extraction:
https://e-hemsire.net/data/avatars/config_40.ps1
Unpacked files
SH256 hash:
d26eb6a88c035ccf77d7fa007cc052fb2e423cda3ad120d0937490b895e1f21b
MD5 hash:
d70e739d3a8486ac1daa47c71b09011b
SHA1 hash:
e571d26761b205d575cb69a453af709bee45869a
Link:
https://www.unpac.me/results/360123d2-af41-44b4-9581-50394a43ce6a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d26eb6a88c035ccf77d7fa007cc052fb2e423cda3ad120d0937490b895e1f21b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/337178/
  
URLhaus
https://urlhaus.abuse.ch/url/2429753/

Comments