MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2d3341ddcf1ff2a33413e05391689db8b17d1666b37bd4ef8f7ae3d73ef4352. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2d3341ddcf1ff2a33413e05391689db8b17d1666b37bd4ef8f7ae3d73ef4352
SHA3-384 hash: fd673ea1dcab8c3e12281c5b7d6438eab09e0b10ed5b3e4490ba9254722338f94e875ef81409c5b5c19ac66c1ef57bad
SHA1 hash: e1634073c1fd3a88e65e21d19edb108b60cbdd63
MD5 hash: f12d41a888b7e3fd03c3c5347c6ee778
humanhash: spaghetti-don-mars-bakerloo
File name:f12d41a888b7e3fd03c3c5347c6ee778
Download: download sample
File size:1'537'500 bytes
First seen:2024-01-01 04:05:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 24576:XWljQk33d4AGvTiszKXiP5Yh8ynFNCJRkjFdOdqj1xCjBTXaUbyJhn8yePX7tEfm:Cl+AMTXyixYhxaJ2jTj1Mj5Ry7n8Am
Threatray 9 similar samples on MalwareBazaar
TLSH T17F6533BCF7C9AD4FD05906F089424231EDAFDE14B522A4E51228EAB90DF2674723D74B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.FileRepMalware.5133.5182.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Modifying a system file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65923a2dffafd83ebca21f39/reports/59a5bb38-739b-4a36-86cb-7a362bab65ac/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d2d3341ddcf1ff2a33413e05391689db8b17d1666b37bd4ef8f7ae3d73ef4352
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03fc3ac6-e4a7-403b-89e8-18d23ba9167e
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1368472
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368472 Sample: R3BcLtsXMd.exe Startdate: 01/01/2024 Architecture: WINDOWS Score: 64 43 su.eda1.ru 2->43 47 Multi AV Scanner detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 .NET source code contains potential unpacker 2->51 53 Machine Learning detection for sample 2->53 8 R3BcLtsXMd.exe 6 57 2->8         started        11 KKMAgent.exe 15 29 2->11         started        14 KKMAgent.exe 2->14         started        signatures3 process4 dnsIp5 31 C:\Users\user\AppData\...\uninstall.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\Roaming\...\TSCLIB.dll, PE32 8->33 dropped 35 C:\Users\user\AppData\...\SushkovMessages.dll, PE32 8->35 dropped 41 13 other files (12 malicious) 8->41 dropped 45 su.eda1.ru 213.189.216.94, 443, 49706, 49709 INTERNET-PRO-ASRU Russian Federation 11->45 37 C:\Users\user\AppData\Local\...\tmp24CE.tmp, PE32 11->37 dropped 39 C:\Users\user\AppData\...\kkm.exe (copy), PE32 11->39 dropped 16 kkm.exe 35 11->16         started        19 WerFault.exe 21 14->19         started        file6 process7 file8 23 C:\Users\user\AppData\Roaming\...\QRCoder.dll, PE32 16->23 dropped 25 C:\Users\user\AppData\Roaming\...\KKMLib.dll, PE32 16->25 dropped 27 C:\Users\user\AppData\...\HtmlAgilityPack.dll, PE32 16->27 dropped 29 2 other files (none is malicious) 16->29 dropped 21 KKMAgent.exe 16->21         started        process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d2d3341ddcf1ff2a33413e05391689db8b17d1666b37bd4ef8f7ae3d73ef4352
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2d3341ddcf1ff2a33413e05391689db8b17d1666b37bd4ef8f7ae3d73ef4352/
Threat name:
Win32.Downloader.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2024-01-01 04:06:11 UTC
File Type:
PE (Exe)
Extracted files:
184
AV detection:
14 of 22 (63.64%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ljtiho46h7sum2bhyctsfuj3ofrpulgnm332txy66xd247pinja._file
Verdict:
unknown
Similar samples:
0eb49cae715e2f31551ea4afa64045540ed77ab891ba1864660b74af64a16971
1f0c96d7ee0d9664c0085394604a9137abc292a52c871f4bc3b5245627961573
36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be
893e517f08913e1199a8c77dcc77302c7474cfe4f202c956f4d602d38d777b42
c9944c04100d2b5d75b8bff00359b3bef6481bdb72d965032ac800d99cb4fe1a
d2d3341ddcf1ff2a33413e05391689db8b17d1666b37bd4ef8f7ae3d73ef4352
f4865aacbca098c07aea1e49efe9bf55dd13b0120b9f29cf49575532ede8ef04
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240101-en3wzadhh5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Unpacked files
SH256 hash:
d2d3341ddcf1ff2a33413e05391689db8b17d1666b37bd4ef8f7ae3d73ef4352
MD5 hash:
f12d41a888b7e3fd03c3c5347c6ee778
SHA1 hash:
e1634073c1fd3a88e65e21d19edb108b60cbdd63
Link:
https://www.unpac.me/results/114413e0-2d48-4343-a5cc-054d83ccf7ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2d3341ddcf1ff2a33413e05391689db8b17d1666b37bd4ef8f7ae3d73ef4352

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d2d3341ddcf1ff2a33413e05391689db8b17d1666b37bd4ef8f7ae3d73ef4352

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2745588/

Comments


Avatar
zbet commented on 2024-01-01 04:05:37 UTC

url : hxxp://su.eda1.ru/dist/kkm/kkm_fix_old.exe