MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d33ffbc628ac01f56c1f6d4f6d21821d71c239b0a028de77866cdaa8fa042e8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d33ffbc628ac01f56c1f6d4f6d21821d71c239b0a028de77866cdaa8fa042e8b
SHA3-384 hash: 260547e38319f38c4e19c39aedabf8a44509612c5689b8a03c61f55e9d14ff83161a46c31f49e600b83df27930cd8840
SHA1 hash: ef88c3aeffa552ed00f03b2dcf6f6e02ffa6dfab
MD5 hash: ae724c2ddf68e649225b81b29b911c31
humanhash: october-mango-bulldog-seventeen
File name:d33ffbc628ac01f56c1f6d4f6d21821d71c239b0a028de77866cdaa8fa042e8b
Download: download sample
File size:5'937'152 bytes
First seen:2023-05-18 14:06:05 UTC
Last seen:2023-05-20 14:55:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e3ef0bc385cf71984de079a17922d74e
ssdeep 98304:Xend5IJ5zoyGS//Ivc2i00XiJWIzu8TYp7ZQloj9ghi1RebMIg9Cbk/V8r04kdJD:XeGcyrIvy053Yp7ZmojDIg9Cbk/V8NSx
Threatray 2 similar samples on MalwareBazaar
TLSH T156569C11F858547EC15E21F1CEE9E678A72BED245BF5019372807EEA6A3028D392C35F
TrID 47.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
28.0% (.OCX) Windows ActiveX control (116521/4/18)
10.3% (.EXE) InstallShield setup (43053/19/16)
7.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
2.5% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 6edbb12b17172b96 (10 x Quakbot, 9 x Heodo, 7 x BazaLoader)
Reporter JaffaCakes118

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d33ffbc628ac01f56c1f6d4f6d21821d71c239b0a028de77866cdaa8fa042e8b
Verdict:
Malicious activity
Analysis date:
2023-05-18 16:06:09 UTC
Tags:
installer
Link:
https://app.any.run/tasks/3b87f87f-05ef-4072-950a-525d95fefb22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.11813.7176.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug greyware keylogger lolbin packed phishing shell32.dll
Link:
https://www.filescan.io/uploads/6466315d6687116ea47f4ace/reports/9ef00462-d7f2-4f84-b8e6-7eed2decc88a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d33ffbc628ac01f56c1f6d4f6d21821d71c239b0a028de77866cdaa8fa042e8b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/51b7b8a1-1ac5-4e69-8d20-6bd7a4eea1d4
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1236246
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 869243 Sample: HZ8Y6MTW1L.exe Startdate: 18/05/2023 Architecture: WINDOWS Score: 48 25 Multi AV Scanner detection for submitted file 2->25 7 HZ8Y6MTW1L.exe 10 2->7         started        11 medge.exe 2->11         started        process3 dnsIp4 21 gz.file.myqcloud.com 159.75.57.69, 443, 49698 TELE2EU China 7->21 23 test-1318139899.cos.ap-guangzhou.myqcloud.com 7->23 19 C:\Program Files (x86)\Sone\medge.exe, PE32 7->19 dropped 13 cmd.exe 7->13         started        15 medge.exe 7->15         started        file5 process6 process7 17 conhost.exe 13->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d33ffbc628ac01f56c1f6d4f6d21821d71c239b0a028de77866cdaa8fa042e8b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-18 06:08:10 UTC
File Type:
PE (Exe)
Extracted files:
820
AV detection:
12 of 37 (32.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2m77xrrivqa7k3a7nvhw2imcdvy4eonquaun454gntnkr6qef2fq._file
Verdict:
unknown
Similar samples:
14b8d9f4afcc17cc313c5b741754099eda1c99cc157754473dc6e068cdf9e1a0
ec5e56c47bcec243ce0d97b37a23831dcac32008a633bda4ddaf5d97af4018d6
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230518-regzcsbb8y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
d33ffbc628ac01f56c1f6d4f6d21821d71c239b0a028de77866cdaa8fa042e8b
MD5 hash:
ae724c2ddf68e649225b81b29b911c31
SHA1 hash:
ef88c3aeffa552ed00f03b2dcf6f6e02ffa6dfab
Link:
https://www.unpac.me/results/5cbd2080-3206-4843-87dd-c7e8862acfc4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d33ffbc628ac01f56c1f6d4f6d21821d71c239b0a028de77866cdaa8fa042e8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments