MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d41295c513c151fa5a6a0afd777b1f6cd7d8b7c94af994e22d76f6c7b402f796. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HawkEye


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d41295c513c151fa5a6a0afd777b1f6cd7d8b7c94af994e22d76f6c7b402f796
SHA3-384 hash: 8fa9a94b52e5b441fe22a3c2851fc0cf04fe3949af7cd8b180ed51b8c5f0e40059803cdd64dd8c2d4ea8219d29e46c08
SHA1 hash: 9aecf5f83a446d660c72a2d7790888d7c5ebdea4
MD5 hash: 1d368d5b842ebf13854b951a72ecf7dd
humanhash: violet-red-purple-rugby
File name:d4.exe
Download: download sample
Signature HawkEye
Create hunting rule
File size:49'920 bytes
First seen:2021-11-26 13:53:10 UTC
Last seen:2021-11-26 15:58:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:gA6V/KaqKsWMCaeSCzhihc51rcj5Us6vCIXYQPhYVDrgHa/Dw1Im7HPxGZ7XSj9h:gTHzM1Qhihc51f2Kwk1IGpG89yW4y
Threatray 715 similar samples on MalwareBazaar
TLSH T10C23820227E64114F1B64A35AD76C2300B37BD59AE32C62E15CCAD8F3BB7B144D92B63
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter 0x746f6d6669
Tags:exe HawkEye

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d4.exe
Verdict:
Malicious activity
Analysis date:
2021-11-26 13:56:05 UTC
Tags:
opendir
Link:
https://app.any.run/tasks/13a8c7df-dcb8-4024-9d26-ef65e2f6ea8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
ditekSHen.MALWARE.Win.Trojan.NWorm.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Running batch commands
Creating a process from a recently created file
Launching the process to change the firewall settings
Сreating synchronization primitives
Launching the process to change network settings
Launching a service
Launching a process
DNS request
Using the Windows Management Instrumentation requests
Changing the hosts file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint obfuscated overlay packed packed powershell stealer
Link:
https://www.filescan.io/uploads/61a0e6fff36138de3f3f1233/reports/b0b209bb-50ab-4f6e-a12c-3d546675a1f3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/471e302c-91c2-47ee-b3f3-b3d516737f50
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896765
Signature
Bypasses PowerShell execution policy
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Machine Learning detection for sample
Modifies the hosts file
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Change PowerShell Policies to a Unsecure Level
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses whoami command line tool to query computer and username
Writes or reads registry keys via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 529240 Sample: d4.exe Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 55 8.8.8.8.in-addr.arpa 2->55 57 dns.google 2->57 75 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Machine Learning detection for sample 2->79 81 2 other signatures 2->81 9 d4.exe 3 2->9         started        signatures3 process4 file5 53 C:\Windows\System32\drivers\etc\hosts, ASCII 9->53 dropped 91 Bypasses PowerShell execution policy 9->91 93 Uses netsh to modify the Windows network and firewall settings 9->93 95 Modifies the hosts file 9->95 97 Modifies the windows firewall 9->97 13 powershell.exe 15 61 9->13         started        16 cmd.exe 2 9->16         started        20 netsh.exe 3 9->20         started        22 4 other processes 9->22 signatures6 process7 dnsIp8 65 mafube45655731.ngrok.io 3.17.7.232, 49811, 80 AMAZON-02US United States 13->65 67 ec2-3-239-215-107.compute-1.amazonaws.com 3.239.215.107, 49812, 9001 AMAZON-AESUS United States 13->67 24 cmd.exe 13->24         started        27 conhost.exe 13->27         started        51 C:\Users\user\Desktop\tor.exe, PE32 16->51 dropped 69 Uses ipconfig to lookup or modify the Windows network settings 16->69 71 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 16->71 73 Uses whoami command line tool to query computer and username 16->73 29 conhost.exe 16->29         started        31 conhost.exe 20->31         started        33 conhost.exe 22->33         started        35 conhost.exe 22->35         started        37 conhost.exe 22->37         started        39 conhost.exe 22->39         started        file9 signatures10 process11 signatures12 83 Uses whoami command line tool to query computer and username 24->83 41 systeminfo.exe 24->41         started        44 NETSTAT.EXE 24->44         started        47 whoami.exe 24->47         started        49 ipconfig.exe 24->49         started        process13 dnsIp14 85 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 41->85 87 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 41->87 89 Writes or reads registry keys via WMI 41->89 59 29.220.184.93.in-addr.arpa 44->59 61 254.115.248.8.in-addr.arpa 44->61 63 8 other IPs or domains 44->63 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d41295c513c151fa5a6a0afd777b1f6cd7d8b7c94af994e22d76f6c7b402f796/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 10:15:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3a178349d762b6e0b164676fc67dc1658f7e3190bed841b0699f43213bca7b09
HawkEye
609924bb2e3350f494553b8a7e91916766dae319d2b17550c8d97b403fc00794
HawkEye
7a8e89beb8fa4a647a23d499115ff58be5246fe23160df7a404bb42610326d26
HawkEye
ac601a34b6e00a6409580aa29283f241b44a33785757354c846b3df4a3bf676f
HawkEye
ad2bf8487310a468bc4e71714b81d4616d75310206c6c35e8a7cd495b7f90c22
HawkEye
cad70669903576a958ddeca091837210a4dd5ff769da7ad1d50a31997850c705
HawkEye
dbba7dd4355342a19336aba7d468ecbdfb0d730287e8f8f28ed88ba445bab2fc
HawkEye
+ 705 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211126-q7jszscfcr/
Behaviour
Gathers network information
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Blocklisted process makes network request
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
HawkEye
Unpacked files
SH256 hash:
d41295c513c151fa5a6a0afd777b1f6cd7d8b7c94af994e22d76f6c7b402f796
MD5 hash:
1d368d5b842ebf13854b951a72ecf7dd
SHA1 hash:
9aecf5f83a446d660c72a2d7790888d7c5ebdea4
Link:
https://www.unpac.me/results/bf608366-6a9e-4425-a097-24b149df2500/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d41295c513c1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d41295c513c151fa5a6a0afd777b1f6cd7d8b7c94af994e22d76f6c7b402f796

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments