MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d
SHA3-384 hash: b78fe204ca7ea83a0efdd9e79e060139daadbb43f0228337719eaebe2b928e19afcacf8f0e0a5cc2baf396fd7491094d
SHA1 hash: b3cfe5db4df2754e23aefd71067f87ca81b2d7b1
MD5 hash: 8589fe09a6ad2bdc47a753125086f742
humanhash: edward-april-single-video
File name:8589fe09a6ad2bdc47a753125086f742
Download: download sample
File size:17'281'170 bytes
First seen:2023-05-13 20:36:28 UTC
Last seen:2023-05-13 22:27:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d363d3b473a6c355539abd95921390d (4 x ValleyRAT, 3 x FatalRAT, 1 x YoungLotus)
ssdeep 196608:WcywI4gKOVUosfPfgy4f1SEmaa7jgs2EnIyolKU72urtYF6N6YHYU4vcv0NXAAqL:0wI4Zhoc0AAEnwluI0Y4UKXxUsDcFn
Threatray 15 similar samples on MalwareBazaar
TLSH T19E07F121724AC427D56A02B1696CDA9F9138BF720B7254DBB3DC3D6E4BB44C21336E27
TrID 56.9% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
33.6% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0ef8829ccc61f0b2 (1 x RecordBreaker)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8589fe09a6ad2bdc47a753125086f742
Verdict:
Malicious activity
Analysis date:
2023-05-13 20:38:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75b72e31-44f5-4f75-92f2-f74c3a4d73ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win64.Krypt.22999.32540.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for the window
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint greyware msiexec.exe overlay packed setupapi.dll shell32.dll tofsee
Link:
https://www.filescan.io/uploads/645ff4f1446f9ce94a65a79e/reports/5c0972fb-e189-47a7-9db9-f904fed36024/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c3711120-50ee-4741-acb0-5fabf8dd0fb1
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1232227
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 865205 Sample: 7zCia3diaj.exe Startdate: 13/05/2023 Architecture: WINDOWS Score: 60 44 Multi AV Scanner detection for dropped file 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Machine Learning detection for dropped file 2->48 6 msiexec.exe 89 48 2->6         started        9 7zCia3diaj.exe 25 2->9         started        process3 file4 30 C:\Windows\Installer\MSIE515.tmp, PE32 6->30 dropped 32 C:\Windows\Installer\MSIDF08.tmp, PE32 6->32 dropped 34 C:\Windows\Installer\MSIDE9A.tmp, PE32 6->34 dropped 42 7 other malicious files 6->42 dropped 11 msiexec.exe 6->11         started        13 msiexec.exe 1 6->13         started        15 msiexec.exe 6->15         started        17 msiexec.exe 6->17         started        36 C:\Users\user\AppData\Local\...\shi95D4.tmp, PE32+ 9->36 dropped 38 C:\Users\user\AppData\Local\...\MSI98C4.tmp, PE32 9->38 dropped 40 C:\Users\user\AppData\Local\...\MSI973C.tmp, PE32 9->40 dropped 19 msiexec.exe 12 9->19         started        process5 file6 22 C:\Users\user\AppData\Local\...\MSI9FCD.tmp, PE32 19->22 dropped 24 C:\Users\user\AppData\Local\...\MSI9F01.tmp, PE32 19->24 dropped 26 C:\Users\user\AppData\Local\...\MSI9DD7.tmp, PE32 19->26 dropped 28 4 other malicious files 19->28 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2sjd2n2hofgq3da7niwo5rpmcxdcscydb2biikp5hhw42som6j6q._file
Verdict:
unknown
Similar samples:
082ac271e7068243ead494e9447288e5969d22bc461e6de9dd1203145a203a73
4f6cb888a4dfade727490683feaee96679d7044f0181799c18a8c7060cb8dab3
9d2321341dc5804543514a81cab9aac8dbc52466c77bad98a3835819cb9d9c7d
a69e7a0ef0e1cbd6f95b5fbea1a9c297d49bac80bc158b0016b8381081015def
bf13eb2026e85f67cbe27ba0ba349a615776976ae8c47ae979335a7d556e04bc
e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230513-zd5ysshc54/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Enumerates connected drives
Loads dropped DLL
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2631396/

Comments


Avatar
zbet commented on 2023-05-13 20:36:34 UTC

url : hxxp://207.154.211.201/ProtonVPN_v3.0.5.exe