MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d648e8e94c0674e6b1bd537936a33a39c33d3429d34fb70b97ff7f60904c9c84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.Generic


Vendor detections: 7



SHA256 hash: d648e8e94c0674e6b1bd537936a33a39c33d3429d34fb70b97ff7f60904c9c84
SHA3-384 hash: d3f06622f90d857d9f034806751409a119f3339709ec45e26a151936e4b2678f71cb8ab5e670e46e883e6ac67faaad32
SHA1 hash: 90e49995309e8d20ab9596b1b8e6d80a90a5984b
MD5 hash: d857ed44ef2cf4d3e9676ecc68c149c9
humanhash: five-pizza-seventeen-princess
File name: codes.zip.exe
Signature: Adware.Generic
File size: 3'176'424 bytes
First seen: 2021-07-11 11:54:44 UTC
Last seen: 2021-07-11 13:32:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e00de6e48b9b06aceb12a81e7bf494c9 (20 x Adware.Generic, 1 x CoinMiner)
ssdeep: 98304:PG5QgxEwE6X/foVF2OjVvgxyJWiD+aS2OSrT0:PG5pjq2c8yYiD++fs
Threatray: 13 similar samples on MalwareBazaar
TLSH: T12BE533123CF54177FAC14872A8646ED4E0F8E6280FB14DE7375E8A2D7F3924192287E9
Reporter: Anonymous
Tags: Adware.Generic exe

Intelligence


File Origin
# of uploads:
2
# of downloads:
238
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
codes.zip.exe
Verdict:
No threats detected
Analysis date:
2021-07-11 11:58:05 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Signature
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Behavior Graph ID: 446809 (sample: codes.zip.exe, start date: 11/07/2021, architecture: WINDOWS, score: 64).
Process chain: codes.zip.exe starts installer.exe, which starts GenericSetup.exe.
Dropped files: C:\Users\user\AppData\Local\...\installer.exe (PE32), C:\Users\user\AppData\Local\...\sciter32.dll (PE32), C:\Users\user\...\DevLib.resources.dll (PE32) and 19 other files (none is malicious).
Network: installer.exe contacts flow.lavasoft.com (104.18.88.101, port 443, CLOUDFLARENETUS, United States), 127.0.0.1 and 192.168.2.1; GenericSetup.exe contacts blob.blaprdstr09a.store.core.windows.net (52.239.214.132, port 443, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), sos.adaware.com (104.16.236.79, port 443, CLOUDFLARENETUS, United States) and 4 other IPs or domains.
Signatures attached in the graph: multi AV scanner detection and double-extension file name on codes.zip.exe; WMI queries of Win32_NetworkAdapter, Win32_DiskDrive, Win32_Bios and Win32_BaseBoard (often done to detect virtual machines) on installer.exe.
Threat name:
Win32.PUA.Presenoker
Status:
Malicious
First seen:
2021-07-11 11:55:07 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
1/5
Result
Malware family:
n/a
Score:
8/10
Tags:
discovery
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks for any installed AV software in registry
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
