MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7b2ab2296706b8e8586c93424b43546566c201eb971f5c293b9c2ed2aad138c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7b2ab2296706b8e8586c93424b43546566c201eb971f5c293b9c2ed2aad138c
SHA3-384 hash: 788d249422bf3058874c0bd8b9783b8faeafe80a0bee8098818d6f9caa7ba87f1ea7661c7b41c9174344f4886fe1f75d
SHA1 hash: 1be9bf4c35d022cd6e4bf457b44ce24e16a6051b
MD5 hash: 1426afb1b2ca6d16ab765a5e086a327c
humanhash: violet-butter-xray-butter
File name:NEW_DESIGN_SPECIFICATION_SAMPLE_DRAWINGS.cmd
Download: download sample
File size:1'252'951 bytes
First seen:2024-09-13 11:55:24 UTC
Last seen:2024-09-13 12:29:23 UTC
File type:cmd cmd
MIME type:text/plain
ssdeep 24576:t9zeLzb0SUOzmK9F1Yy+lchR22DM3Unmc/TyAV0KOuNXUoLq:zCz4SUG12lcz5DCsLvXUR
TLSH T1994533E31D452F7B020AEB73459B2B3C1B568F63E31EF0E987F916470A6E2419637912
Magika powershell
Reporter smica83
Tags:cmd HUN UNC2452

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BAT.Agent.AXJ.Eldorado.27948.30889.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e4285502c7d3d9942f7571
Tags:
Encryption Execution Infostealer Network Stealth Trojan
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd lolbin powershell
Link:
https://www.filescan.io/uploads/66e42853a3dc5ebf6be26108/reports/c85372dc-9138-4d76-ac0b-7c96a26dc23f/overview
Verdict:
Malicious
Labled as:
Trojan/PS.Encpe
Link:
https://www.hybrid-analysis.com/sample/d7b2ab2296706b8e8586c93424b43546566c201eb971f5c293b9c2ed2aad138c
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1510767
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: TrustedPath UAC Bypass Pattern
Suspicious command line found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1510767 Sample: NEW_DESIGN_SPECIFICATION_SA... Startdate: 13/09/2024 Architecture: WINDOWS Score: 100 63 ipinfo.io 2->63 67 Malicious sample detected (through community Yara rule) 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 8 other signatures 2->73 9 cmd.exe 1 2->9         started        12 svchost.exe 1 1 2->12         started        15 cmd.exe 2->15         started        signatures3 process4 dnsIp5 83 Very long command line found 9->83 85 Suspicious command line found 9->85 17 powershell.exe 14 37 9->17         started        22 conhost.exe 9->22         started        24 cmd.exe 1 9->24         started        65 127.0.0.1 unknown unknown 12->65 26 conhost.exe 15->26         started        signatures6 process7 dnsIp8 59 193.124.185.91, 49729, 5042 IHOR-ASRU Russian Federation 17->59 61 ipinfo.io 34.117.59.81, 49728, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 17->61 51 C:\Windows \System32\MLANG.dll, PE32+ 17->51 dropped 53 C:\Users\user\AppData\Local\Temp\MLANG.dll, PE32+ 17->53 dropped 55 C:\Users\user\AppData\Roaming\SC.cmd, ASCII 17->55 dropped 57 C:\Windows \System32\ComputerDefaults.exe, PE32+ 17->57 dropped 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->75 77 Suspicious powershell command line found 17->77 79 Tries to harvest and steal browser information (history, passwords, etc) 17->79 81 2 other signatures 17->81 28 cmd.exe 1 17->28         started        31 powershell.exe 17->31         started        33 powershell.exe 36 17->33         started        35 3 other processes 17->35 file9 signatures10 process11 signatures12 87 Drops executables to the windows directory (C:\Windows) and starts them 28->87 37 conhost.exe 28->37         started        39 ComputerDefaults.exe 12 28->39         started        89 Loading BitLocker PowerShell Module 31->89 41 conhost.exe 31->41         started        43 WmiPrvSE.exe 31->43         started        45 conhost.exe 33->45         started        91 Found many strings related to Crypto-Wallets (likely being stolen) 35->91 47 conhost.exe 35->47         started        49 conhost.exe 35->49         started        process13
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d7b2ab2296706b8e8586c93424b43546566c201eb971f5c293b9c2ed2aad138c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7b2ab2296706b8e8586c93424b43546566c201eb971f5c293b9c2ed2aad138c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=26zkwiuwobvy5bmgze2cjnbvizlgyia6xfy7lqutxhbo2kvncoga._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution
Link:
https://tria.ge/reports/240913-n31vlazepn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Indicator Removal: File Deletion
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d7b2ab229670/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7b2ab2296706b8e8586c93424b43546566c201eb971f5c293b9c2ed2aad138c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

cmd cmd d7b2ab2296706b8e8586c93424b43546566c201eb971f5c293b9c2ed2aad138c

(this sample)

Executable exe 53493edddf3e4509f791d0e26ea80d8b2283aa95a0f4e263ebb8fc1e7d8d9c82

  
Dropping
SHA256 53493edddf3e4509f791d0e26ea80d8b2283aa95a0f4e263ebb8fc1e7d8d9c82
  
Dropping
MD5 d4f7ff46bb9412b90e8f091f6a9115c3

Comments