MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9ce2ae26ef828242795235373849f97eaf395f19607f1b12258e0608cbc5626. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9ce2ae26ef828242795235373849f97eaf395f19607f1b12258e0608cbc5626
SHA3-384 hash: 449369054d4a5ec2f23ca10bfdca2256a9df852e54dd93c9f6d7768ff6e0071ebac1fc6d8ca463acddae17c5f7adb0a4
SHA1 hash: 9db1406fbc0e89f5185daf37668c3e9d67ca1ec9
MD5 hash: d7f944f146605de5cf91a89d52a44700
humanhash: finch-eleven-paris-robert
File name:d7f944f146605de5cf91a89d52a44700.exe
Download: download sample
File size:1'301'862 bytes
First seen:2023-02-22 11:02:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ab9ff6e4872ea2766a5f5c6af5649e9d (20 x CryptOne, 13 x RedLineStealer, 6 x RecordBreaker)
ssdeep 24576:gJr8tE+gHqVURtEVKpVB+E973kjnn1q2y3DtiLGcO1VoLrUp6QyLB:gJ4Nq3SE97YshTHoLrUpUB
Threatray 152 similar samples on MalwareBazaar
TLSH T14C551202BEC149B1D57325351EF2AB30A93C3C612BB28DCB57A4675E6E304D1DA36B63
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d7f944f146605de5cf91a89d52a44700.exe
Verdict:
Malicious activity
Analysis date:
2023-02-22 11:43:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5c361395-40d4-44db-8729-0e5f4cfea7d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368973/
Detection(s):
SecuriteInfo.com.Variant.Fugrafa.249470.10364.14457.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72197/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63f5f66b42bf85850e3f382a/reports/b6d8b190-fc48-44b6-837c-b03f036b926d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d9ce2ae26ef828242795235373849f97eaf395f19607f1b12258e0608cbc5626
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9c542bd-64d7-404b-a49e-e2eebf06d665
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1180540
Signature
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813375 Sample: IUAMEZyT6Z.exe Startdate: 22/02/2023 Architecture: WINDOWS Score: 64 24 Multi AV Scanner detection for dropped file 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Machine Learning detection for sample 2->28 9 IUAMEZyT6Z.exe 3 8 2->9         started        process3 file4 22 C:\Users\user\AppData\Local\Temp\~zFaoY.cpl, PE32 9->22 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        signatures7 32 Tries to detect sandboxes / dynamic malware analysis system (file name check) 14->32 17 rundll32.exe 14->17         started        process8 process9 19 rundll32.exe 17->19         started        signatures10 30 Tries to detect sandboxes / dynamic malware analysis system (file name check) 19->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9ce2ae26ef828242795235373849f97eaf395f19607f1b12258e0608cbc5626/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 11:03:10 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3hhcvyto7aucij4venjxhbe7s7vphfprsyd7dmjcldqgbdf4kyta._file
Verdict:
malicious
Similar samples:
023ba111fa8dccee3ae3eaff7cbab1927096fb47ee58e8983eb2a5241d4557d7
049c85c420d5b7b01316bd54cac073421f0f2a6d3af1dc6bf49a494bb9356c02
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
70caeb1acf2902a83cc604e44bffed2b43c0698a5e101f12b6f1a6f9eeccc546
b4bd83aafbbe1e231c5793ee0a926878773229d9afe79b776bdb175a544b7567
f0befbf3bc4aab1422ef8653f2a85d6ffa0f1eba7f9cecb5a5279600a6daabee
f36a8b642ad4cbf276e83861df2328926ec3f899794036e30736e63a9d078185
f8ba98c4f7f9ccf0520492b17b56a57e69c7624e497fca78007766cdce05b947
fbf0bff34976f2b3c25bd9b123bbe7639273eae1c0fcd58587dd6722231dbc61
+ 142 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230222-m5qa7sba43/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
d9ce2ae26ef828242795235373849f97eaf395f19607f1b12258e0608cbc5626
MD5 hash:
d7f944f146605de5cf91a89d52a44700
SHA1 hash:
9db1406fbc0e89f5185daf37668c3e9d67ca1ec9
Link:
https://www.unpac.me/results/9f0cb71a-f32f-4ca6-84ee-a21815ef5eac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9ce2ae26ef828242795235373849f97eaf395f19607f1b12258e0608cbc5626

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d9ce2ae26ef828242795235373849f97eaf395f19607f1b12258e0608cbc5626

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2534708/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/368973/

Comments