MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473
SHA3-384 hash: 1ea5a6cd502c630f0854298b76e738f59bfb069501c0fbf35d972f186269a294fd4d1ebf903991b00dabeefd1737240f
SHA1 hash: 857ac7db37e6d387f9f1f60a2541567684ce5489
MD5 hash: a7d44a32fcf911de0dae1b535ca3fa1a
humanhash: tango-green-sixteen-skylark
File name:a7d44a32fcf911de0dae1b535ca3fa1a.hta
Download: download sample
File size:5'350 bytes
First seen:2023-03-23 09:44:44 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:EazNSQrH2wsAFBYpy40RXK7iVOEoIhsH3ZWN95+FpAbNtWWOP3hImk9pFxgxsxaS:EazNSQrH2wsiBYpy40RXK7iVOEoIaHJg
TLSH T144B19B3C0B734D6750E3643DE8A82285DFC67C5BFD567B20CA0AA9817562F273A4743A
Reporter abuse_ch
Tags:hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Agent.GDRO.23692.3968.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/641c1fa0109d4db5166a37a6/reports/b6d9a072-9135-4391-8a1c-f77fc1de18e5/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1200240
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 833146 Sample: Yln1puFwnb.hta Startdate: 23/03/2023 Architecture: WINDOWS Score: 80 33 Snort IDS alert for network traffic 2->33 35 Antivirus detection for URL or domain 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Wscript called in batch mode (surpress errors) 2->39 7 mshta.exe 1 2->7         started        10 wscript.exe 1 2->10         started        process3 signatures4 41 Bypasses PowerShell execution policy 7->41 12 powershell.exe 15 27 7->12         started        43 Wscript starts Powershell (via cmd or directly) 10->43 17 powershell.exe 15 10->17         started        process5 dnsIp6 27 529f38d0-3744-4286-b484-be860d475d25.usrfiles.com 12->27 29 blogspot.l.googleusercontent.com 142.250.203.97, 443, 49684 GOOGLEUS United States 12->29 31 3 other IPs or domains 12->31 25 C:\ProgramData\...\CypherDeptography.~+~, ASCII 12->25 dropped 45 Uses schtasks.exe or at.exe to add and modify task schedules 12->45 19 conhost.exe 12->19         started        21 schtasks.exe 1 12->21         started        23 conhost.exe 17->23         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-22 20:48:00 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
4 of 37 (10.81%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ldryipsmqbwylacra2avvuisabkj3mpjxxhjwrvwfpxvcrgwrzq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230323-lq26sagg4t/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dac71c21f264/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HTML Application (hta) hta dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2581152/
  
Delivery method
Distributed via web download

Comments