MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db4d9628d02ae5e9812156655106fddf94c4f09b2702fea9601596c97b9fdae6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db4d9628d02ae5e9812156655106fddf94c4f09b2702fea9601596c97b9fdae6
SHA3-384 hash: 46f03f4884a5864f491a4db1d586660f7f9415b490c4e793546b4b76bd7212c0cbf47411f5c4bba8103ffb3246b0cd48
SHA1 hash: 6d4b2b626f43574dc1900866a0c795a51f7ff7c9
MD5 hash: 534e51a46991ffda9320d006a832e397
humanhash: thirteen-undress-floor-west
File name:Windows11InstaIIation.scr
Download: download sample
File size:7'702'865 bytes
First seen:2022-06-29 14:35:49 UTC
Last seen:2022-06-29 15:43:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef14c7211c9daf1fc82bc1c881e40304
ssdeep 196608:bSa8BvRLqFECK9HHyxqyrWj6PaY7/TumI:2a8BvRLqnK9yxqX1m/S
TLSH T1177633837793A1F1C44B4A304F23D16EF7305251C7FACEC7A394265A6D629E6393938A
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter stoerchl
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284276/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/22877/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/62bc6356a17f249ae3e62a35/reports/b8b03460-ba62-4d93-85f0-569b846bf9b4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18437f23-34e8-494a-81bb-86029182be17
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1021953
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 654449 Sample: Windows11InstaIIation.scr Startdate: 29/06/2022 Architecture: WINDOWS Score: 88 63 Snort IDS alert for network traffic 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 4 other signatures 2->69 12 Windows11InstaIIation.scr 2->12         started        process3 signatures4 77 Tries to detect virtualization through RDTSC time measurements 12->77 15 Windows11InstaIIation.scr 19 12->15         started        process5 dnsIp6 59 adminer-trackworld.com 104.21.42.214, 443, 49717, 49718 CLOUDFLARENETUS United States 15->59 61 pronetdataservice.com 104.21.53.189, 443, 49720 CLOUDFLARENETUS United States 15->61 43 C:\Users\user\AppData\Roaming\...\sysctle.exe, PE32 15->43 dropped 45 C:\Users\user\AppData\...\noterers[1].txt, PE32 15->45 dropped 19 sysctle.exe 2 15->19         started        23 powershell.exe 22 15->23         started        file7 process8 file9 53 C:\Users\user\AppData\Local\...\sysctle.tmp, PE32 19->53 dropped 71 Multi AV Scanner detection for dropped file 19->71 73 Obfuscated command line found 19->73 25 sysctle.tmp 3 13 19->25         started        75 Tries to harvest and steal browser information (history, passwords, etc) 23->75 28 conhost.exe 23->28         started        signatures10 process11 file12 55 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 25->55 dropped 30 sysctle.exe 2 25->30         started        process13 file14 57 C:\Users\user\AppData\Local\...\sysctle.tmp, PE32 30->57 dropped 79 Obfuscated command line found 30->79 34 sysctle.tmp 3 16 30->34         started        signatures15 process16 file17 47 C:\Users\user\AppData\...\is-4AU3K.tmp, PE32 34->47 dropped 49 C:\Users\user\AppData\...\diskinfo.scr (copy), PE32 34->49 dropped 51 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 34->51 dropped 37 taskkill.exe 1 34->37         started        39 diskinfo.scr 34->39         started        process18 process19 41 conhost.exe 37->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db4d9628d02ae5e9812156655106fddf94c4f09b2702fea9601596c97b9fdae6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-06-29 14:36:21 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ngzmkgqfls6tajbkzsvcbx536kmj4e3e4bp5klacwlms6473lta._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220629-ryj8tsbhf4/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
db4d9628d02ae5e9812156655106fddf94c4f09b2702fea9601596c97b9fdae6
MD5 hash:
534e51a46991ffda9320d006a832e397
SHA1 hash:
6d4b2b626f43574dc1900866a0c795a51f7ff7c9
Link:
https://www.unpac.me/results/64ca93c0-d741-45f0-86d0-cad54f27abc7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db4d9628d02ae5e9812156655106fddf94c4f09b2702fea9601596c97b9fdae6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:VMProtectStub
Create hunting rule
Author:@bartblaze
Description:Identifies VMProtect packer stub.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe db4d9628d02ae5e9812156655106fddf94c4f09b2702fea9601596c97b9fdae6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/284276/

Comments