MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db9a6efd5d64ba0ba1783c51b6d430873518fa032bf5265c6837c7674321e183. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db9a6efd5d64ba0ba1783c51b6d430873518fa032bf5265c6837c7674321e183
SHA3-384 hash: 2eb24b17960b8beec9e732b385081fbdf387c158943a62b2fdebfb462d24186af41a05e40d9530a3d5a0965906c9af8b
SHA1 hash: 296f7044fbe267530a3ec2c42358dfbc888be716
MD5 hash: 4b841b2225c04a0352899ed423d360a0
humanhash: harry-idaho-kentucky-zulu
File name:02.08.2022.exe
Download: download sample
File size:13'607'144 bytes
First seen:2022-11-09 11:16:21 UTC
Last seen:2022-11-09 12:55:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d1de500e42d2702177623521d4e86120
ssdeep 393216:y/BXKlKJgjelKYITBPoOpLKBO1IlVJHYShYfLN:mXQKJgjeluQoOBMIvJH8
Threatray 17 similar samples on MalwareBazaar
TLSH T1F9D6333AB2B389FFE0C4D5B544AA65A3EC60BD9B0570C0D30D567A346759CE8EE053CA
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Nuitka-9959738-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a window
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/50476/overview
Behaviour
MalwareBazaar
GetTempPath
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/636b8c31651d1d5cca6468c0/reports/6b8e3d79-a953-430a-b982-0cecbd6676bb/overview
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/011761a4-5f2f-400b-bf00-ee8b2d57cd3d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1109214
Signature
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db9a6efd5d64ba0ba1783c51b6d430873518fa032bf5265c6837c7674321e183/
Threat name:
Win64.Trojan.Tedy
Create hunting rule
Status:
Malicious
First seen:
2022-08-02 09:14:35 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
12 of 41 (29.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ong57k5ms5axilyhri3nvbqq42rr6qdfp2smxdig7dwoqzb4gbq._file
Verdict:
malicious
Similar samples:
348f79dc98ed91d11dea91d8295eac25cbd8a67daaa52ab0120708d2c7bde40c
3fe6c3edb6593444aaed9ae78a6164a3c98a10a32012d32c35ca4aa987db2c61
41104b0bca83d8661e6b5d4522777deaaf76d5242e9796150de0e11a1602286d
438a7ec2cc82a114b13aa6b44ae9b044597d1d0643ec1d138a39fe24628fe4df
6399814e06253b852792dccb2e02cd468233cf5ada2ed39e5f7202e8d24f8901
939cf3bc807b3f9970feb3dbce7c082541f9475bf1d0cc53aa17afc7bab7cd53
a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e677e003d3adf74f4e9ec
ba8dd9dce58e357ee307686279eae636f20fbc8bb03a441f79697bcba63a009c
cf68ac02858c0053067b47b24338b564aeb92f25310765a2bad8928174285a62
fde6da45bacb901c194e7443ed04aba47a388cb5ee4fb193f0e528e1abc4cabb
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/221109-ndp2ssgdd3/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
db9a6efd5d64ba0ba1783c51b6d430873518fa032bf5265c6837c7674321e183
MD5 hash:
4b841b2225c04a0352899ed423d360a0
SHA1 hash:
296f7044fbe267530a3ec2c42358dfbc888be716
Link:
https://www.unpac.me/results/14004164-066c-42ee-9edb-cfc9946fa1a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/db9a6efd5d64ba0ba1783c51b6d430873518fa032bf5265c6837c7674321e183

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe db9a6efd5d64ba0ba1783c51b6d430873518fa032bf5265c6837c7674321e183

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2405982/
  
Delivery method
Distributed via web download

Comments