MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd4a00fe56aabe5a7363d46a01c6197d9c8a860c4ba3bffb6ad9bf9f40874187. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Athena


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd4a00fe56aabe5a7363d46a01c6197d9c8a860c4ba3bffb6ad9bf9f40874187
SHA3-384 hash: 87069bfe3de860e318966947b9b2a2fdd1714288ac55cdee763c2b2589990d84189720497c7b13a25c5ea3f7ab26142f
SHA1 hash: b6a2ea93e9a89ac68bc6ff739f0722b88e0f39b8
MD5 hash: 584ce19705c3c4036039570ff18def4f
humanhash: kilo-august-december-montana
File name:584ce19705c3c4036039570ff18def4f
Download: download sample
Signature Athena
Create hunting rule
File size:193'872 bytes
First seen:2021-06-13 18:08:57 UTC
Last seen:2021-06-13 18:35:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:eiQDkuJjwWhYSjaCICE8XnNa3RTXpArN4i4yrKPmSrqhD/ZZjgx8URjBDfu8llh4:exDkuJMWOGICE8XnNa3RTXpArN4i4yrj
TLSH 0714550D2AC493975813F5F68613F5271AD340096D56CAFF8C2EDEBA96E1B78043D88B
Reporter zbetcheckin
Tags:32 Athena exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
584ce19705c3c4036039570ff18def4f
Verdict:
Malicious activity
Analysis date:
2021-06-13 18:09:55 UTC
Tags:
trojan athena
Link:
https://app.any.run/tasks/ee271a6f-9b53-402d-97ad-818d53851bed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.833.20234.17074.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Sending a UDP request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Creating a file in the Windows subdirectories
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54182790-0dc9-4f4e-8733-3b7dd96f4f84
Result
Threat name:
AthenaHTTP
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/801386
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected AntiVM3
Yara detected AthenaHTTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 433782 Sample: JQ4asIjf15 Startdate: 13/06/2021 Architecture: WINDOWS Score: 100 71 vweb16.nitrado.hosting 194.169.211.111, 49731, 49734, 49744 MARBISDE Germany 2->71 73 ni2748194-1.web16.nitrado.hosting 2->73 75 192.168.2.1 unknown unknown 2->75 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Multi AV Scanner detection for domain / URL 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 13 other signatures 2->85 10 JQ4asIjf15.exe 3 2->10         started        14 68cKHdLxH6badWc.exe 2->14         started        16 svchost.exe 2->16         started        19 2 other processes 2->19 signatures3 process4 dnsIp5 59 C:\Users\user\AppData\...\JQ4asIjf15.exe.log, ASCII 10->59 dropped 89 Injects a PE file into a foreign processes 10->89 21 JQ4asIjf15.exe 15 4 10->21         started        61 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 14->61 dropped 91 Hides threads from debuggers 14->91 69 127.0.0.1 unknown unknown 16->69 file6 signatures7 process8 dnsIp9 77 furyx.de 104.21.43.105, 443, 49717 CLOUDFLARENETUS United States 21->77 57 C:\Users\user\AppData\Local\...\winlogin.exe, PE32 21->57 dropped 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->87 26 winlogin.exe 9 9 21->26         started        file10 signatures11 process12 file13 63 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 26->63 dropped 65 C:\Users\user\AppData\...\68cKHdLxH6badWc.exe, PE32 26->65 dropped 67 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 26->67 dropped 93 Multi AV Scanner detection for dropped file 26->93 95 Machine Learning detection for dropped file 26->95 97 Drops PE files to the startup folder 26->97 99 5 other signatures 26->99 30 cmd.exe 26->30         started        32 powershell.exe 9 26->32         started        34 powershell.exe 8 26->34         started        36 8 other processes 26->36 signatures14 process15 file16 39 conhost.exe 30->39         started        41 timeout.exe 30->41         started        43 conhost.exe 32->43         started        45 conhost.exe 34->45         started        55 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 36->55 dropped 47 AdvancedRun.exe 36->47         started        49 conhost.exe 36->49         started        51 conhost.exe 36->51         started        53 4 other processes 36->53 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd4a00fe56aabe5a7363d46a01c6197d9c8a860c4ba3bffb6ad9bf9f40874187/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-10 02:04:00 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3vfab7swvk7fu43d2rvadrqzpwoivbqmjor3763k3g7z6qehigdq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210613-f1kz7p8e8s/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Uses the VBS compiler for execution
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
c33c778a621840e0a320c259278539390359a456bd71da3d31da2fd5584ad28f
MD5 hash:
48b61c240143c825d3536addd778ae51
SHA1 hash:
671086fd9191d8e0627fa329b29790caa0893f43
Link:
https://www.unpac.me/results/3373b3f9-215e-4382-b07d-ba5a7246e39a/
SH256 hash:
948515d78805ee48854e5c9563a808000aa2ccdc116a7a04c595e97fd383ad80
MD5 hash:
f93e0b56d6adecb42f9c240ae788dfc4
SHA1 hash:
1801bc4f1d4a617a679a01d3df89126494fa03ed
Link:
https://www.unpac.me/results/3373b3f9-215e-4382-b07d-ba5a7246e39a/
SH256 hash:
dd4a00fe56aabe5a7363d46a01c6197d9c8a860c4ba3bffb6ad9bf9f40874187
MD5 hash:
584ce19705c3c4036039570ff18def4f
SHA1 hash:
b6a2ea93e9a89ac68bc6ff739f0722b88e0f39b8
Link:
https://www.unpac.me/results/3373b3f9-215e-4382-b07d-ba5a7246e39a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/dd4a00fe56aabe5a7363d46a01c6197d9c8a860c4ba3bffb6ad9bf9f40874187

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AthenaHTTP
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify Athena HTTP
Rule name:AthenaHTTP_v2
Create hunting rule
Author:Jason Jones <jasonjones@arbor.net>
Description:Athena HTTP identification
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox product IDs
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Athena

Executable exe dd4a00fe56aabe5a7363d46a01c6197d9c8a860c4ba3bffb6ad9bf9f40874187

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1362093/

Comments