MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd997344dce3d994e5699152d72ac88184929de709b0a9426f8570c8225627fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13



SHA256 hash: dd997344dce3d994e5699152d72ac88184929de709b0a9426f8570c8225627fb
SHA3-384 hash: a21afe4c11e16665627db22712118d87e886bbf64d45be759bd3178842753f3d8425ef6e923603f13c04123404c8194b
SHA1 hash: 6f53892a92f7ea349c883b7854f705cddb05f68e
MD5 hash: ec81d1b3d7b33c2a4e5c7d83244852c0
humanhash: alabama-xray-emma-wyoming
File name: dd997344dce3d994e5699152d72ac88184929de709b0a9426f8570c8225627fb
File size: 5'500'790 bytes
First seen: 2025-04-08 08:40:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6baa5eaa8231d4fe8e922a2e6d240ea (61 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep: 98304:BgwRwLcUooPKEgORjRUW08c6VsPQ4eG/GycBHcqsZ9qyji8RMfEHKyIn:BgPcUxKEgORjK8c6Vs44zGbVi9qyji8+
TLSH: T10E4622D03B56CCBBFB84B175A500AAB17D9EBAE6F6D215CF25CC260E59632B140F0C58
TrID:
38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 74f4ecc4caccc4dc (6 x AveMariaRAT, 6 x Gamaredon, 1 x CobaltStrike)
Reporter: adrian__luca
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 307
Origin country: HU
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Заявка на расчет.rar
Verdict: Malicious activity
Analysis date: 2025-04-02 10:34:38 UTC
Tags: everything tool mimic ransomware auto generic

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: virus shell sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Launching cmd.exe command interpreter
Creating a service
Launching a service
Creating a file
Moving a recently created file
Searching for analyzing tools
Adding an access-denied ACE
Searching for synchronization primitives
Moving a file to the %AppData% subdirectory
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Changing the Windows explorer settings
Enabling autorun
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context fingerprint installer keylogger masquerade microsoft_visual_cc obfuscated overlay packed packer_detected
Result
Threat name: n/a
Detection: malicious
Classification: rans.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to register a low level keyboard hook
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Writes a notice file (html or txt) to demand a ransom
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID 1659136, sample u5ed6MfIjI.exe, start date 08/04/2025, architecture WINDOWS, score 100]
Threat name: ByteCode-MSIL.Ransomware.CryptoLocker
Status: Malicious
First seen: 2025-03-27 10:40:23 UTC
File Type: PE (Exe)
Extracted files: 62
AV detection: 7 of 24 (29.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery execution privilege_escalation upx
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Access Token Manipulation: Create Process with Token
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
UPX packed file
Checks for any installed AV software in registry
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high
Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::FreeSid
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::CheckTokenMembership
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW, SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetDiskFreeSpaceExW, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::FindFirstFileW
WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExA, USER32.dll::CreateWindowExW

Comments