MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de05a1d52264370195aae40fdd5430e1dd33e8536083b832ad7f16b67452b86f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de05a1d52264370195aae40fdd5430e1dd33e8536083b832ad7f16b67452b86f
SHA3-384 hash: 59a9349198eac57909dd16218f1ea926b357497d5364983bd80c50e3aa3e4a17a48c64fdc28cdccee251eb049a0aef99
SHA1 hash: bbfc39629068b6a825f83ef6d33030d07be038c3
MD5 hash: 3ee490464ee3410f5b657fab4f6766f2
humanhash: three-mirror-eighteen-march
File name:3ee490464ee3410f5b657fab4f6766f2.exe
Download: download sample
File size:15'360 bytes
First seen:2022-02-03 14:45:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ddf1a9beaf59fd32e2044aac367d903f
ssdeep 384:UUKoypNqfTjprTFenIzV5eq8ejeyBevekPZY6WhJ3732:UUspkf3DkIeqHjMGgZbMJ373
Threatray 523 similar samples on MalwareBazaar
TLSH T10562F82B6FB308FEE83AC234C4F2623BB232B62153B617CF529014AD2D36551B950E5D
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/232274/
Detection(s):
SecuriteInfo.com.Generic.Malware.2.53465AB7.5362.12355.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Launching a process
Creating a window
Launching a tool to kill processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm evasive fingerprint netsh.exe packed stealer
Link:
https://www.filescan.io/uploads/61fc31606d25ac9e7901e064/reports/85f93c91-b726-4ba2-ae0c-8f2e863a67bf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f54fc36-096c-49b0-aa50-24544fa50d54
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/933456
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de05a1d52264370195aae40fdd5430e1dd33e8536083b832ad7f16b67452b86f/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-02 11:54:57 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
007ee67c4bec255a19ab2b6fa0f159e9d9636c74dde34f9ddbf3b45ced74cebe
26f356831f0c6b818a25114e232966ed68586c583128850b8680abdb860862fd
3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4
547a73effa2789bdb7c8d66e020e0ec86974de321362e97319be1e6d3fdaf8d2
a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d
b69638517ea368465f93cdea93c7daa7941a1ee21409ce471159b88a64f05bf6
d4e5ea6e804aee0817c61b11e1ed009f649ff37d30bafa7056bf82d45e83f44d
e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
+ 513 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/220203-r5ayqsaeg2/
Behaviour
Enumerates system info in registry
Gathers network information
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Unpacked files
SH256 hash:
de05a1d52264370195aae40fdd5430e1dd33e8536083b832ad7f16b67452b86f
MD5 hash:
3ee490464ee3410f5b657fab4f6766f2
SHA1 hash:
bbfc39629068b6a825f83ef6d33030d07be038c3
Link:
https://www.unpac.me/results/1a0ec35b-8e05-47ee-8b25-c1cc204dd834/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de05a1d52264370195aae40fdd5430e1dd33e8536083b832ad7f16b67452b86f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe de05a1d52264370195aae40fdd5430e1dd33e8536083b832ad7f16b67452b86f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2026306/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/232274/

Comments