MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de4abe01eb6864f00aea5ec59c9284853db91453165dae34a9bd1f7170461fcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments 1

SHA256 hash:	de4abe01eb6864f00aea5ec59c9284853db91453165dae34a9bd1f7170461fcd
SHA3-384 hash:	d5338ad7e707a5bef1339ac36d88a59e9186d7bb4e39215344255496c38fce0fa8fc3593da168f8a7b05b0441c504a5b
SHA1 hash:	328857efe777a112d5e938e3e26a11f270341394
MD5 hash:	35a8a168792771736762cf4c2759389f
humanhash:	eighteen-lactose-batman-north
File name:	35a8a168792771736762cf4c2759389f.exe
Download:	download sample
File size:	264'704 bytes
First seen:	2021-05-20 14:32:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b7513c9180d9c4b81797d95ecb76f0a9 (1 x DanaBot, 1 x RedLineStealer, 1 x Stop)
ssdeep	3072:2Mim7+XhqrFowX7Y/6pjzkYUhPG/JCSh/PsMWeHdTWiOfeY4QrLrLXJXPSRnpM5U:r/c/QjYAJCSh/06W9feYrj8C5512G
Threatray	23 similar samples on MalwareBazaar
TLSH	EE446C30A691C035F5FF12F889FA8279A53A79A16B3450FF52D426EE56346E4AC3034F
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

35a8a168792771736762cf4c2759389f.exe

Verdict:

Malicious activity

Analysis date:

2021-05-20 15:03:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2eedf506-7d84-4076-be74-0795d2377cd9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/159730/

Detection(s):

Win.Malware.Pwsx-9863541-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %AppData% subdirectories

Launching a process

Creating a process from a recently created file

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/786296

Signature

Contains functionality to compare user and computer (likely to detect sandboxes)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de4abe01eb6864f00aea5ec59c9284853db91453165dae34a9bd1f7170461fcd/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-05-20 14:32:24 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Verdict:

unknown

0acde2ca52d8d5a8999f26b4ce04b42b48e10475ac2af7c7f593d9f5432232d2

4d4675e6cd3321c2a913c5880a2f9b729ee42315e1754923357091b63d05e6aa

8896dd2a44120202a979a9c6caa747861d0a5bb77d46ca475384c000e7f0bd57

88b4dc586771eaca754612a6b980f435506220cb1bf9ff7a4b6ac3bcbe08b0f8

a990f23cc27493dc2ad2d71e2b6b0fea99678e75356bf55c36e4643bffeadff3

b49705b778cdfbc7540bc70f8ec02b313f302f600b5fed77803c342376853fe8

cca3580005fea3f7e2b73fa7160826aa8c6d9e9be2fca3237d3c52752e0e67b3

fb5d2b6d9ec1b9c07e64f6b9eb148099f0b43d58dc867102c02b16a9a9152022

fe0262c3dba421abb7ce6bf46a36ee46cdc39239a150798b299e3fa1139a3df0

+ 13 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/210520-1xsqh24yzn/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Glupteba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/de4abe01eb6864f00aea5ec59c9284853db91453165dae34a9bd1f7170461fcd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe de4abe01eb6864f00aea5ec59c9284853db91453165dae34a9bd1f7170461fcd

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1250931/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/159730/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-20 15:02:19 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0045] File System Micro-objective::Copy File
4) [C0047] File System Micro-objective::Delete File
5) [C0049] File System Micro-objective::Get File Attributes
6) [C0051] File System Micro-objective::Read File
7) [C0052] File System Micro-objective::Writes File
8) [C0033] Operating System Micro-objective::Console
9) [C0040] Process Micro-objective::Allocate Thread Local Storage
10) [C0043] Process Micro-objective::Check Mutex
11) [C0041] Process Micro-objective::Set Thread Local Storage Value
12) [C0018] Process Micro-objective::Terminate Process
13) [C0039] Process Micro-objective::Terminate Thread