MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfd756ed5e954ad5c3f86829365e56d96a5b4b458e98e750f27185470ce1b938. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfd756ed5e954ad5c3f86829365e56d96a5b4b458e98e750f27185470ce1b938
SHA3-384 hash: 47f5f6162f0c5f9e1bca95bd5c5522052c46913e236e32b8e9ab001869a18067828622ec8b71a4eb280af3a42e8129a6
SHA1 hash: ded39c45d0cb5d9e719dfeb212214a88629a5cb5
MD5 hash: 4cf216abbdbe9c6ce9c48f01778733f5
humanhash: uniform-nitrogen-north-crazy
File name:XMZU3.exe
Download: download sample
File size:799'744 bytes
First seen:2022-08-02 22:02:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:vc8ZsZyZ/s2ixgV19jNlK8KnbR06nnjqKoe:kgVD8/jqKoe
Threatray 5'164 similar samples on MalwareBazaar
TLSH T16505AE13348AA758DF39A3B923C580506BE5DC6BC208E61D6F9533578BF7EA10D32627
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f2909696969ef66e (42 x AgentTesla, 42 x SnakeKeylogger, 13 x Formbook)
Reporter AndreGironda
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
XMZU3.exe
Verdict:
Malicious activity
Analysis date:
2022-08-03 05:44:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/366f4806-d31a-4a14-a279-5b37b28222cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296030/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen18.28299.UNOFFICIAL
Create hunting rule

Win.Trojan.Generic-9907631-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Forced system process termination
Launching cmd.exe command interpreter
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed strictor
Link:
https://www.filescan.io/uploads/62e99f1c5c07b66577ef09f3/reports/574cbb9d-f037-4b6b-a188-1b29887ee51d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26a3366c-0ef9-4a0f-ab41-9e313185585d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045277
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates an undocumented autostart registry key
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 677766 Sample: XMZU3.exe Startdate: 03/08/2022 Architecture: WINDOWS Score: 100 74 loadcash.duckdns.org 2->74 88 Multi AV Scanner detection for domain / URL 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for dropped file 2->92 94 12 other signatures 2->94 10 XMZU3.exe 6 2->10         started        signatures3 process4 file5 66 C:\Users\user\AppData\Roaming\pVJpshg.exe, PE32 10->66 dropped 68 C:\Users\user\AppData\Local\Temp\tmp56.tmp, XML 10->68 dropped 70 C:\Users\user\AppData\Local\...\XMZU3.exe.log, ASCII 10->70 dropped 108 Uses schtasks.exe or at.exe to add and modify task schedules 10->108 110 Writes to foreign memory regions 10->110 112 Injects a PE file into a foreign processes 10->112 14 RegSvcs.exe 15 5 10->14         started        19 schtasks.exe 1 10->19         started        21 RegSvcs.exe 10->21         started        23 2 other processes 10->23 signatures6 process7 dnsIp8 78 raw.githubusercontent.com 185.199.109.133, 443, 49755 FASTLYUS Netherlands 14->78 80 192.168.2.1 unknown unknown 14->80 72 C:\Users\user\...\owefdxaykpemqqdq.exe, PE32 14->72 dropped 82 Writes to foreign memory regions 14->82 84 Allocates memory in foreign processes 14->84 86 Injects a PE file into a foreign processes 14->86 25 owefdxaykpemqqdq.exe 14->25         started        29 cvtres.exe 14->29         started        32 explorer.exe 3 133 14->32         started        34 conhost.exe 19->34         started        file9 signatures10 process11 dnsIp12 58 C:\Users\user\AppData\Roaming\r77-x86.dll, PE32 25->58 dropped 60 C:\Users\user\AppData\Roaming\r77-x64.dll, PE32+ 25->60 dropped 62 r77-f35eb49632554e...c648b4202b0-x86.dll, PE32 25->62 dropped 64 r77-5ebb40bc07594d...5277f8c0a5b-x64.dll, PE32+ 25->64 dropped 98 Antivirus detection for dropped file 25->98 100 Multi AV Scanner detection for dropped file 25->100 102 Creates an undocumented autostart registry key 25->102 104 Machine Learning detection for dropped file 25->104 36 cmd.exe 25->36         started        76 loadcash.duckdns.org 107.182.129.16, 49772, 49778, 49780 META-ASUS Reserved 29->76 106 Adds a directory exclusion to Windows Defender 29->106 38 cmd.exe 29->38         started        41 cmd.exe 29->41         started        43 conhost.exe 29->43         started        file13 signatures14 process15 signatures16 45 conhost.exe 36->45         started        48 taskkill.exe 36->48         started        96 Adds a directory exclusion to Windows Defender 38->96 50 conhost.exe 38->50         started        52 powershell.exe 38->52         started        54 conhost.exe 41->54         started        56 powershell.exe 41->56         started        process17 signatures18 114 DLL side loading technique detected 45->114
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dfd756ed5e954ad5c3f86829365e56d96a5b4b458e98e750f27185470ce1b938/
Threat name:
ByteCode-MSIL.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-07-27 14:33:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
47
AV detection:
32 of 41 (78.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=37lvn3k6svfnlq7ynautmxsw3fvfws2fr2moouhsogcuodhbxe4a._file
Verdict:
malicious
Similar samples:
0931c4d9c3b9aa6500e654be85d3415d0fbafff6241c9fa2952e646cd533ec17
2863d59554f71daaca458ebf5f9d290771630f3945b54bef7a5cdc91ed963b6e
3db2d90c67f5a960eedc85a63d731ef5c889e8aedb0bc447d227e5868173f686
411022818cec2591dcd94d4dec69f992060eb05fd63d6804809380fc1e0370ab
76582a89906c218bd6da0b6e1fd8f5b27ec527fed425c66b74a6b7afa350f947
88e8a04609753df7f1310ce60432f67f7ef5472d62c1b122bb98956cebf64ddc
bb671dbc4bb59548908a3bb9b9bb67c07e059ae50b2d347d04e7786a2e4527e5
d31c93c082d1f410c4ff31dbb88d43b96b1fc06ccbf78293aa3159a317350de8
d467bfa9ec5c3d63189dbd0c3ef7cf377d2a3fc16207db32aaf5e0bdae81d2a4
db795c462c9daf26c0cb92d895f569f7b1e0f98354f50b4784759700e3b011c3
+ 5'154 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220802-1yccnadchk/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies AppInit DLL entries
Modifies Installed Components in the registry
Unpacked files
SH256 hash:
2ce411f8c1f0d275f2c323e7b44a8bde264d6c31939eae9ad0967a3030b29448
MD5 hash:
34a352bda55f0c1d4b379ff4ed79bed3
SHA1 hash:
c4170af8e2fe87ab74bd4ffb515f1cf4964c55f9
Link:
https://www.unpac.me/results/c23b2593-264e-4c4b-965b-daa1acca339f/
SH256 hash:
5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6
MD5 hash:
01800f6b045def8d90c649842f56d752
SHA1 hash:
f8434a4636d0772d01aac44bb3f9753a41f01d34
Link:
https://www.unpac.me/results/c23b2593-264e-4c4b-965b-daa1acca339f/
SH256 hash:
8f76b51d7a9b2500715958df67c8b087921b946ab61957bd66b9e2adafa75271
MD5 hash:
34c24f2a9127c84206500a74c9559d21
SHA1 hash:
60a21bcead1d5774e318ed2e5334b36ae61b03c1
Link:
https://www.unpac.me/results/c23b2593-264e-4c4b-965b-daa1acca339f/
SH256 hash:
91ea2548ea181a8956a4aee65adce69a61bb00bfae42f03e23ad1221270c8b8b
MD5 hash:
23fee25ca2bf45548c783644906bd6e0
SHA1 hash:
3abbf8bc4b8b35c91cb2dc2c60facafef44793b8
Link:
https://www.unpac.me/results/c23b2593-264e-4c4b-965b-daa1acca339f/
SH256 hash:
dfd756ed5e954ad5c3f86829365e56d96a5b4b458e98e750f27185470ce1b938
MD5 hash:
4cf216abbdbe9c6ce9c48f01778733f5
SHA1 hash:
ded39c45d0cb5d9e719dfeb212214a88629a5cb5
Link:
https://www.unpac.me/results/c23b2593-264e-4c4b-965b-daa1acca339f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfd756ed5e954ad5c3f86829365e56d96a5b4b458e98e750f27185470ce1b938

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe dfd756ed5e954ad5c3f86829365e56d96a5b4b458e98e750f27185470ce1b938

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/296030/

Comments