MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e49a09c8b47f21970536a21d7a04e462ec244356901646381ac1e380b91a564a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9



SHA256 hash: e49a09c8b47f21970536a21d7a04e462ec244356901646381ac1e380b91a564a
SHA3-384 hash: ef9545a1ab7bdfab652913c54a24029e31ac269c68cc1a2f5016346569ce2a015d2b5bf45159c5d87107da1da1c37a1f
SHA1 hash: bdd60abead97d8dbf3f55f467c3555401f94208a
MD5 hash: ee613018522aad5eeea373ddbebf21f6
humanhash: seven-lactose-charlie-april
File name: ee613018522aad5eeea373ddbebf21f6
File size: 6'416'239 bytes
First seen: 2021-12-05 23:57:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:JXhAmwO8eJ3psRK4b/CHzcDTxSL0Y2X5mMTvYefq52Bim9ga/VfIllxTUu8e7m:1hbP88psRK4b6II2X4MT9fZ9gQWxYK7m
Threatray: 1'110 similar samples on MalwareBazaar
TLSH: T15D563343F4226DB2D6015D7692191A30A67A7F224F2C8BDFB3E45A16D6742E073312FB
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: zbetcheckin
Tags: 32 exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 198
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ee613018522aad5eeea373ddbebf21f6
Verdict: Malicious activity
Analysis date: 2021-12-06 00:01:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox, so its verdict reflects everything the analyst did in the session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 76 / 100
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Conti Backup Database
Sigma detected: Disable or Delete Windows Eventlog
Sigma detected: PowerShell SAM Copy
Sigma detected: Suspicious PowerShell Invocations - Generic
Result
Threat name: Win32.Ransomware.Generic
Status: Suspicious
First seen: 2021-12-05 17:28:00 UTC
File Type: PE (Exe)
Extracted files: 30
AV detection: 12 of 27 (44.44%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
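
The persistence chain the sandboxes report for this sample (a file created under %AppData%, a process started from that new file, and a value written under Software\Microsoft\Windows\CurrentVersion\Run, listed above as "Adds Run key to start application") is what an endpoint detection should key on rather than the file hash alone. The script below is an added example and is not MalwareBazaar's or any vendor's code. It runs that detection logic over constructed events that follow Sysmon's field names (Event ID 11 FileCreate, Event ID 1 ProcessCreate, Event ID 13 RegistryEvent with EventType SetValue); the user name, SID, paths and the benign control event are made up for the demonstration, and it generalises slightly beyond the page by also matching RunOnce.

```python
"""Detection logic for the persistence chain the sandbox reports above:
a file dropped under %AppData%, executed, then registered in a Run key.
Added example, not MalwareBazaar's or any vendor's code. The events are
constructed to follow Sysmon's field names (Event ID 11 FileCreate,
Event ID 1 ProcessCreate, Event ID 13 RegistryEvent/SetValue); paths,
user name and SID are made up for the demo."""
import re

RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

EVENTS = [
    # Downloaded file drops a second executable into %AppData%\Roaming
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\Release2.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\svc\host.exe"},
    # ... and launches it ("creating a process from a recently created file")
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\svc\host.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Release2.exe"},
    # The dropped binary registers itself under HKCU\...\Run (Sysmon logs HKCU as HKU\<SID>)
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\alice\AppData\Roaming\svc\host.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\host.exe"},
    # Benign control: an installer in Program Files writing its own tray-app Run value
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]


def find_dropped_autoruns(events):
    """Return one alert per Run/RunOnce value written by, or pointing at, a
    binary under %AppData%. Severity is 'high' when the trace also shows that
    binary being dropped and executed earlier, 'medium' when only the value
    data points into %AppData% (could be a user-mode installer)."""
    dropped, executed, alerts = set(), set(), []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11 and APPDATA.search(ev.get("TargetFilename", "")):
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 1 and ev.get("Image", "").lower() in dropped:
            executed.add(ev["Image"].lower())
        elif (eid == 13 and ev.get("EventType") == "SetValue"
              and RUN_KEY.search(ev.get("TargetObject", ""))):
            image, value = ev.get("Image", ""), ev.get("Details", "")
            writer_dropped = image.lower() in dropped
            if writer_dropped or APPDATA.search(value):
                alerts.append({
                    "key": ev["TargetObject"],
                    "image": image,
                    "value": value,
                    "severity": "high" if writer_dropped and image.lower() in executed else "medium",
                })
    return alerts


if __name__ == "__main__":
    for a in find_dropped_autoruns(EVENTS):
        print(f"[{a['severity']}] {a['image']} wrote {a['key']} = {a['value']}")
```

The two-tier severity matters in practice: a Run value pointing into %AppData% on its own is noisy (per-user installers do it), but the same write coming from a binary that the trace shows being created and executed moments earlier is the exact sequence the sandboxes observed for this sample.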
Unpacked files

SHA256 hash: f89e0f32c17aa198c1d3d57df1545c42e43d97bafb948754ebcbe61d27838e0e
MD5 hash: cd7685595f36b2fcb966bfb432fed636
SHA1 hash: d659af67e340e216bea12e1ea7472ec13af97065

SHA256 hash: 76650bb0751c2b8edcb3f35fc841c6b8b1b80b10e1a88c0ccef7f5e10953e1d8
MD5 hash: 6deef4177aacc31fda2c68c57e2fda1e
SHA1 hash: d6fbeac8f54f2fc0bcd8ea4d94345bd9d156f6be

SHA256 hash: ed8d1e60d527586be174787738168ea79cc18ffa930458124304591238198711
MD5 hash: 33744a6e6634a8b343520e139b6860b5
SHA1 hash: dc14e9c255aa363d7180849322c5f1d409b3fbee

SHA256 hash: c14498fc5b7c8c1dc632b26ed3b0d9ceae5a544a671b1fac5df4102de3ce8b45
MD5 hash: 69cbabd0b936c8a43bf0c9f30c344191
SHA1 hash: 47dd85d74dcd5b0c3010b771ac429e9fc7b4994f

SHA256 hash: e49a09c8b47f21970536a21d7a04e462ec244356901646381ac1e380b91a564a (this sample)
MD5 hash: ee613018522aad5eeea373ddbebf21f6
SHA1 hash: bdd60abead97d8dbf3f55f467c3555401f94208a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe e49a09c8b47f21970536a21d7a04e462ec244356901646381ac1e380b91a564a (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-12-05 23:57:47 UTC

url : hxxps://elon21.org/5s/Release2.exe
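
Two checks a triager wants before touching the download: that the file on disk really is the sample this entry describes (the MD5, SHA1, SHA256 and SHA3-384 digests and the file size listed at the top of the entry settle that), and that the defanged URL from the comment above is turned back into a form a proxy-log search or blocklist can use. The script below is an added example, not MalwareBazaar's own tooling. ENTRY_HASHES and ENTRY_SIZE are copied from the entry; SAMPLE_BYTES is a constructed stand-in for a download, which by design does not match; and the function names are the example's own.

```python
"""Verify a downloaded file against the digests this MalwareBazaar entry
publishes, and normalise the defanged URL from the comment into an IOC that
can be searched or blocked. Added example, not MalwareBazaar's own tooling.
ENTRY_HASHES and ENTRY_SIZE are copied from the entry above; SAMPLE_BYTES is
a constructed stand-in for a download and is not the real file."""
import hashlib
import re
import sys
from typing import Dict, Optional

ENTRY_HASHES = {
    "md5": "ee613018522aad5eeea373ddbebf21f6",
    "sha1": "bdd60abead97d8dbf3f55f467c3555401f94208a",
    "sha256": "e49a09c8b47f21970536a21d7a04e462ec244356901646381ac1e380b91a564a",
    "sha3_384": ("ef9545a1ab7bdfab652913c54a24029e31ac269c68cc1a2f5016346569ce2a01"
                 "5d2b5bf45159c5d87107da1da1c37a1f"),
}
ENTRY_SIZE = 6_416_239  # bytes, as listed in the entry

# Constructed stand-in: obviously not the real sample, so the check must fail.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not Release2.exe"


def hash_bytes(data: bytes, algs=tuple(ENTRY_HASHES)) -> Dict[str, str]:
    """Lowercase hex digests for every algorithm the entry lists (hashlib
    knows all four by name, including sha3_384)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algs}


def verify_sample(data: bytes, expected: Dict[str, str] = ENTRY_HASHES,
                  size: int = ENTRY_SIZE) -> Dict[str, bool]:
    """Per-algorithm match flags, a size check, and an overall verdict.
    Any single mismatch means this is not the file the entry describes
    (truncated download, wrong file, or a repacked sibling sample)."""
    got = hash_bytes(data, tuple(expected))
    report = {alg: got[alg] == digest.lower() for alg, digest in expected.items()}
    report["size"] = len(data) == size
    report["all"] = all(report.values())
    return report


def refang(ioc: str) -> str:
    """Undo the defanging used in the comment (hxxp, [.], [:]) so the URL can
    be matched against proxy logs or pushed to a blocklist."""
    out = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    return out.replace("[.]", ".").replace("[:]", ":")


def defang(url: str) -> str:
    """Inverse of refang for reports: scheme becomes hxxp and the dots in the
    host are bracketed; the path is left alone so the filename stays readable."""
    m = re.match(r"^http(s?)://([^/]+)(.*)$", url, flags=re.IGNORECASE)
    if not m:
        return url
    scheme, host, rest = m.groups()
    return f"hxxp{scheme}://{host.replace('.', '[.]')}{rest}"


def url_from_comment(comment: str) -> Optional[str]:
    """Pull the first (defanged or live) URL out of a free-text comment and refang it."""
    m = re.search(r"\bh(?:xx|tt)ps?://\S+", comment, flags=re.IGNORECASE)
    return refang(m.group(0)) if m else None


if __name__ == "__main__":
    # Pass a path to check a real download; with no argument the constructed bytes are used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    for check, ok in verify_sample(data).items():
        print(f"{check:9} {'ok' if ok else 'MISMATCH'}")
    print(url_from_comment("url : hxxps://elon21.org/5s/Release2.exe"))
```

The entry's imphash, ssdeep and TLSH are deliberately not recomputed here: they need third-party modules (pefile's get_imphash() for the import hash, the ssdeep and tlsh bindings for the fuzzy hashes), and a mismatch on any of the exact digests already settles whether you have the right file. The fuzzy hashes are what you reach for afterwards, to find the "1'110 similar samples" the entry mentions rather than this exact one.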