MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5e3fc365a3ffea4e638e0bc509872f2d8d2fe0b32b4424c6ad9950119f3a481. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 16



SHA256 hash: e5e3fc365a3ffea4e638e0bc509872f2d8d2fe0b32b4424c6ad9950119f3a481
SHA3-384 hash: 195b0dd95bad39c6a822b18b74c5551989f32172eff8101e40d47f6edbe41ffceae347d67986f76fe30a501e4d3f9d3e
SHA1 hash: bd14fc15c15fdeb9093a1c3da74ecae56d398f42
MD5 hash: 27ceb1c7e235c84242239263fc230893
humanhash: whiskey-skylark-lemon-uranus
File name: 001.exe
File size: 6'984'192 bytes
First seen: 2025-03-15 16:47:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:P7LA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuzqo9Y:jLJlC6j0CX4XmvWHVcd62uT9
Threatray 44 similar samples on MalwareBazaar
TLSH T1B566F39B5ECC82E2FD3E06314062F676A6647EE907D14FCB62F80D47FA502E46C7119A
TrID 58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.4% (.EXE) Win64 Executable (generic) (10522/11/4)
5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter 2huMarisa
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 389
Origin country: CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
001.zip
Verdict:
Malicious activity
Analysis date:
2024-02-04 01:51:07 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
autorun locky
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Setting a global event handler
Creating a file in the %temp% directory
Running batch commands
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Using the Windows Management Instrumentation requests
Changing a file
Creating a file
Launching a process
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Launching a tool to kill processes
Forced shutdown of a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context crypt explorer keylogger lolbin obfuscated xpack
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.adwa.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the wallpaper picture
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to log keystrokes (.Net Source)
Disable Task Manager(disabletaskmgr)
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Creation TXT File in User Desktop
Uses shutdown.exe to shutdown or reboot the system
Behaviour
Threat name:
ByteCode-MSIL.Trojan.Diztakun
Status:
Malicious
First seen:
2021-11-16 00:17:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
29 of 36 (80.56%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery persistence ransomware
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Sets desktop wallpaper using registry
Enumerates connected drives
Modifies WinLogon
Disables Task Manager via registry modification
Verdict:
Malicious
Tags:
Win.Malware.Generic-9828792-0
YARA:
n/a
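The behaviours the sandboxes above agree on (DisableTaskMgr and DisableRegistryTools policy values, Winlogon tampering, a wallpaper change through the registry, a PE file dropped into the Startup folder, taskkill.exe and shutdown.exe launches, a .txt file created on the Desktop) map directly onto endpoint telemetry. The following is an added example, not code from MalwareBazaar or from any of the vendors listed, that scores a stream of registry, file and process events for exactly those behaviours. The event records are constructed for illustration; the field names (`event`, `key`, `value_name`, `value`, `path`, `image`, `command`, `pid`) are an assumed simplified schema rather than any real log format, and none of the paths are taken from the sample.

```python
"""Flag the defense-evasion / persistence behaviours reported above in a
stream of endpoint events (added example; event schema and paths are
constructed for illustration, not taken from the sample)."""
import re

# (normalised registry key, value name) -> (finding, only_flag_nonzero)
REGISTRY_WATCH = {
    (r"software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"):
        ("disables Task Manager (DisableTaskMgr)", True),
    (r"software\microsoft\windows\currentversion\policies\system", "disableregistrytools"):
        ("disables regedit (DisableRegistryTools)", True),
    (r"control panel\desktop", "wallpaper"):
        ("changes desktop wallpaper via registry", False),
}
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_VALUES = {"shell", "userinit", "taskman"}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(exe|dll|scr)$", re.I)
DESKTOP_TXT_RE = re.compile(r"\\users\\[^\\]+\\desktop\\[^\\]+\.txt$", re.I)
KILL_TOOLS = {"taskkill.exe", "shutdown.exe"}


def _norm_key(key: str) -> str:
    """Lower-case a registry path and strip the hive (HKCU, HKLM, HKEY_USERS, ...)
    and any per-user SID so the HKCU and HKU\\S-1-5-... forms of one key compare equal."""
    key = key.lower().strip("\\")
    key = re.sub(r"^hk(ey_)?[a-z_]+\\", "", key)
    key = re.sub(r"^s-1-5-[0-9-]+\\", "", key)
    return key


def classify(event: dict) -> list:
    """Return the suspicious behaviours one event exhibits (empty list if none)."""
    found = []
    kind = event.get("event")
    if kind == "registry_set":
        key = _norm_key(event.get("key", ""))
        name = str(event.get("value_name", "")).lower()
        value = str(event.get("value", "")).strip()
        hit = REGISTRY_WATCH.get((key, name))
        if hit is not None:
            text, nonzero_only = hit
            # writing 0 is what remediation does; do not alert on that
            if not nonzero_only or value not in ("", "0", "0x0"):
                found.append(text)
        if key == WINLOGON_KEY and name in WINLOGON_VALUES:
            found.append(f"modifies Winlogon {name} -> {value}")
    elif kind == "file_create":
        path = event.get("path", "")
        if STARTUP_RE.search(path):
            found.append("drops PE file into Startup folder")
        elif DESKTOP_TXT_RE.search(path):
            found.append("creates .txt file on user Desktop")
    elif kind == "process_create":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()
        if image in KILL_TOOLS:
            found.append(f"launches {image}: {event.get('command', '')}")
    return found


def scan(events) -> list:
    """Run classify() over an event stream; returns (pid, finding) pairs."""
    return [(e.get("pid"), f) for e in events for f in classify(e)]


# Constructed event stream (illustrative; not taken from the sandbox runs above).
SAMPLE_EVENTS = [
    {"pid": 4120, "event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value_name": "DisableTaskMgr", "value": 1},
    {"pid": 4120, "event": "registry_set",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value_name": "DisableRegistryTools", "value": 1},
    {"pid": 4120, "event": "registry_set", "key": r"HKCU\Control Panel\Desktop",
     "value_name": "Wallpaper", "value": r"C:\Users\victim\AppData\Local\Temp\wall.bmp"},
    {"pid": 4120, "event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value_name": "Shell", "value": r"explorer.exe,C:\Users\victim\AppData\Roaming\svc.exe"},
    {"pid": 4120, "event": "file_create",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"pid": 4120, "event": "file_create", "path": r"C:\Users\victim\Desktop\READ_ME.txt"},
    {"pid": 5004, "event": "process_create",
     "image": r"C:\Windows\System32\taskkill.exe", "command": "taskkill /F /IM explorer.exe"},
    {"pid": 5010, "event": "process_create",
     "image": r"C:\Windows\System32\shutdown.exe", "command": "shutdown /r /t 0"},
    # benign noise that must not fire: a remediation write of 0 and an ordinary process
    {"pid": 880, "event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value_name": "DisableTaskMgr", "value": 0},
    {"pid": 880, "event": "process_create",
     "image": r"C:\Windows\System32\notepad.exe", "command": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

The policy-value checks only fire on a non-zero write, so the value of 0 that an incident responder writes back to re-enable Task Manager is not re-flagged, and `_norm_key` folds the `HKU\<SID>\...` form a kernel-level registry monitor reports into the same key as the `HKCU\...` form, which is what the vendor behaviour lists use.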
Unpacked files
SHA256 hash:
e5e3fc365a3ffea4e638e0bc509872f2d8d2fe0b32b4424c6ad9950119f3a481
MD5 hash:
27ceb1c7e235c84242239263fc230893
SHA1 hash:
bd14fc15c15fdeb9093a1c3da74ecae56d398f42
SHA256 hash:
e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash:
5cac4fe734fc8454ccb847e030beee38
SHA1 hash:
34298fe220e35f614b2c837cf1dc2604ab0882d6
SHA256 hash:
ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash:
a35ee23aaab26afc575ac83df9572b57
SHA1 hash:
81ea38c694ce9702faddfb961f17c1bbf628a76d
SHA256 hash:
00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash:
bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash:
cdf7dd7dd1771edcc473037af80afd7e449e30d9
SHA256 hash:
0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash:
13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash:
e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd
SHA256 hash:
0b8a0195523b23318e7dfc2c3b4733c337ce07418eb8f293d599369a0f9af749
MD5 hash:
b9f7caa64e377963c337f969e56f8c4e
SHA1 hash:
4f57b2f48fd8879a5c014f91892a1a3df247f66d
SHA256 hash:
638052cf8fd437da5e60f0e690242272f9c1d22a4a5e42b6f29906b815e368e0
MD5 hash:
d00930e2b4f8a36c0ba4c60f478d62c2
SHA1 hash:
fa0e08b9978fe10904b993fae03bf619df1ed0eb
SHA256 hash:
dc6ee4edbbbe1116a200b928f2b62dbc55594a9f79152bbb0076161a58546c11
MD5 hash:
979b597855746aee2f30ee74f9d7c163
SHA1 hash:
56dd0b4bbc5ddcc3fab99ea2e8f781d8b7c7c05f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: kill_explorer
Author: iam-py-test
Description: Detect files killing explorer.exe
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                     Severity
CHECK_AUTHENTICODE         Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)           high
CHECK_TRUST_INFO           Requires Elevated Execution (level:requireAdministrator)  high
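All three BLint findings are header properties that can be read without executing the file. The following added example (my own code, not BLint's and not part of the MalwareBazaar page) reproduces them from the PE headers with the standard library only: the Authenticode check reads data directory 4 (the certificate table), the GUARD_CF check reads DllCharacteristics at offset 70 of the optional header, and the requireAdministrator check is a byte-level search for the manifest attribute rather than a walk of the RT_MANIFEST resource, which is an assumption that holds for plain-text manifests but is weaker than a real resource parse. It additionally reports NX_COMPAT and DYNAMIC_BASE with severities of my own choosing, and whether a CLR header (directory 14) is present, which is what makes an image a .NET executable. `build_test_pe` builds a constructed, headers-only image for testing and is not the sample from this entry.

```python
"""Read the security properties BLint reports for this sample straight from
the PE headers (added example, standard library only; build_test_pe makes a
constructed image for testing and is not the sample itself)."""
import re
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4         # certificate table (Authenticode)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR header: present => .NET image
# Assumption: the manifest is plain UTF-8 XML somewhere in the file, so a byte
# search is enough; a full RT_MANIFEST resource walk would be more robust.
MANIFEST_ADMIN_RE = re.compile(rb"level\s*=\s*[\"']requireAdministrator[\"']")


def check_pe(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers and return BLint-style findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        dirs = opt + 96
    elif magic == 0x20B:                     # PE32+
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]    # NumberOfRvaAndSizes

    def directory(index):
        if index >= n_dirs:
            return 0, 0
        return struct.unpack_from("<II", data, dirs + 8 * index)

    _, cert_size = directory(IMAGE_DIRECTORY_ENTRY_SECURITY)
    _, clr_size = directory(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)

    findings = []
    # A non-zero certificate table only means a signature blob is attached;
    # it says nothing about whether that signature verifies.
    if cert_size == 0:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    # GUARD_CF mirrors the page's finding; the NX/ASLR severities are my own labelling.
    for flag, name, sev in ((IMAGE_DLLCHARACTERISTICS_GUARD_CF, "GUARD_CF", "high"),
                            (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, "NX_COMPAT", "medium"),
                            (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, "DYNAMIC_BASE", "medium")):
        if not dllchars & flag:
            findings.append(("CHECK_DLL_CHARACTERISTICS",
                             f"Missing dll Security Characteristics ({name})", sev))
    if MANIFEST_ADMIN_RE.search(data):
        findings.append(("CHECK_TRUST_INFO",
                         "Requires Elevated Execution (level:requireAdministrator)", "high"))
    return {"pe32plus": magic == 0x20B, "managed": clr_size > 0,
            "dll_characteristics": dllchars, "findings": findings}


def build_test_pe(pe32plus=True, dllchars=0, signed=False, manifest=b"", managed=True) -> bytes:
    """Constructed minimal PE image (headers only) for exercising check_pe()."""
    opt_len = (112 if pe32plus else 96) + 16 * 8
    body = bytes(manifest)
    cert_off = cert_size = 0
    if signed:
        cert_off = 0x40 + 4 + 20 + opt_len + len(body)
        blob = b"\x00" * 16            # stand-in for a WIN_CERTIFICATE, not a real signature
        cert_size = len(blob)
        body += blob
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_len, 0x22)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs - 4, 16)
    struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    if managed:
        struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 72)
    return dos + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    sample = build_test_pe(dllchars=0x8160,
                           manifest=b'<requestedExecutionLevel level="requireAdministrator"/>')
    for ident, title, severity in check_pe(sample)["findings"]:
        print(f"{ident:<28}{title:<60}{severity}")
```

Run against a real file with `check_pe(open(path, "rb").read())`. The certificate-table check is the one to read with care during triage: an attached signature blob clears this finding even when the signature is revoked, self-signed or simply does not verify, so a missing-Authenticode result is a negative signal about the file but its absence is not a positive one.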
