MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e62a32a33a570f93a15d0b1d4e8faf1ed30ea1aa15ec3e8bd9a0050cf557675d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e62a32a33a570f93a15d0b1d4e8faf1ed30ea1aa15ec3e8bd9a0050cf557675d
SHA3-384 hash: 52e681be04bfd164f31c4cdbbb2de3bf1afa42750922eda2144a009977a4cd6bca69d5c10462a652738f066cfd467f65
SHA1 hash: e5435cdf546489f22235082d0e8cf72cd4e6405e
MD5 hash: 6feaa90c136a027714b61e18c8e84222
humanhash: paris-nevada-nevada-uranus
File name:1.exe
Download: download sample
File size:4'488'192 bytes
First seen:2023-06-18 10:20:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:eB+SpDsqaHd8NrEE9cydzmFMbghuUGcleh4npIvazrasdAWboqKvcw8GUyXdHyc0:
Threatray 614 similar samples on MalwareBazaar
TLSH T1AE26AFE9D16F40D2EC072EC568287AC74B317673DEE40024376F7D488F7B9A98149E9A
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter obfusor
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.exe
Verdict:
Malicious activity
Analysis date:
2023-06-18 10:23:15 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/e8745cc4-78bf-46ae-94b9-5e0ac7532bd6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400055/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/648eda8f31578e30d15ccbc8/reports/cd419bd6-a18f-459f-af5e-4c294877470c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e62a32a33a570f93a15d0b1d4e8faf1ed30ea1aa15ec3e8bd9a0050cf557675d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/30d5e1e5-0adf-4435-a3d1-17cce091f80a
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1256829
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 889849 Sample: 1.exe Startdate: 18/06/2023 Architecture: WINDOWS Score: 100 35 72.245.12.0.in-addr.arpa 2->35 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 .NET source code contains potential unpacker 2->47 49 3 other signatures 2->49 8 1.exe 1 5 2->8         started        12 Qpwhwo.exe 2->12         started        14 Qpwhwo.exe 2->14         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\...\Ftsaigqjt.exe, PE32+ 8->27 dropped 29 C:\Users\user\AppData\Local\Qpwhwo.exe, PE32+ 8->29 dropped 31 C:\Users\user\...\Qpwhwo.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\AppData\Local\...\1.exe.log, CSV 8->33 dropped 51 Modifies the context of a thread in another process (thread injection) 8->51 53 Injects a PE file into a foreign processes 8->53 16 Ftsaigqjt.exe 8->16         started        19 cmd.exe 1 8->19         started        21 1.exe 8->21         started        55 Antivirus detection for dropped file 12->55 57 Multi AV Scanner detection for dropped file 12->57 59 Machine Learning detection for dropped file 12->59 signatures6 process7 signatures8 37 Antivirus detection for dropped file 16->37 39 Multi AV Scanner detection for dropped file 16->39 41 Machine Learning detection for dropped file 16->41 23 powershell.exe 17 19->23         started        25 conhost.exe 19->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e62a32a33a570f93a15d0b1d4e8faf1ed30ea1aa15ec3e8bd9a0050cf557675d/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-18 10:21:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4yvdfiz2k4hzhik5bmou5d5pd3jq5inkcxwd5c6zuacqz5kxm5oq._file
Verdict:
unknown
Similar samples:
163f0f159705867530e310ee48ffb66a057fba8a236ca2473c3de1d2f9ea48c9
6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e
8e81c784f79eb9358991ca3b1bab8c5d1ddaaa70a849fe7527ed005063d6c092
9f95cdb078e60a80bdd71e706885ad253f43fe98b4b61868600799a3becb41e5
b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424
ef7534cbfb9701ec011fa5354837d6504aa36631e67ee7e328e33e2b751ba413
f9b536d2ba94bc4720cebc07ed39fc7643bdaea35b09b7112a09fef013123ca6
+ 604 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230618-mdm2rsfg4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
e62a32a33a570f93a15d0b1d4e8faf1ed30ea1aa15ec3e8bd9a0050cf557675d
MD5 hash:
6feaa90c136a027714b61e18c8e84222
SHA1 hash:
e5435cdf546489f22235082d0e8cf72cd4e6405e
Link:
https://www.unpac.me/results/314d9c77-8486-4f14-8e45-8cdbb5b4419f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e62a32a33a570f93a15d0b1d4e8faf1ed30ea1aa15ec3e8bd9a0050cf557675d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400055/

Comments