MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e69ebaafa96ca91f70472ad65cfbc6483f65911e715c8eede2707697aca8f077. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e69ebaafa96ca91f70472ad65cfbc6483f65911e715c8eede2707697aca8f077
SHA3-384 hash: f4d823b28a2e602dcf095fafc8ae65b31494b02199a2728cababe0e97a71acc403e084aad8817f00a640939722ddee2d
SHA1 hash: 21c80a6071b5ab1866f4ded5f8e564f3ce069b1b
MD5 hash: 9cef7c54f7733083aa9581ddfd24932b
humanhash: california-twelve-nine-virginia
File name:9cef7c54f7733083aa9581ddfd24932b
Download: download sample
File size:6'623'232 bytes
First seen:2021-07-08 10:15:05 UTC
Last seen:2021-07-08 10:53:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 196608:7k2gvehC9glNxm87/7clNqzJdaL++3Y1W2wD:o2gvN9QxmiQlQJdK+2Ys2wD
Threatray 371 similar samples on MalwareBazaar
TLSH T12D663357BFB91140C58D6936C624C4200A39EE2FE7E6EB122ADD73877973364CC4D2A9
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9cef7c54f7733083aa9581ddfd24932b
Verdict:
No threats detected
Analysis date:
2021-07-08 10:16:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4209b9af-353a-44dd-bdb4-47eaaa6e4eea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170388/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37199669.14735.31709.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7caef989-8748-41cb-997a-62426a357de5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/813378
Signature
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445789 Sample: rLt3wcE5Ig Startdate: 08/07/2021 Architecture: WINDOWS Score: 84 44 Multi AV Scanner detection for dropped file 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Sigma detected: WScript or CScript Dropper 2->48 50 Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring 2->50 8 rLt3wcE5Ig.exe 3 12 2->8         started        process3 file4 32 C:\Users\user\AppData\Roaming\...\VGA.exe, PE32+ 8->32 dropped 34 C:\Users\user\AppData\...\rLt3wcE5Ig.exe, PE32+ 8->34 dropped 36 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->36 dropped 38 3 other malicious files 8->38 dropped 52 Creates an undocumented autostart registry key 8->52 54 Writes to foreign memory regions 8->54 56 Modifies the context of a thread in another process (thread injection) 8->56 58 Injects a PE file into a foreign processes 8->58 12 wscript.exe 1 8->12         started        15 rLt3wcE5Ig.exe 8->15         started        18 AdvancedRun.exe 1 8->18         started        20 2 other processes 8->20 signatures5 process6 dnsIp7 60 Wscript starts Powershell (via cmd or directly) 12->60 22 powershell.exe 20 12->22         started        40 cryptogenerator.club 2.56.59.59, 49743, 8899 GBTCLOUDUS Netherlands 15->40 62 Multi AV Scanner detection for dropped file 15->62 42 192.168.2.1 unknown unknown 18->42 24 AdvancedRun.exe 18->24         started        26 AdvancedRun.exe 20->26         started        28 conhost.exe 20->28         started        signatures8 process9 process10 30 conhost.exe 22->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e69ebaafa96ca91f70472ad65cfbc6483f65911e715c8eede2707697aca8f077/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 02:51:00 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
520fae27134b14bb92d3858083c08496cee8b1c7631f0a374c5e168adfa799f2
63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
cb6b64368f82e2596852532158f265a5b5d889abfce8d3025f5c8177f3462e33
d89c68b81a492812f334c6485f8867419efb302da480f13d56ce1e9801c20096
e111f6f2fa1deba59df581d3c6ef269c3e3628b2649cb728e30092d8d30e258c
+ 361 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/210708-1ng89vsjrn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Nirsoft
Unpacked files
SH256 hash:
e69ebaafa96ca91f70472ad65cfbc6483f65911e715c8eede2707697aca8f077
MD5 hash:
9cef7c54f7733083aa9581ddfd24932b
SHA1 hash:
21c80a6071b5ab1866f4ded5f8e564f3ce069b1b
Link:
https://www.unpac.me/results/b1710468-e1c4-4687-9752-3b123a0dfa13/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/e69ebaafa96ca91f70472ad65cfbc6483f65911e715c8eede2707697aca8f077

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e69ebaafa96ca91f70472ad65cfbc6483f65911e715c8eede2707697aca8f077

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170388/
  
URLhaus
https://urlhaus.abuse.ch/url/1435829/

Comments


Avatar
zbet commented on 2021-07-08 10:15:05 UTC

url : hxxp://porncamsworld.com/payload.exe