MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6e9e7f04e5834c13899e35b6f5e35adce5a8b6005f24a02a9e4156b903d5c93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12

SHA256 hash: e6e9e7f04e5834c13899e35b6f5e35adce5a8b6005f24a02a9e4156b903d5c93
SHA3-384 hash: 412a48a6b55a69a695a797cdf1fcde17f04b2d5286ec733174c913ef85b3dc83a42be2d3a3fdf9f89e4663b18fcacc68
SHA1 hash: dd4fffb6aea6bfb50191776eaa2792f8305b7e47
MD5 hash: 6902b4158d8148c200ce8b7882bdb37a
humanhash: xray-pizza-saturn-fruit
File name: Trojan.Autorun.ATA_virussign.com_6902b4158d8148c200ce8b7882bdb37a
Download: download sample
File size: 718'158 bytes
First seen: 2023-09-07 11:12:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d3cbd6e8f81da85f6bf0529e69de9251
ssdeep: 6144:/qDAwl0xPTMiR9JSSxPUKYGdodH/baqE7Al8jk2jcbaqE7Al8C:/+67XR9JSSxvYGdodH/1CVc1CC
Threatray: 7 similar samples on MalwareBazaar
TLSH: T17FE4D512221B8858F390D27791618AE6ED605FC62CE2C502FABE7F197F20F534EBD525
Reporter: Turkeytmfounder
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 266
Origin country: TR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Trojan.Autorun.ATA_virussign.com_6902b4158d8148c200ce8b7882bdb37a
Verdict: Malicious activity
Analysis date: 2023-09-07 11:16:13 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
Enabling autorun
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: explorer greyware keylogger lolbin overlay packed scar shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 84 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Behavior Graph ID: 1305488; Sample: 9quYRvwvzd.exe; Startdate: 07/09/2023; Architecture: WINDOWS; Score: 84. The rendered graph is not reproduced here. It shows the sample dropping PE32 files under C:\Users\user\AppData\... and starting them, each stage dropping and starting the next: Sysqemxgnvf.exe and Sysqamqqvaqqd.exe, then Sysqemhxbqv.exe, Sysqemfryrf.exe, Sysqemweihb.exe, Sysqemfkipk.exe, Sysqemeegfb.exe, Sysqemhyqfl.exe, Sysqemrsztu.exe, Sysqemeduke.exe, Sysqemdnpml.exe, Sysqemcacqq.exe, Sysqemounvm.exe, Sysqemfhsgr.exe, Sysqemtwxni.exe, Sysqemupfle.exe, Sysqemttxmw.exe and Sysqempsthp.exe. The signatures attached along the chain are "Antivirus detection for dropped file", "Multi AV Scanner detection for dropped file", "Machine Learning detection for dropped file", "Antivirus / Scanner detection for submitted sample" and "Creates an undocumented autostart registry key".
Threat name: Win32.Infostealer.QqPass
Status: Malicious
First seen: 2023-06-28 07:44:00 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 36 of 38 (94.74%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: e6e9e7f04e5834c13899e35b6f5e35adce5a8b6005f24a02a9e4156b903d5c93
MD5 hash: 6902b4158d8148c200ce8b7882bdb37a
SHA1 hash: dd4fffb6aea6bfb50191776eaa2792f8305b7e47
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MAL_Malware_Imphash_Mar23_1
Author: Arnim Rupp
Description: Detects malware by known bad imphash or rich_pe_header_hash
Reference: https://yaraify.abuse.ch/statistics/
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: PECompactv2xx
Author: malware-lu
Rule name: QbotStuff
Author: anonymous

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments