MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e741fb9d0eb11801dd163875479a8b56eff8ae5f3ca1987b996026f752693641. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e741fb9d0eb11801dd163875479a8b56eff8ae5f3ca1987b996026f752693641
SHA3-384 hash: 937f1d09edb93233482272cd2feeb43a13e08d6a692edbbada9e20d282726cf0e5d322349b4d7237fcf9944a917451bb
SHA1 hash: b0c6aff2a1725520bf76755375c2900ccfb2f742
MD5 hash: 1359c6354ca6f617b36c738abdb993bb
humanhash: iowa-massachusetts-neptune-indigo
File name:e741fb9d0eb11801dd163875479a8b56eff8ae5f3ca1987b996026f752693641
Download: download sample
File size:327'680 bytes
First seen:2023-06-04 14:38:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1df8cb8522279878b0df9a32811e38ae (1 x Sality)
ssdeep 3072:0OXQ2G+IpQZQne73qe8UzT+nWwXjDRJWwXjDRgjDRbL7oZC:7vGlpQE4qNUzCr
TLSH T143645C4296765AD1D818CD30059324F556FE2C1238079E56F36BFB1F39BBED0AE0E622
TrID 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1c9aa4baa2a2a000 (1 x Floxif, 1 x Brontok, 1 x Worm.Svich)
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Asif P.exe.zip
Verdict:
Malicious activity
Analysis date:
2022-10-25 15:10:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/97f64c39-ee9d-43af-b4fc-8e1fdfe77cfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/395552/
Detection(s):
Win.Malware.Daws-6827444-0
Create hunting rule

Win.Trojan.Agent-1276092
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Launching cmd.exe command interpreter
DNS request
Enabling the 'hidden' option for recently created files
Launching a process
Launching the process to interact with network services
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Unauthorized injection to a recently created process by context flags manipulation
Creating a file in the mass storage device
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/89323/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun lolbin poison shell32.dll threat zusy
Link:
https://www.filescan.io/uploads/647ca20707ae46a8644a0391/reports/327cc9b4-18ae-4dac-84f8-0fc9b0112fd9/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/e741fb9d0eb11801dd163875479a8b56eff8ae5f3ca1987b996026f752693641
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a713dabb-0c29-4295-b85f-02176c5fac08
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094475
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Gathers network related connection and port information
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs a network lookup / discovery via ARP
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses netstat to query active network connections and open ports
Writes or reads registry keys via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 727113 Sample: Asif P.exe Startdate: 20/10/2022 Architecture: WINDOWS Score: 100 56 Antivirus / Scanner detection for submitted sample 2->56 58 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 6 other signatures 2->62 12 Asif P.exe 2->12         started        15 wmimgmt.exe 2->15         started        process3 signatures4 72 Injects a PE file into a foreign processes 12->72 17 Asif P.exe 4 12->17         started        20 wmimgmt.exe 15->20         started        process5 file6 50 C:\ProgramData\wmimgmt.exe, PE32 17->50 dropped 52 C:\ProgramData\wmimgmt.exe:Zone.Identifier, ASCII 17->52 dropped 22 wmimgmt.exe 17->22         started        process7 signatures8 64 Antivirus detection for dropped file 22->64 66 Multi AV Scanner detection for dropped file 22->66 68 Detected unpacking (changes PE section rights) 22->68 70 5 other signatures 22->70 25 wmimgmt.exe 1 7 22->25         started        process9 dnsIp10 54 192.168.2.1 unknown unknown 25->54 28 cmd.exe 4 25->28         started        process11 signatures12 74 Uses cmd line tools excessively to alter registry or file data 28->74 76 Uses netstat to query active network connections and open ports 28->76 78 Uses ipconfig to lookup or modify the Windows network settings 28->78 80 2 other signatures 28->80 31 systeminfo.exe 1 1 28->31         started        34 NETSTAT.EXE 28->34         started        36 net.exe 1 28->36         started        38 18 other processes 28->38 process13 signatures14 82 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 31->82 84 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 31->84 86 Writes or reads registry keys via WMI 31->86 40 cmd.exe 34->40         started        42 net1.exe 1 36->42         started        44 net1.exe 1 38->44         started        46 net1.exe 38->46         started        process15 process16 48 ROUTE.EXE 40->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e741fb9d0eb11801dd163875479a8b56eff8ae5f3ca1987b996026f752693641/
Threat name:
Win32.Worm.Hilgild
Create hunting rule
Status:
Malicious
First seen:
2014-09-03 04:17:00 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
36 of 37 (97.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=45a7xhiowemadxiwhb2upgulk3x7rls7hsqzq64zmatpoutjgzaq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/230604-rz96mscd93/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers network information
Gathers system information
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Grants admin privileges
Unpacked files
SH256 hash:
dbe00190bb079a0aeb7710fa4ebb119aa78c5314a3144f99eaa856f4bf617a60
MD5 hash:
d8b49bdc063736a75a88819bc294f300
SHA1 hash:
1a5dfd601b74405e8e190a51105389a0e3ee5e1b
Link:
https://www.unpac.me/results/e9653060-25de-4d26-a050-adc8fc25b545/
SH256 hash:
e741fb9d0eb11801dd163875479a8b56eff8ae5f3ca1987b996026f752693641
MD5 hash:
1359c6354ca6f617b36c738abdb993bb
SHA1 hash:
b0c6aff2a1725520bf76755375c2900ccfb2f742
Link:
https://www.unpac.me/results/e9653060-25de-4d26-a050-adc8fc25b545/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e741fb9d0eb11801dd163875479a8b56eff8ae5f3ca1987b996026f752693641

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e741fb9d0eb11801dd163875479a8b56eff8ae5f3ca1987b996026f752693641

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/395552/

Comments