MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7bebacfd1f9b8da56abd31cdae5be1fd29246d2761439cb8a07993e0d16441c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7bebacfd1f9b8da56abd31cdae5be1fd29246d2761439cb8a07993e0d16441c
SHA3-384 hash: 566f76a0101e0fd5e1abd2f7acbe54c3bb9888d8dac8c17c877d6a4dbfc3d1c6a272efbf3c7441462fd478d29b68a2e7
SHA1 hash: 3eabb5ac2f1c55fc6c6cb52c8f275e2b3173c940
MD5 hash: 5dabe12587fe8a00defe796fbc10f44d
humanhash: iowa-paris-fillet-jersey
File name:DumpedB64Str-B64Decoded.bin
Download: download sample
File size:49'152 bytes
First seen:2022-06-10 17:53:38 UTC
Last seen:2022-06-10 18:49:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a50e815adb2cfe3e58d388c791946db8 (2 x njrat, 2 x DCRat, 1 x Lucifer)
ssdeep 768:Upm7BcEKNvBcvL6VeRNL1a6ZO4PTPz+o+CKr3zQ4NuVVWgP4+zCM2zrIZrnbcuyW:UpfEKNCj6VoJl9Go5K7s4Nu3oanouy8d
Threatray 183 similar samples on MalwareBazaar
TLSH T1AE23F143E6C979EAE068A0785C5F2C646FCCD73972D08375F8D1377A6EA0A070B2D619
TrID 41.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
25.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Ledtech3
Tags:exe


Avatar
Ledtech3
Extracted B64 string from 2 layer obfuscation JS.
This is the base64 decoded exe.

Intelligence

File Origin
# of uploads :
2
# of downloads :
346
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice payment.js
Verdict:
Malicious activity
Analysis date:
2022-06-10 16:51:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/09d93d3f-c380-49ad-855a-c92b9a71207a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/278748/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll wacatac
Link:
https://www.filescan.io/uploads/62a3857973b91c38f67e1864/reports/98b84a10-4793-4d63-b2b3-ee80a439da74/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a4959529-bb17-400e-a29a-b87dfe74ca54
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1011046
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Disables Windows Defender (via service or powershell)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 643539 Sample: DumpedB64Str-B64Decoded.bin Startdate: 10/06/2022 Architecture: WINDOWS Score: 72 23 Antivirus detection for URL or domain 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Machine Learning detection for sample 2->29 7 DumpedB64Str-B64Decoded.exe 8 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        signatures5 31 Disables Windows Defender (via service or powershell) 9->31 12 powershell.exe 9->12         started        15 powershell.exe 21 9->15         started        17 powershell.exe 22 9->17         started        19 17 other processes 9->19 process6 dnsIp7 21 192.168.2.1 unknown unknown 12->21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7bebacfd1f9b8da56abd31cdae5be1fd29246d2761439cb8a07993e0d16441c/
Threat name:
Win32.Hacktool.DefeatDefend
Create hunting rule
Status:
Malicious
First seen:
2022-06-10 17:33:00 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
18 of 26 (69.23%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=467lvt6r7g4nuvvl2monvzn6d7jjerwsoykdts4ka6mt4diwiqoa._file
Verdict:
unknown
Similar samples:
0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81
15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259
36e08c2df39cd84d8969a95de6a6882fbc954e7ca31a5a5d4be8ec33cfa84649
7943a6d36a817ca1a9c78a7c47841ae13b558a1aa8ae7d7771d7cc3f77bf3610
9c719aaa5adbdf8ba903ae66183fcbcdd1092ed8b5b4fb2e1029a9a8bd42bb48
beedb7cc465933bc983dab4c41f8464d985ec15680f60dec4f27e0a96e88939d
cdbed3a79d37d581fc5be268df61e13aaafa5c88a001f4e8b298d77c4b37ae13
d0f8a2be536ca434da7734bd318d2a88ea5005f47d518c30ff611185f42c3701
f8836908ca99f66289c94aa2f71948d9edd985d4320116a10c8d926af67987e0
+ 173 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion exploit upx
Link:
https://tria.ge/reports/220610-wgvqfsdhcr/
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Modifies file permissions
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Possible privilege escalation attempt
UPX packed file
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe
https://filebin.net/b5aekxnrmokmhn8s/win.js
Unpacked files
SH256 hash:
a0bb62f64b56c9ba7cf6672ffc30141b83763fb7fece4c55284d1fab65529ac6
MD5 hash:
935efee52d7c9761b93bf19470a233b2
SHA1 hash:
49310de06329d5b0d275d445f3e1d27e8ba5a868
Link:
https://www.unpac.me/results/c4bfb49b-9188-4f7d-975a-1d37e71f49df/
SH256 hash:
e7bebacfd1f9b8da56abd31cdae5be1fd29246d2761439cb8a07993e0d16441c
MD5 hash:
5dabe12587fe8a00defe796fbc10f44d
SHA1 hash:
3eabb5ac2f1c55fc6c6cb52c8f275e2b3173c940
Link:
https://www.unpac.me/results/c4bfb49b-9188-4f7d-975a-1d37e71f49df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7bebacfd1f9b8da56abd31cdae5be1fd29246d2761439cb8a07993e0d16441c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/278748/

Comments