MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e85f82c94a0ec6fedcc459c5ceee48e5f56c2708c704890420ee56e7c240f0b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e85f82c94a0ec6fedcc459c5ceee48e5f56c2708c704890420ee56e7c240f0b7
SHA3-384 hash: 8154b3cd579c5514ab9cb9ae6235064ba89534264718e87339e054b396c86fd61f5130314872c463b36f422f8c1864ba
SHA1 hash: 2b1f1b36dbc62d52d98f989e6bb90487dccb3a12
MD5 hash: 3a6ebd3377afdb9efc2195e7b6a00a69
humanhash: magnesium-arkansas-wisconsin-robert
File name:3a6ebd3377afdb9efc2195e7b6a00a69.exe
Download: download sample
File size:2'059'890 bytes
First seen:2022-01-15 08:40:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 24576:08qXhDyUY86L1xqRMjgEo5QfBU7HfLGLhBExe6KY/LJ6Wjv74xJ4s:084cxSyFpULadBa/dbjv74xJ4s
Threatray 1'131 similar samples on MalwareBazaar
TLSH T118950308A147E2BBFCFD08E3445090D4C29C7FAA7B128DCDE97AD58A141F542B7B6D86
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://crackedrar.com/
Verdict:
Malicious activity
Analysis date:
2022-01-14 11:02:14 UTC
Tags:
evasion trojan loader rat redline stealer vidar raccoon
Link:
https://app.any.run/tasks/bc179e84-8d38-40a2-823c-d0adbd1a69fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219471/
Detection(s):
SecuriteInfo.com.Heur.14498.18692.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4262/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay replace.exe setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/61e288a2f2e8ec86fe00e7b8/reports/6484eee4-9d65-4d41-8900-93eb493de490/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/921096
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Shell32 DLL Execution in Suspicious Directory
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553573 Sample: DJ2JDjsgAa.exe Startdate: 15/01/2022 Architecture: WINDOWS Score: 68 22 Antivirus detection for dropped file 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Machine Learning detection for dropped file 2->26 28 2 other signatures 2->28 9 DJ2JDjsgAa.exe 3 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\SutZB.cpl, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e85f82c94a0ec6fedcc459c5ceee48e5f56c2708c704890420ee56e7c240f0b7/
Threat name:
Win32.Ransomware.CerberCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-15 08:41:40 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3aa947c9f9eafb67064ea9cf2f0d1ec335a301a81e89f24faefefec3f6a0a2a3
3ca51190ba7eaccc49fe4f9194a9200eddd97b794564694a383dca290127e6b5
7147f6e289cc0c676b4d679a1c013d4cb0f399594acd5bdd2774911a5bca317a
8393c3c10fcfaad79ef8ae38575d1b26aa2d3ae45fb6ed47b4f506f7abda6b1b
951049989eb772c71ec4fa9f0685ab45cae755ca5d34cf3089fd791999fafa1c
ab7553549ec32422ee868e71eb96fae87439a4c1333e400d455f31d0b74c8ef2
c54ca1df46d817348c9bdf18f857459d7ca05c51f7f309e4d4de085136e3ed76
f2433dfba69148a0c3a5a5951d360b6c3c045090de06f11e273f13ccd01c42f3
+ 1'121 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220115-klfljsddf9/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
e85f82c94a0ec6fedcc459c5ceee48e5f56c2708c704890420ee56e7c240f0b7
MD5 hash:
3a6ebd3377afdb9efc2195e7b6a00a69
SHA1 hash:
2b1f1b36dbc62d52d98f989e6bb90487dccb3a12
Link:
https://www.unpac.me/results/b3119e02-e63f-41b2-b2c1-2b6bed001fba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e85f82c94a0ec6fedcc459c5ceee48e5f56c2708c704890420ee56e7c240f0b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219471/

Comments