MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8681efd888395026e420acffe3df7b45e990d0a917aec3f09c741d4d8ccfba6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8681efd888395026e420acffe3df7b45e990d0a917aec3f09c741d4d8ccfba6
SHA3-384 hash: 9a5cbc01db044768bca9afe076ac20482922164062550a0a3d2cee40c35071453b12459583a4bdc124d694e11b822841
SHA1 hash: e1f3138e173736985cdcf7b71a07d2c9db2481d0
MD5 hash: 02b2d1e3bc6e924e7ec11bdd9c32435d
humanhash: zulu-jersey-wisconsin-batman
File name:Накладная №12-6317-3621.exe
Download: download sample
File size:357'889 bytes
First seen:2021-11-15 08:23:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 6144:gOYGXaPNxdgSdcq2pVZPOJHAbK/egjnOtOjgndMJ36lrc:0GqN/XdctpVtkPewnOtHdMp6l
Threatray 1'185 similar samples on MalwareBazaar
TLSH T1ED74CF02F6D188B2D57319325A35EB256E3C7D201F349B2FA3D469AD9A312C27235F63
File icon (PE):PE icon
dhash icon 74e4d4d6d4c4d4d4 (2 x DarkWatchman)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Накладная №12-6317-3621.rar
Verdict:
Malicious activity
Analysis date:
2021-11-15 06:19:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/40aeded1-730c-493c-a62a-e1e829ac3bca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205801/
Detection(s):
SecuriteInfo.com.PUA.Tool.BtcMine.2110.19075.28917.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Modifying an executable file
Creating a file
Moving a file to the %temp% directory
Deleting a recently created file
Creating a process with a hidden window
Launching a service
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Moving of the original file
Deleting volume shadow copies
Deleting of the original file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61921924a00afa9663a81dcd/reports/bc5c9c7f-367c-43d7-9d17-a346bfc99dac/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15da6460-b50c-4e36-9341-7f615fd9b863
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889327
Signature
Contains functionality to log keystrokes (.Net Source)
Creates processes via WMI
Deletes shadow drive data (may be related to ransomware)
Encrypted powershell cmdline option found
Installs a global keyboard hook
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious PowerShell Invocations - Generic
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 521802 Sample: #U041d#U0430#U043a#U043b#U0... Startdate: 15/11/2021 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for submitted file 2->41 43 Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities 2->43 45 Suspicious powershell command line found 2->45 47 10 other signatures 2->47 8 wscript.exe 3 20 2->8         started        12 powershell.exe 25 2->12         started        15 #U041d#U0430#U043a#U043b#U0430#U0434#U043d#U0430#U044f #U211612-6317-3621.exe 3 9 2->15         started        process3 dnsIp4 37 bfdb1290.top 91.208.206.44, 443, 49762, 49763 ALEXHOSTMD unknown 8->37 39 192.168.2.1 unknown unknown 8->39 51 System process connects to network (likely due to code injection or exploit) 8->51 53 Tries to harvest and steal browser information (history, passwords, etc) 8->53 55 Creates processes via WMI 8->55 33 C:\Users\user\AppData\...\2szbevyy.cmdline, UTF-8 12->33 dropped 57 Installs a global keyboard hook 12->57 17 csc.exe 3 12->17         started        20 conhost.exe 12->20         started        35 C:\Users\user\AppData\Local\...\134121811.js, ASCII 15->35 dropped 22 wscript.exe 3 4 15->22         started        file5 signatures6 process7 file8 31 C:\Users\user\AppData\Local\...\2szbevyy.dll, PE32 17->31 dropped 25 cvtres.exe 1 17->25         started        49 Deletes shadow drive data (may be related to ransomware) 22->49 27 vssadmin.exe 1 22->27         started        signatures9 process10 process11 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8681efd888395026e420acffe3df7b45e990d0a917aec3f09c741d4d8ccfba6/
Threat name:
Win32.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 08:24:07 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5bub57miqokqe3scblh74ppxwrpjsdiksf5oypyjy5a5jwgm7ota._file
Verdict:
malicious
Similar samples:
4d45b8210c1a3ee305e9adcf9f7e055b562c6c8977e1210782a9a57155123417
59dde91666a7dfcb1d2c8ad1f5e4a8ed7ede43b084ac1c13be4be00a0342afee
5c1ef7cfd4682402744f14978af8383c9153e52db9ecf4926596b898f1dd32da
61ee3bd82bed03dd0f3fb9bc9b76b7da972a90d3c12c8e4d5e967440a2f04c00
85d76035d54c26a27f643b8206fae99762ec70c76de69ac6ec5161837a941ecf
b63239750d318dd30d49256b14c3d82841b562fb1bdabd8ba93f85c18e6edade
c03005da40fab995feb7ab61994ce2421b206164e8a72192be8f3835cc2a5a3a
c4a61b581890f575ba0586cf6d7d7d3e0c7603ca40915833d6746326685282b7
ce06efe2c18c75da9d9535b4328677f4136a3f04ea666d037bf55dce7c9b7c57
e9200c8a5ccb0bca2e40d3f618b056a552fbd7247396904a0d8ea70164fee886
+ 1'175 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware spyware stealer
Link:
https://tria.ge/reports/211115-kaqblshfb6/
Behaviour
Checks processor information in registry
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Drops desktop.ini file(s)
Reads user/profile data of web browsers
Deletes itself
Blocklisted process makes network request
Deletes shadow copies
Process spawned unexpected child process
Unpacked files
SH256 hash:
e8681efd888395026e420acffe3df7b45e990d0a917aec3f09c741d4d8ccfba6
MD5 hash:
02b2d1e3bc6e924e7ec11bdd9c32435d
SHA1 hash:
e1f3138e173736985cdcf7b71a07d2c9db2481d0
Link:
https://www.unpac.me/results/eada0abd-2c18-49d5-8e9b-a77ac3021346/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e8681efd8883/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8681efd888395026e420acffe3df7b45e990d0a917aec3f09c741d4d8ccfba6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205801/

Comments