MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eabfca6fb37cd39ac18b5d72c3c6c7c8dd795f59833d65bf0bf2f2d9fa9d5bcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eabfca6fb37cd39ac18b5d72c3c6c7c8dd795f59833d65bf0bf2f2d9fa9d5bcc
SHA3-384 hash: f58e89bea6f4760e86c3c6817c1603d519c054c0366585fbd0343621759c47e7b58e6e98438abda8a6e9165c497e14ad
SHA1 hash: 22be3de842dc49ff2aab6ea2d5e7c283b05ec916
MD5 hash: f9d327c5065f1b317c4db0148d15a3e7
humanhash: lamp-kansas-single-carpet
File name:f9d327c5065f1b317c4db0148d15a3e7
Download: download sample
File size:17'766'051 bytes
First seen:2021-08-23 14:02:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d1f0da408c33eebb70b9bfa17b7fddc (4 x njrat, 1 x Jadtre)
ssdeep 393216:A98bEQqMRzQi9zYJARA47oNfcqttWvkAKPUuj9cfQKRHZECk/l:A0EQqI9LAaonSv/KPpCfr1kN
Threatray 119 similar samples on MalwareBazaar
TLSH T13507336235A75433DDFA42700434E374DD31EDB9A340A57FBB84AA3A6A30FC64762927
dhash icon cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f9d327c5065f1b317c4db0148d15a3e7
Verdict:
Malicious activity
Analysis date:
2021-08-23 14:09:14 UTC
Tags:
installer
Link:
https://app.any.run/tasks/0c6d2900-685e-4a0e-ad7c-6aa4c58dc514

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Deleting a recently created file
Replacing files
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4e52faa-f4eb-4304-b106-576f6e1a9b65
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/837578
Signature
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Anomaly
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 470010 Sample: hxWznLF6cs Startdate: 23/08/2021 Architecture: WINDOWS Score: 76 34 Antivirus detection for dropped file 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 2 other signatures 2->40 8 hxWznLF6cs.exe 314 2->8         started        process3 file4 26 C:\Users\user\Desktop\xConquer Launcher.exe, PE32 8->26 dropped 28 C:\Users\user\Desktop\play.exe, PE32 8->28 dropped 30 C:\Users\user\Desktop\AutoPatchRestart.exe, PE32 8->30 dropped 32 5 other files (1 malicious) 8->32 dropped 11 play.exe 6 8->11         started        process5 signatures6 42 Contains functionality to compare user and computer (likely to detect sandboxes) 11->42 14 cmd.exe 1 11->14         started        16 cmd.exe 1 11->16         started        process7 process8 18 regsvr32.exe 58 14->18         started        20 conhost.exe 14->20         started        22 regsvr32.exe 16->22         started        24 conhost.exe 16->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eabfca6fb37cd39ac18b5d72c3c6c7c8dd795f59833d65bf0bf2f2d9fa9d5bcc/
Threat name:
Win32.Virus.Kudj
Create hunting rule
Status:
Malicious
First seen:
2021-08-13 11:07:35 UTC
AV detection:
33 of 46 (71.74%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
09f671389b1751b349057fbb454c9a8263e95fbb8af54f47a016abad4a925472
329e8814efa351d1c58c275981a39cf0a9ef0f50d8eb8db9bbb8f70020d75204
3494fdebd477fb45b537334f415f6e7b56ad7aa2764f80472ee7cb705d30eb65
4d4b219a3788d8e40bd7083d421e3d7d399a065bd53afb6e74d3fb7ab2bc09bd
7097b016e2aead3d213343e1de7332fddc4d83e2e8c2f8329460738cb2dbea4d
79ffbaa84a7808f62c8d2453e7e7ad96312da7e7b2e0b62c02d38f4de75eb3ca
7dc5a00ea0996d4edb8fbee2a9d2caa97ece60b4d5f755c3e82a06205ee2a385
8747896fc2d331a7dc2f3f216e4af54da9b02fecc3e17172de74ed0b85f9ce09
8b366eb1d6c2c558154131e350708add274315d91733f89a29d8306f53c4d09c
9e2bea46ed015f98e1fb7591e83f1cac52c51f5e3f004cc6a57c508dcef134e0
+ 109 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210823-xxdakeyxan/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
3963a3ee47280c670c68f4db26be5d7d68f0c5261e4e237b3c2bac200400312c
MD5 hash:
e476f8569a98df917d89e44bafc4941a
SHA1 hash:
bf26ee0bfabd984b5d57d47e6fb0098ec3efbe25
Link:
https://www.unpac.me/results/f82f1e71-5373-4d11-a35b-90d494ebf4ad/
SH256 hash:
eabfca6fb37cd39ac18b5d72c3c6c7c8dd795f59833d65bf0bf2f2d9fa9d5bcc
MD5 hash:
f9d327c5065f1b317c4db0148d15a3e7
SHA1 hash:
22be3de842dc49ff2aab6ea2d5e7c283b05ec916
Link:
https://www.unpac.me/results/f82f1e71-5373-4d11-a35b-90d494ebf4ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eabfca6fb37cd39ac18b5d72c3c6c7c8dd795f59833d65bf0bf2f2d9fa9d5bcc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe eabfca6fb37cd39ac18b5d72c3c6c7c8dd795f59833d65bf0bf2f2d9fa9d5bcc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1557432/

Comments


Avatar
zbet commented on 2021-08-23 14:02:10 UTC

url : hxxp://185.107.96.180/patches/7251.exe