MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb55211ca3b233555397cecf32ac0a86ec85983a1fd1f50bb04d727dddf6b1ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: eb55211ca3b233555397cecf32ac0a86ec85983a1fd1f50bb04d727dddf6b1ec
SHA3-384 hash: 769f8ac3ed9ffeb4204e90d4550aea72d704878930498a7c9a7a737a2725aa73c9d6fbed76b59d4024fb872c7aa6cc6b
SHA1 hash: 98827c8abb2c0978b9bd07112e19eae749e32ea8
MD5 hash: 134f38893e5e9d1a83601dd197799c30
humanhash: white-sweet-xray-mars
File name: AlphaSeed2.dll
File size: 8'501'760 bytes
First seen: 2023-05-18 14:02:00 UTC
Last seen: 2023-05-20 14:52:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b4c4fb8544301dd3b209a1faaf92a626
ssdeep: 196608:QnNx32jvLKtt+uUtEYgT4TYMwccgXx2TIkkcdB3J5Epja:QnNcjDKCuM7gTXMwc9x2N/3eja
TLSH: T1558623BD727833A8C01EC9345533ED06B3F9562F95E8CA6A76CFB9C06F9A4009681F45
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter JaffaCakes118

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 47
Origin country: GB
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug packed packed
Verdict:
Malicious
Labeled as:
Trojan[Packed]/Win64.VMProtect
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Signature
Detected VMProtect packer
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by executing a special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Behavior Graph ID: 869305; Sample: AlphaSeed2.dll.exe; Startdate: 18/05/2023; Architecture: WINDOWS; Score: 92. The graph image is not reproduced here; its process tree, contacted hosts, dropped files and signatures are summarised below (indentation shows parent/child process relationships).

Sample (root)
    Contacts: nid.naver.com, mail.naver.com.nheos.com, 2 other IPs or domains
    Signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Detected VMProtect packer; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    loaddll64.exe
        Signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Tries to evade analysis by executing a special instruction (VM detection); Tries to detect debuggers (CloseHandle check)
        rundll32.exe
            Dropped: C:\Users\user\...\tmp5fc048558f41a.dat (copy), PE32+
            Signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Tries to detect debuggers (CloseHandle check); Hides threads from debuggers
            cmd.exe
                regsvr32.exe
                    Contacts: 127.0.0.1, mail.naver.com.nheos.com, mail.naver.com
                    Signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Tries to detect debuggers (CloseHandle check); Hides threads from debuggers
                    cmd.exe
                        Signatures: Uses cmd line tools excessively to alter registry or file data
                        conhost.exe
                        reg.exe
                    chrome.exe
                        chrome.exe
                            Contacts: ssl.pstatic.net.nheos.com, ssl.pstatic.net, 4 other IPs or domains
                conhost.exe
            3 other processes
                conhost.exe
                3 other processes
        regsvr32.exe
            Dropped: C:\Users\user\.edge\powermgmt.dat, PE32+
            Signatures: System process connects to network (likely due to code injection or exploit); Uses cmd line tools excessively to alter registry or file data; Tries to evade analysis by executing a special instruction (VM detection)
            cmd.exe
                Signatures: Uses cmd line tools excessively to alter registry or file data
                conhost.exe
                reg.exe
            3 other processes
                conhost.exe
                conhost.exe
                2 other processes
        cmd.exe
            rundll32.exe
                Signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Tries to detect debuggers (CloseHandle check); Hides threads from debuggers
        3 other processes
    regsvr32.exe
        Contacts: mail.naver.com.nheos.com, mail.naver.com
        Signatures: Hides threads from debuggers
        cmd.exe
            2 other processes
        chrome.exe
            chrome.exe
                Contacts: ssl.pstatic.net.nheos.com, ssl.pstatic.net, 4 other IPs or domains
    regsvr32.exe
        cmd.exe
            2 other processes
        chrome.exe
            Contacts: 192.168.2.1
            chrome.exe
                Contacts: ssl.pstatic.net.nheos.com, ssl.pstatic.net, 4 other IPs or domains
Result
Malware family:
n/a
Score:
7/10
Tags:
persistence
Behaviour
Modifies registry key
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Unpacked files
SHA256 hash:
eb55211ca3b233555397cecf32ac0a86ec85983a1fd1f50bb04d727dddf6b1ec
MD5 hash:
134f38893e5e9d1a83601dd197799c30
SHA1 hash:
98827c8abb2c0978b9bd07112e19eae749e32ea8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments