MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecc0875b6f8ee2c3f8a2a6f89878ae855fa4f927ee5eb95f74a1c9c121c28119. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Healer

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	ecc0875b6f8ee2c3f8a2a6f89878ae855fa4f927ee5eb95f74a1c9c121c28119
SHA3-384 hash:	cbf9b6fb334fdaedccb22f928fc339fb22ac8da1fb63cec2f89d9330c11ca9640c0fc1ade2a08ce078d1fbea0319a77c
SHA1 hash:	d5c1ffd9fa85a5f94acfb7ac35d31c9cc9f2de05
MD5 hash:	6b4c31ed187d3cb945cb31fd46945550
humanhash:	december-south-kitten-oranges
File name:	Lisect_AVT_24003_G1A_35.exe
Download:	download sample
Signature	Healer Create hunting rule
File size:	1'780'736 bytes
First seen:	2024-07-25 01:57:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep	49152:mkp1T0pn6D783K0ctdvgfJaJ6bqwm4FM+Lb:/p1T0pn843K0ctdIfkJGG+Lb
Threatray	1'338 similar samples on MalwareBazaar
TLSH	T1C98533E80C69704AC0C6ABF1ABF55777A69C42A1B5E8D7C6DDA4C01B2783313BB4DC51
TrID	66.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 17.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.9% (.EXE) Generic Win/DOS Executable (2002/3) 7.9% (.EXE) DOS Executable Generic (2000/1)
Reporter	Anonymous
Tags:	exe Healer

Anonymous

this malware sample is very nasty!

Intelligence

File Origin

# of uploads :

# of downloads :

286

Origin country :

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Malware.Wapomi-10020301-0

Win.Packed.Zusy-10021181-0

Win.Packed.Misc-10021254-0

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Changing an executable file

Creating a window

Connection attempt to an infection source

Sending an HTTP GET request to an infection source

Сreating synchronization primitives

Searching for analyzing tools

Searching for the window

Launching a service

Modifying an executable file

Creating a file

Query of malicious DNS domain

Blocking the Windows Defender launch

Disabling the operating system update service

Infecting executable files

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed packed shell32 themidawinlicense

Link:

https://www.filescan.io/uploads/66a1b130bd793c18bfb673ac/reports/0421c35a-0b5b-4cee-9b04-074e4d85356a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Bdaejec

Detection:

malicious

Classification:

spre.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1481159

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies windows update settings

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has a writeable .text section

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses known network protocols on non-standard ports

Yara detected Bdaejec

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ecc0875b6f8ee2c3f8a2a6f89878ae855fa4f927ee5eb95f74a1c9c121c28119

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ecc0875b6f8ee2c3f8a2a6f89878ae855fa4f927ee5eb95f74a1c9c121c28119/

Threat name:

Win32.Virus.Jadtre

Status:

Malicious

First seen:

2024-07-25 01:58:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

36 of 38 (94.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5taiow3pr3rmh6fcu34jq6foqvp2j6jh5zplsx3uuhe4ciocqemq._file

Verdict:

malicious

Healer

5403268ea1575083dab2c9f9bc47c18da59014732302beed406a0a47e74a3d9b

Healer

5976758d76e46816931952000e2ec351fa11bc23fce04dc4d98bb1bcef567847

Healer

8f0b03436a56098a1f5b48c955b355f459503da260010df40ebd6b548894f6dc

Healer

cc3456df5b06b6f2cae266ee1be8efdfa9396fa97a4b54a68b64ed839989de56

Healer

+ 1'328 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

aspackv2 discovery evasion trojan

Link:

https://tria.ge/reports/240725-cdvfqsvckc/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Suspicious use of NtSetInformationThreadHideFromDebugger

ASPack v2.12-2.42

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Windows security modification

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Defender Real-time Protection settings

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/482365b0-ce8b-4dd8-a082-9774a5521710

Unpacked files

SH256 hash:

9e2201212513f74fe05d58e4313c3e8b1e717b13a46a8608d51dec23e93a39e5

MD5 hash:

f7b307184453f9374bf9880253c4d82b

SHA1 hash:

8753709e3710cc6dfe48d07baf43ec6e4509274b

Detections:

win_unidentified_045_auto

win_unidentified_045_g0

Link:

https://www.unpac.me/results/9c61b77f-5386-4a08-bf01-f36be15f37af/

SH256 hash:

ecc0875b6f8ee2c3f8a2a6f89878ae855fa4f927ee5eb95f74a1c9c121c28119

MD5 hash:

6b4c31ed187d3cb945cb31fd46945550

SHA1 hash:

d5c1ffd9fa85a5f94acfb7ac35d31c9cc9f2de05

Link:

https://www.unpac.me/results/9c61b77f-5386-4a08-bf01-f36be15f37af/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Healer

exe ecc0875b6f8ee2c3f8a2a6f89878ae855fa4f927ee5eb95f74a1c9c121c28119

(this sample)

Link

https://bbs.kafan.cn/forum-31-1.html

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (NX_COMPAT)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample