MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed8c742d1b4bcee625de4199c1392004568abc7bf677c9657e462756bce95c77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	ed8c742d1b4bcee625de4199c1392004568abc7bf677c9657e462756bce95c77
SHA3-384 hash:	5789bb7a55d64478cbdae448182792d56dcd237e4425ed0ae91d54011b13b5607ce7d85d19745cd503577368bc430276
SHA1 hash:	9eab5dfaee92816e7480f281f34b85539f3666fa
MD5 hash:	c6664fa3239eeb78300dcd61b03e88d9
humanhash:	equal-zulu-early-earth
File name:	c6664fa3239eeb78300dcd61b03e88d9.exe
Download:	download sample
File size:	2'839'390 bytes
First seen:	2023-09-01 20:21:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fa8d20faea9ef7b4e2b7fbfe93442593 (17 x RedLineStealer, 4 x CoinMiner, 3 x AgentTesla)
ssdeep	49152:mDkUrjENlk6WYGX+v7J/JQYe4KRKO31s+U/sLXuzo:m4UkNlnDPc4KRKOlsvqX3
Threatray	90 similar samples on MalwareBazaar
TLSH	T1CCD523217AC189B6D0325C3025E4A7B16F7DBD311B328BC79744AE3EAE704C16936B67
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c6664fa3239eeb78300dcd61b03e88d9.exe

Verdict:

Suspicious activity

Analysis date:

2023-09-01 20:34:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1a22efc4-bf36-4fac-b852-f00801290220

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/445693/

Detection(s):

SecuriteInfo.com.Trojan.Uztuby.4.19274.32072.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Launching a process

Sending a custom TCP request

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware lolbin overlay packed replace setupapi shdocvw shell32

Link:

https://www.filescan.io/uploads/64f247eeb7dd6394f70fa42c/reports/4d75d297-bbe5-4144-9b12-7cd1b0eb79e8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ed8c742d1b4bcee625de4199c1392004568abc7bf677c9657e462756bce95c77

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1e6f4080-8ab1-4138-bcaf-dff9337673fb

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1301928

Signature

Antivirus detection for dropped file

Machine Learning detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ed8c742d1b4bcee625de4199c1392004568abc7bf677c9657e462756bce95c77/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2023-08-31 10:04:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5wghili3jphomjo6igm4cojaarlivpd36z34szl6iytvnphjlr3q._file

Verdict:

malicious

427b5d1b32a8e17b94097a085094afcf86e857dcc8db0fd0b4bf7c50e6f3f349

63c4a15cd773f238eff00aa96951811734883b01d9460389aee9cdbe3edc437b

865ce93c33fd5a94da06f2267d3d0817b95c2af40a6fc64bb9de0191ae6dc93e

8ee0b8f40e58ae7ff46cb2779d8b0796071873d554d9d6ec4ae7207c9e26b865

9caad784222d3fb486822446983ef20eb408845146c9bf954bf2e185fb4e35d1

b4c2ff718a6f5c872387c54960848ea4798b78ac9ea50928106cf66a4bdffeb1

b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05

df4f2bd477daed3aa0c4665f2b989157fa971af504981ebd35c4af660d82ccb1

ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd

+ 80 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230901-y5kaqshh42/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

ed8c742d1b4bcee625de4199c1392004568abc7bf677c9657e462756bce95c77

MD5 hash:

c6664fa3239eeb78300dcd61b03e88d9

SHA1 hash:

9eab5dfaee92816e7480f281f34b85539f3666fa

Link:

https://www.unpac.me/results/30ada57f-b985-4d40-beee-7b0837feb6e5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ed8c742d1b4bcee625de4199c1392004568abc7bf677c9657e462756bce95c77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe ed8c742d1b4bcee625de4199c1392004568abc7bf677c9657e462756bce95c77

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2708245/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/445693/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample