MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edb7c1252fc4d53a733afe5b74dfab6395bcd90ea2c3cf0664e3b610e84e24d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adhubllka


Vendor detections: 13



SHA256 hash: edb7c1252fc4d53a733afe5b74dfab6395bcd90ea2c3cf0664e3b610e84e24d6
SHA3-384 hash: 4a89761530ffc1714ff508c8e53933abd824d7b50fc6187dba9ec43200a3f18edb9b4a0fd2b2c30f9f171398ea8c82eb
SHA1 hash: fc8930cd264393552727a457efbbea67e60e49e5
MD5 hash: 13d8c2f2cdf5f6208c3e999621019304
humanhash: robert-mobile-green-lake
File name: 13d8c2f2cdf5f6208c3e999621019304.exe
Signature: Adhubllka
File size: 905'728 bytes
First seen: 2022-12-01 13:50:28 UTC
Last seen: 2022-12-01 17:31:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:qJm9QjL9Qa8P6artQ2EIcs8A5jX7BIBi8pV4VpQWsNTAvc1NfpHsVfdc:qQ6jJQa8PTt5EIcs8WpB8pnzTUcO
Threatray: 5'101 similar samples on MalwareBazaar
TLSH: T19415ADEA13955D93D9097DBF5ECCB84E22AE09B3CFFE95C81E14B84106B66598E00FC1
TrID: 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.8% (.SCR) Windows screen saver (13097/50/3)
      8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: abuse_ch
Tags: Adhubllka exe Ransomware

Intelligence


File Origin
# of uploads: 2
# of downloads: 534
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 13d8c2f2cdf5f6208c3e999621019304.exe
Verdict: Malicious activity
Analysis date: 2022-12-01 13:51:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Changing a file
Moving a recently created file
Creating synchronization primitives
Modifying an executable file
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Launching a process
Encrypting user's files
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: BitRansomware
Verdict: Malicious
Result
Threat name: Cryptolocker, ObzCrypt
Detection: malicious
Classification: rans.spre.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
Drops executable to a common third party application directory
Found ransom note / readme
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected AntiVM3
Yara detected Cryptolocker ransomware
Yara detected ObzCrypt Ransomware
Threat name: ByteCode-MSIL.Trojan.Woreflint
Status: Malicious
First seen: 2022-12-01 13:11:08 UTC
File Type: PE (.Net Exe)
Extracted files: 25
AV detection: 16 of 26 (61.54%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence ransomware
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Modifies Installed Components in the registry
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash: 404efdeb9931733904da07f96fabeb72
SHA1 hash: 7ce363cd612f1d9a90b33ec196c4d0a49cdaee02

SHA256 hash: 12038912f9038bfdfe3a0c8fed6a5d0ca3519ec9f1ab57e0ccf239e32944cd34
MD5 hash: a54f230f14b9196720b31c37a85ce2f0
SHA1 hash: 63c03ff569356fe9bd066890608d5e15e275fe36

SHA256 hash: 269a4d7b29b8e1883c505676dc03357f317f9214af0854f518d4778cfad1f7f5
MD5 hash: 6794e632ac61a87e6c53c7cf4086798a
SHA1 hash: 142dc4f2ea0dd132d9614f86b9bcda03c7d5cc77
Detections: win_adhubllka_auto win_adhubllka_a0

SHA256 hash: 5826a994056ef7c781c0965bf0ac9802d5ba6c5f28478b2187c208992aca5b3e
MD5 hash: e1e4638e747a5a0b2a3bbac230c05689
SHA1 hash: 8854df05277927d2d1f815fc4d5c8baeed4bd743

SHA256 hash: dddd6c322082b3fd7bab65d06cc977652f2fe25c01acaaf69fc1ef219a45caa1
MD5 hash: 68d556831db9ae562a50b2adba551994
SHA1 hash: fabfbab5645a62d91b8ad967f216c2e28edfed69

SHA256 hash: 7114e643f891fc4a6d81138d9f1a773366d632ad7e41a36f50ba4a82d14df9ad
MD5 hash: 1463ca65807b52912581a0cba24dbe8f
SHA1 hash: f177421e6bcab34a75846aeb4c4763c18c527beb

SHA256 hash: 5fd51b234cdf078ea24d5d65ffadd2e75932e81bc227fc023e70c25f4e85bd64
MD5 hash: 399f19d153346a0f91cbf31cbff6104f
SHA1 hash: e975c87859350deb5f8db3bf1d7a1fc163255e93

SHA256 hash: 82d63303fd49f3a9d52e95393fc5bb581bbe9d650d67ee7ccf3f4a0b5554630a
MD5 hash: 6de80def7e5cd1405b1f45b0432946f4
SHA1 hash: e21dd25de14a142e85cb6fd593b7fdd0b107a24b

SHA256 hash: 8bb26764d7891d0f048cad5d84c999756d7041a128574b8225e7b62e195bdac6
MD5 hash: dd2b341d6b85f7dacfb449bd05583d6a
SHA1 hash: 55b579fb8903b106c6582d861175fe53bfde3890

SHA256 hash: e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash: 5cac4fe734fc8454ccb847e030beee38
SHA1 hash: 34298fe220e35f614b2c837cf1dc2604ab0882d6

SHA256 hash: edb7c1252fc4d53a733afe5b74dfab6395bcd90ea2c3cf0664e3b610e84e24d6
MD5 hash: 13d8c2f2cdf5f6208c3e999621019304
SHA1 hash: fc8930cd264393552727a457efbbea67e60e49e5
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Adhubllka
File: Executable exe, SHA256 edb7c1252fc4d53a733afe5b74dfab6395bcd90ea2c3cf0664e3b610e84e24d6 (this sample)

Delivery method: Distributed via web download
