MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee90eed51dae78e750028e905b9f3dd61af7407bf82b19c666e9549b6e982a62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	ee90eed51dae78e750028e905b9f3dd61af7407bf82b19c666e9549b6e982a62
SHA3-384 hash:	8fa8748f5431d756161990be1f9080b980ce0b7664bc5e9bae0295028c17e65005233e4011bef9870e81c87d22cc3d98
SHA1 hash:	6079f8fa3c80d99d54c4ae25233b831f3badd327
MD5 hash:	977a7637cdb3530d61315a694cd84bf0
humanhash:	jersey-india-ten-zebra
File name:	ee90eed51dae78e750028e905b9f3dd61af7407bf82b19c666e9549b6e982a62
Download:	download sample
File size:	641'863 bytes
First seen:	2020-03-23 15:58:03 UTC
Last seen:	2020-03-23 16:17:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	484fbc0ffce59a425af0c5d5969262ff
ssdeep	12288:0qv5dQPaVvHLyHWS4f/UKDW7CR8dlk1uxe/aUwEF7h4aX:7v7WULy2SJKDWWR8dlk1uIiUBV6aX
Threatray	166 similar samples on MalwareBazaar
TLSH	83D49F22F5C5C076C2A232B19F7FF76A973E65360322D2D727C82D715EA04416B2A763
Reporter	Marco_Ramilli
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Win.Trojan.Hacktool-1470

Gathering data

Threat name:

Win32.Trojan.Proxychanger

Status:

Malicious

First seen:

2019-07-13 04:58:49 UTC

AV detection:

29 of 47 (61.70%)

Threat level:

2/5

Verdict:

malicious

62e2d0479075cb28a37635972b9d3ad111e77b86b70de000409e11fe3f1d025a

647260f08017b3f63e2c5178e751b9d37503850cc18aeaa367506e7808b1e249

6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36

8a72a55d126b69bda2f37fd88050aeed02d97733f6777759b542db8a442435bc

aff4652e2ee285a5ad71717a36e215c1eb59787d74e73a763701b0a5f68751a7

c5b5ff5c176413573053cc64019bff9c9ca516d27fcbf2611505083c892c2751

dce0fd32e1a722b27a3d60dc55016edbbfe763d3ec5aa10de6a6455e062b1432

ed105272dc3c77f54e7d170474afa6590a98477e6b076d7e5d1cf6c5e152319d

fb400e7c4b16ab67fa5c080f8b1e7f7db965b77d097526a6a28ef5ca34f24bd9

+ 156 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe ee90eed51dae78e750028e905b9f3dd61af7407bf82b19c666e9549b6e982a62

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/217933/

URLhaus

https://urlhaus.abuse.ch/url/221870/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::CopySid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetAce USER32.dll::GetUserObjectSecurity ADVAPI32.dll::InitializeAcl ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl ADVAPI32.dll::GetTokenInformation
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::UnlockServiceDatabase
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample