MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eee0f2f6b2524498f8287f95dd184828a044677700d61e2c0a109866f3dd504d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eee0f2f6b2524498f8287f95dd184828a044677700d61e2c0a109866f3dd504d
SHA3-384 hash: 5aa3a82bff5308c357e1f57b711bd9f8b0942b7e5bfd4cd40656677e36aaf28b1aca6c90d8f26ca5e54564ce79067e77
SHA1 hash: b8499d3cb5d906b6e3c3e381a348298fc28225c2
MD5 hash: 45299d77edb17dc48eccec70e928d9ea
humanhash: early-november-bacon-sweet
File name:win.exe
Download: download sample
File size:905'728 bytes
First seen:2022-10-11 11:51:12 UTC
Last seen:2022-11-17 02:16:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f602d8bfef6549a83e5cdb863ea92452
ssdeep 12288:VLwIQ6PoWYgeWYg955/155/ZEAm5wUMJlizoJBmvDx6cVKBmhkyfxGJH5q/Z1bLI:hwIQ6PEAmSUcGp7xtnxGw
Threatray 2'774 similar samples on MalwareBazaar
TLSH T18B15DF8AA3A407F8E0BBC03889524646E772BC0547719BDF23E4566A5F331E25E3F761
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d8949494d4b8f8e3 (2 x ARCrypter)
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
win.exe
Verdict:
Malicious activity
Analysis date:
2022-10-11 11:51:24 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/650946ca-aebb-4f97-91de-b24412dc8e8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318930/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62541666.31032.15586.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Creating a file
Launching a process
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Modifying an executable file
Delayed reading of the file
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42491/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/634558e433e66132ed02abf6/reports/934e1e49-1d48-42be-b63b-5c6e7699abe7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb7c3bb7-e5df-4b6f-9629-c707f34da17a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1087939
Signature
Found Tor onion address
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720531 Sample: win.exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 52 28 Multi AV Scanner detection for submitted file 2->28 30 Found Tor onion address 2->30 7 win.exe 2 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        12 cmd.exe 1 7->12         started        14 conhost.exe 7->14         started        file5 26 C:\Users\user\Desktop\win.exe, ASCII 9->26 dropped 16 taskkill.exe 1 9->16         started        18 taskkill.exe 1 9->18         started        20 taskkill.exe 1 9->20         started        24 8 other processes 9->24 22 timeout.exe 1 12->22         started        process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eee0f2f6b2524498f8287f95dd184828a044677700d61e2c0a109866f3dd504d/
Threat name:
Win64.Ransomware.ChileLocker
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 21:33:46 UTC
File Type:
PE+ (Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=53qpf5vskjcjr6bip6k52gcifcqeiz3xadlb4lakccmgn465kbgq._file
Verdict:
malicious
Similar samples:
32708c5d376f130b48bf3bd706879c1945a2d701036d94e25aceea41a4042052
36e08c2df39cd84d8969a95de6a6882fbc954e7ca31a5a5d4be8ec33cfa84649
39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
8e8caa79da5237c8973fa2490bfd316a5001e5ed3a5175c9f7d5d2f84cd009f7
9e2374545fd02bff5d25134c71940bf423173a9bb611f54f5db6729c8407da66
a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d
b14cde376a8a7a9d7ad34cdfd07108c132ad8be7f60c5c0a0f17b6b63eb28b49
d2c47b1c94e6beadbc222771e788e9dafe194c462760b0d16cd25cbc0a572a00
de05a1d52264370195aae40fdd5430e1dd33e8536083b832ad7f16b67452b86f
eaf08f6d20670daa716352b18fbc7801d4dbba9e26f986cec4234947e83bba0e
+ 2'764 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221011-n1q8dachd5/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Deletes itself
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bc5704f3-1e5a-4797-a0d1-63973dcf3eda
Unpacked files
SH256 hash:
eee0f2f6b2524498f8287f95dd184828a044677700d61e2c0a109866f3dd504d
MD5 hash:
45299d77edb17dc48eccec70e928d9ea
SHA1 hash:
b8499d3cb5d906b6e3c3e381a348298fc28225c2
Link:
https://www.unpac.me/results/1412fe04-af72-44c8-86a5-057d120d6bf6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eee0f2f6b2524498f8287f95dd184828a044677700d61e2c0a109866f3dd504d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318930/

Comments