MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1
SHA3-384 hash: 5316370146d08adb5c38b40e9ff5d8d554573573493d184f23da70cfd0e1a086804e505f0e52baad43970af849eacb99
SHA1 hash: 22d80be7d7916763648a98a0afdb7c0c7e42b3d9
MD5 hash: 25a14e50486c738bc92da69c02063e23
humanhash: september-pennsylvania-princess-charlie
File name:Situation at the EU borders with Ukraine.exe
Download: download sample
File size:334'336 bytes
First seen:2022-02-28 15:07:24 UTC
Last seen:2022-02-28 17:44:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9ec96deafa2bb17eb11b7dd194d076d6
ssdeep 3072:2qa2hU346MLSIVt/ls3qar1sfgu93M1Z9AN:22U34PmIVt/fusfIZaN
Threatray 5'511 similar samples on MalwareBazaar
TLSH T1AA6409C07B96DC3BF885B574A68481247D8EBFE4F9E21ACE219CF64A453279144F0D2B
File icon (PE):PE icon
dhash icon 74f4e4cceac2c4dc (7 x AgentTesla, 6 x AveMariaRAT, 3 x CobaltStrike)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://www.zyber-i[.]com/europa/2022.zip
Verdict:
Malicious activity
Analysis date:
2022-02-28 14:55:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0528b9c4-9493-415f-bdf7-1691648a68ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/245380/
Detection(s):
SecuriteInfo.com.MachineLearning.Anomalous.97.8279.19330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching a process
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Searching for the window
Creating a window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7634/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/621ce55fb94fb38cb42560ba/reports/73bc28e7-3ac6-4955-8a4b-eb0d20981905/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/100e1dda-f53b-487e-ae8a-7eab80c5214b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/947490
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 579971 Sample: Situation at the EU borders... Startdate: 28/02/2022 Architecture: WINDOWS Score: 60 23 store-images.s-microsoft.com 2->23 27 Multi AV Scanner detection for submitted file 2->27 29 Initial sample is a PE file and has a suspicious name 2->29 8 Situation at the EU borders with Ukraine.exe 4 3 2->8         started        signatures3 process4 dnsIp5 25 103.107.104.19, 49726, 49760, 49774 ADCDATACOM-AS-APADCDATACOMHK Hong Kong 8->25 21 C:\Users\user\AppData\Local\...\FontEDL.exe, PE32 8->21 dropped 12 cmd.exe 1 8->12         started        15 WINWORD.EXE 22 25 8->15         started        file6 process7 signatures8 31 Uses ping.exe to sleep 12->31 33 Uses ping.exe to check the status of other devices and networks 12->33 17 conhost.exe 12->17         started        19 PING.EXE 1 12->19         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-28 15:08:14 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
20 of 28 (71.43%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
0df42ceb0f7e0c630c6fc2daab7ed954c5e8995a4bb9f1ac64211c58f52de060
142dc674a687ade3bc56e2e78f0a6dc0603d81f176f8a9d794d909b6839bcc5b
1db2ec499c11b096c4a468a878a9e6bb791183ca2156eb2e8c233fd7b172b607
283c309822c3c69f102123a2721b61f81e303efdc249aec068b1f32179850935
4f48ef3036b8e2b724cbf9ec618f35baf7cb5e2017dc5fae4825659a28b58e68
67e030c1c7dd08138eb1d6a12a4d652c4a304f22db556afce411c32a23bddf23
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
aed186971032970a807b97d9bb6dcb48787e511ce7a5a0153696aa8fe4b7deca
bd5c9eebb94c8738cb18f714b9b4c870b1536bd5ef3cb6dca6d905a51c553d96
eee3d70ef0eb418264c10075b901845b097297613637892efb77aecb236c5e11
+ 5'501 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220228-shwscsfhbq/
Behaviour
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1
MD5 hash:
25a14e50486c738bc92da69c02063e23
SHA1 hash:
22d80be7d7916763648a98a0afdb7c0c7e42b3d9
Link:
https://www.unpac.me/results/a7ce99a8-f9e9-4487-b672-657914f23bd5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/245380/

Comments