MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f209641462dfac4501ff2b7d79ae2c04cff1041d2ae7a74d3137aaf535ff625b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f209641462dfac4501ff2b7d79ae2c04cff1041d2ae7a74d3137aaf535ff625b
SHA3-384 hash: 14a76ccc400972c1ce54f3cbbdbbf9525187e526f8dfe2d7fc329cc7d0798162b7b3eb6ec5e1843da71555eda62b12cd
SHA1 hash: c7034c63eb4c04265bb9ca104badbbbfd2367db4
MD5 hash: 369807f9c37c4f71af8ec3a9dcc9eb06
humanhash: three-grey-ack-oxygen
File name:369807f9c37c4f71af8ec3a9dcc9eb06.exe
Download: download sample
File size:4'599'777 bytes
First seen:2021-09-19 06:22:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:3ZWQcy9gX4QDmnqFXTA9PeJX9lMg48EVNa5a1oe4ZPrAi5tf7ofoA6g1uPFl:3sA44QD5lTA9PiagVMa5VbrAiHiN60uH
Threatray 489 similar samples on MalwareBazaar
TLSH T1FE2633A7BDA93078E44903310FAD9906EA5ADF5F0C604757FA8431BC7563BD4F8A8B42
File icon (PE):PE icon
dhash icon f2cecc8e86cce892 (6 x DanaBot, 1 x CyberGate, 1 x RemcosRAT)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
614683_HWiNFO-710-Buil.zip
Verdict:
Malicious activity
Analysis date:
2021-09-19 00:32:40 UTC
Tags:
stealer trojan loader evasion opendir
Link:
https://app.any.run/tasks/6329751a-be9f-4dda-bef1-9b1520f90c5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189022/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Searching for the window
Creating a file in the Windows subdirectories
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d8106a0-99f1-4287-b911-51da7360c47c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853427
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 485858 Sample: eRa2mtKSZi.exe Startdate: 19/09/2021 Architecture: WINDOWS Score: 100 80 iplogger.org 2->80 82 clientconfig.passport.net 2->82 104 Antivirus / Scanner detection for submitted sample 2->104 106 Multi AV Scanner detection for dropped file 2->106 108 Multi AV Scanner detection for submitted file 2->108 110 7 other signatures 2->110 13 eRa2mtKSZi.exe 25 2->13         started        16 IntelRapid.exe 2->16         started        19 IntelRapid.exe 2->19         started        signatures3 process4 file5 70 C:\Users\user\AppData\Local\...\vidduivp.exe, PE32 13->70 dropped 72 C:\Users\user\AppData\Local\...\feared.exe, PE32+ 13->72 dropped 74 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 13->74 dropped 76 3 other files (none is malicious) 13->76 dropped 21 vidduivp.exe 19 13->21         started        25 feared.exe 4 13->25         started        90 Query firmware table information (likely to detect VMs) 16->90 92 Hides threads from debuggers 16->92 94 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->94 signatures6 process7 file8 62 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 21->62 dropped 116 Multi AV Scanner detection for dropped file 21->116 118 Machine Learning detection for dropped file 21->118 27 cmd.exe 1 21->27         started        64 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 25->64 dropped 120 Query firmware table information (likely to detect VMs) 25->120 122 Hides threads from debuggers 25->122 124 Tries to detect sandboxes / dynamic malware analysis system (registry check) 25->124 30 IntelRapid.exe 25->30         started        signatures9 process10 signatures11 126 Submitted sample is a known malware sample 27->126 128 Obfuscated command line found 27->128 130 Uses ping.exe to check the status of other devices and networks 27->130 32 cmd.exe 3 27->32         started        35 conhost.exe 27->35         started        132 Query firmware table information (likely to detect VMs) 30->132 134 Hides threads from debuggers 30->134 136 Tries to detect sandboxes / dynamic malware analysis system (registry check) 30->136 process12 signatures13 96 Obfuscated command line found 32->96 37 Hai.exe.com 32->37         started        40 PING.EXE 1 32->40         started        43 findstr.exe 1 32->43         started        process14 dnsIp15 114 Uses nslookup.exe to query domains 37->114 46 Hai.exe.com 1 37->46         started        86 127.0.0.1 unknown unknown 40->86 68 C:\Users\user\AppData\Roaming\Hai.exe.com, Targa 43->68 dropped file16 signatures17 process18 dnsIp19 88 TyNEAAOqElOMWAdYPaps.TyNEAAOqElOMWAdYPaps 46->88 78 C:\Users\user\AppData\Roaming\nslookup.exe, PE32 46->78 dropped 98 Uses nslookup.exe to query domains 46->98 100 Writes to foreign memory regions 46->100 102 Maps a DLL or memory area into another process 46->102 51 nslookup.exe 46->51         started        54 nslookup.exe 3 18 46->54         started        58 nslookup.exe 46->58         started        file20 signatures21 process22 dnsIp23 112 May check the online IP address of the machine 51->112 84 ip-api.com 208.95.112.1, 49754, 80 TUT-ASUS United States 54->84 66 C:\Users\user\AppData\...\tuqwaiexnrgn.vbs, ASCII 54->66 dropped 60 wscript.exe 54->60         started        file24 signatures25 process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f209641462dfac4501ff2b7d79ae2c04cff1041d2ae7a74d3137aaf535ff625b/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-09-18 21:32:28 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
027e8e4c1ceb0fd7444db0509a32cd812caa15e3a0c5625a01dee747ad1e984c
0a3c1d6736893714d0e5552795fb8ba026ba2bd3f5e34afd975b9d463c1e46fe
2afd735ca5d2ad8a8478c4832e4827b150e30d5f0b7c1dc174ce934017ee1d76
c97d5d2645cc3028888156c99ddec9d67c3eb8812295d6f2fdd3f6e1a182f9a3
f4da967e84e593cadb3e0a622f59dc4bbc7393c4aeef1a29df60b37b57548299
fe0921df62f37332cab9e56fbbfe050e204e196e55eb323657c1f0469a6ff27b
+ 479 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/210919-g5gfeabgb5/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1
MD5 hash:
09c2e27c626d6f33018b8a34d3d98cb6
SHA1 hash:
8d6bf50218c8f201f06ecf98ca73b74752a2e453
Link:
https://www.unpac.me/results/2d0ee375-ac4a-4fcd-85f5-6bfebf6da327/
SH256 hash:
751c75db30a81d6ddcf0abf05c6be26fa53625610db7aec11d4dc5ee4030e69c
MD5 hash:
cd51948ae75ce694b6d47141bda6be7a
SHA1 hash:
a0fd1dd1d4bc72fa9a1115ba158a2011498bbc7f
Link:
https://www.unpac.me/results/2d0ee375-ac4a-4fcd-85f5-6bfebf6da327/
SH256 hash:
aed9f33d7f61a3e6e545e0eb031e42725883a06fa7ba9af84244b93291c30b4d
MD5 hash:
de6d05d618e437ccc45d8411c80982c4
SHA1 hash:
aa5927ef890705138e7fe9380cb07eb53577b777
Link:
https://www.unpac.me/results/2d0ee375-ac4a-4fcd-85f5-6bfebf6da327/
SH256 hash:
30adb3204fb771d98c5ff28c84dfe316e77e4bd69dfdb5defae5e99ddc2afa86
MD5 hash:
402993b318305f12e75486bf97e4617c
SHA1 hash:
11365cc50dcc37cdef89d0c59d9385f55e246641
Link:
https://www.unpac.me/results/2d0ee375-ac4a-4fcd-85f5-6bfebf6da327/
SH256 hash:
f209641462dfac4501ff2b7d79ae2c04cff1041d2ae7a74d3137aaf535ff625b
MD5 hash:
369807f9c37c4f71af8ec3a9dcc9eb06
SHA1 hash:
c7034c63eb4c04265bb9ca104badbbbfd2367db4
Link:
https://www.unpac.me/results/2d0ee375-ac4a-4fcd-85f5-6bfebf6da327/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f209641462dfac4501ff2b7d79ae2c04cff1041d2ae7a74d3137aaf535ff625b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f209641462dfac4501ff2b7d79ae2c04cff1041d2ae7a74d3137aaf535ff625b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1630052/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189022/

Comments