MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f28d1d2b068f4f4fb7de609d663c0be15102928624cc7c56ca0e146d9b47e616. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Havoc


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f28d1d2b068f4f4fb7de609d663c0be15102928624cc7c56ca0e146d9b47e616
SHA3-384 hash: ba8c11035ebd27f10e66018df817708aa67fc156a4d2e95d3e70e887e4124b5c23fc6ee09220827de78626c12afe34e2
SHA1 hash: c2858f7fae9b8e42d78220d80f6be7079e5c30db
MD5 hash: 55461180284dcdf6ad0f3edaf8d68307
humanhash: saturn-ceiling-maryland-monkey
File name:55461180284dcdf6ad0f3edaf8d68307
Download: download sample
Signature Havoc
Create hunting rule
File size:346'834 bytes
First seen:2023-12-14 08:14:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep 6144:DE+yclwQKjdn+WPtYVJIoBf/fwWvs5++1Hzs5i:DBdlwHRn+WlYV+ufwW0E+BGi
Threatray 32 similar samples on MalwareBazaar
TLSH T11874D012B6C180B2D5722A325A75D721AABDB8100F75CBDF53D0487DEE352C29B31BA7
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 13331333690d3749 (11 x Formbook, 5 x AgentTesla, 1 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe Havoc

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467428/
Detection(s):
Win.Trojan.Nsisx-9979076-0
Create hunting rule

Win.Packed.Babar-10012967-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm havoc installer lolbin overlay packed packed replace setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/657ab98d3f60a810349130a0/reports/9d4a90a7-c4bc-4891-a08f-af94500df698/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f28d1d2b068f4f4fb7de609d663c0be15102928624cc7c56ca0e146d9b47e616
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c3af74d8-7261-487e-85ab-9fc46f7a62e1
Result
Threat name:
Havoc
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1362016
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Havoc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1362016 Sample: ge3W2hLPfF.exe Startdate: 14/12/2023 Architecture: WINDOWS Score: 88 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected Havoc 2->30 32 Machine Learning detection for sample 2->32 8 ge3W2hLPfF.exe 3 7 2->8         started        process3 file4 22 C:\Users\user\Desktop\upsync.exe, PE32+ 8->22 dropped 11 upsync.exe 8->11         started        15 Acrobat.exe 20 74 8->15         started        process5 dnsIp6 26 66.228.60.47, 443, 49701, 49720 LINODE-APLinodeLLCUS United States 11->26 34 Antivirus detection for dropped file 11->34 36 Multi AV Scanner detection for dropped file 11->36 38 Machine Learning detection for dropped file 11->38 17 AcroCEF.exe 70 15->17         started        signatures7 process8 process9 19 AcroCEF.exe 4 17->19         started        dnsIp10 24 23.196.176.131, 443, 49713 AKAMAI-ASUS United States 19->24
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f28d1d2b068f4f4fb7de609d663c0be15102928624cc7c56ca0e146d9b47e616
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f28d1d2b068f4f4fb7de609d663c0be15102928624cc7c56ca0e146d9b47e616/
Threat name:
Win32.Trojan.HavokizMarte
Create hunting rule
Status:
Malicious
First seen:
2023-12-14 08:15:06 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kgr2kygr5hu7n66mcowmpal4fiqfeugetghyvwkbykg3g2h4yla._file
Verdict:
malicious
Similar samples:
206636cc3e595d020c3fb557356566da123ee9a9f59e02c7fbf5ac32acfb80bb
Havoc
3aad93d064d729509e499014d59f0c5b3d290f5d130bcba94e2d8f069d8881dd
Havoc
7355962a0b9eb57bbedbec7dd55c7a668a9229f5b9b1a9cdb747f2b5c5f8b974
Havoc
7c6bd535738cf0b1a2e8c259e52e271ee2199e22ae50ce311ff0809e237548d1
Havoc
8c0be5f83ceabd02114ffe1eacfe59ef011bc09fe08a4eb22c6cc14fbd80bce7
Havoc
e2762ea7c59520a1a989cb3d6798b00ffba323e82a5db2cd0f778573feddfa60
Havoc
f28d1d2b068f4f4fb7de609d663c0be15102928624cc7c56ca0e146d9b47e616
Havoc
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231214-j5j8eadgd7/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
f28d1d2b068f4f4fb7de609d663c0be15102928624cc7c56ca0e146d9b47e616
MD5 hash:
55461180284dcdf6ad0f3edaf8d68307
SHA1 hash:
c2858f7fae9b8e42d78220d80f6be7079e5c30db
Link:
https://www.unpac.me/results/2d9dbb03-cc84-4840-8183-f03b52fc2fde/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f28d1d2b068f4f4fb7de609d663c0be15102928624cc7c56ca0e146d9b47e616

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Havoc

Executable exe f28d1d2b068f4f4fb7de609d663c0be15102928624cc7c56ca0e146d9b47e616

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/467428/
  
URLhaus
https://urlhaus.abuse.ch/url/2740464/

Comments


Avatar
zbet commented on 2023-12-14 08:14:06 UTC

url : hxxp://66.228.60.47:8000/statem_pdf.exe