MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f57a62e80191b398066c5d3f39bb2a8f7a4badc614bff7591b6f1a19977ce38a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiskWriter


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f57a62e80191b398066c5d3f39bb2a8f7a4badc614bff7591b6f1a19977ce38a
SHA3-384 hash: 3fbab282836be4d82bf73eef39d66e2ed39b2f427ed1d40d2c9dfd5536158d049cb7a645d76e5a0a710494bdf1aeb7e4
SHA1 hash: e739ae999746b89ec0b7ea14852a522153b25eb2
MD5 hash: f7406692d0a70430455e280cf2bd3f8b
humanhash: sad-dakota-hotel-william
File name:f57a62e80191b398066c5d3f39bb2a8f7a4badc614bff7591b6f1a19977ce38a
Download: download sample
Signature DiskWriter
Create hunting rule
File size:3'711'928 bytes
First seen:2022-05-20 11:23:19 UTC
Last seen:2022-05-20 11:57:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 49152:IBJR7ClRCCJeTc8QtAXIA1FYVLunEGJ4sqjgNDKPiJquSiR4SsqySUHyzR3qmP6+:yDevJt3gFY2EK50KJRSiWqHtnP6QZhF
Threatray 170 similar samples on MalwareBazaar
TLSH T1A8063351BAC194F1D4B328370A26AB31B63D7D101B768ADB23E0295FEA211E1DF35736
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter JAMESWT_WT
Tags:DiskWriter EFIlock exe Killmbr

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f57a62e80191b398066c5d3f39bb2a8f7a4badc614bff7591b6f1a19977ce38a
Verdict:
Suspicious activity
Analysis date:
2022-05-20 11:35:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c0df28f3-bddb-40b1-bd11-4a2d9874dc20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WobbyChipMBR
Create hunting rule
Link:
https://www.capesandbox.com/analysis/272977/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader22.9658.20612.2653.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19216/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/62877a37eba388bb867d587f/reports/3f0aebb6-c353-4256-9e88-df8a84c3ff8e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f8ed19a-3d31-4bd7-a264-436efe2d3e5b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/998500
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes the wallpaper picture
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 631001 Sample: 5dsSG5M8qx Startdate: 20/05/2022 Architecture: WINDOWS Score: 76 75 Snort IDS alert for network traffic 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 81 15 other signatures 2->81 9 5dsSG5M8qx.exe 3 36 2->9         started        13 Music.UI.exe 81 36 2->13         started        16 ._cache_DRAFT.exe 2->16         started        18 Synaptics.exe 2->18         started        process3 dnsIp4 55 C:\Program Files\DRAFT.exe, PE32 9->55 dropped 85 Antivirus detection for dropped file 9->85 87 Machine Learning detection for dropped file 9->87 20 DRAFT.exe 1 5 9->20         started        23 cmd.exe 1 9->23         started        73 settings-ssl.xboxlive.com 13->73 26 schtasks.exe 16->26         started        file5 signatures6 process7 file8 49 C:\ProgramData\Synaptics\Synaptics.exe, PE32 20->49 dropped 51 C:\ProgramData\Synaptics\RCX789A.tmp, PE32 20->51 dropped 53 C:\Program Files\._cache_DRAFT.exe, PE32 20->53 dropped 28 Synaptics.exe 20->28         started        33 ._cache_DRAFT.exe 20->33         started        83 Uses cmd line tools excessively to alter registry or file data 23->83 35 reg.exe 1 23->35         started        37 reg.exe 1 23->37         started        39 conhost.exe 23->39         started        43 2 other processes 23->43 41 conhost.exe 26->41         started        signatures9 process10 dnsIp11 67 docs.google.com 142.250.186.46, 443, 49793, 49794 GOOGLEUS United States 28->67 69 freedns.afraid.org 69.42.215.252, 49795, 80 AWKNET-LLCUS United States 28->69 71 xred.mooo.com 28->71 57 C:\Users\user~1\...\U9j3t2lr.exe (copy), PE32 28->57 dropped 59 C:\Users\user\Documents\JSDNGYCOWY\~$cache1, PE32 28->59 dropped 61 C:\Users\user\Desktop\5dsSG5M8qx.exe, PE32 28->61 dropped 65 3 other malicious files 28->65 dropped 89 Antivirus detection for dropped file 28->89 91 Multi AV Scanner detection for dropped file 28->91 93 Drops PE files to the document folder of the user 28->93 97 2 other signatures 28->97 63 C:FI\Boot\bootx64.efi, PE32+ 33->63 dropped 45 schtasks.exe 33->45         started        95 Changes the wallpaper picture 35->95 file12 signatures13 process14 process15 47 conhost.exe 45->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f57a62e80191b398066c5d3f39bb2a8f7a4badc614bff7591b6f1a19977ce38a/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 03:15:34 UTC
File Type:
PE (Exe)
Extracted files:
88
AV detection:
29 of 41 (70.73%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2ca6095540ff0d50021a7191653b2d002cf1a4122330ecbd4e1891c67849e1b0
DiskWriter
5ff2763a7af9c5e8d274be89a3df9e75d9a0b281878def38c44085395178f01e
DiskWriter
7110059a2bb0e2b4e6ee39ff235c283864152200d0daca4fb123f3b7c7315095
DiskWriter
a4b821d0cadc92c344c8b60f5290a5e5520fd1fb3813b88c529c48d285b72c63
DiskWriter
addaf10bbef45a2bb941b2b984ecb26656e4554bbd7adc2baf6e14451b296918
DiskWriter
b2fb5fa4aab3329297f4f06a3596a9f640826252f473cc0f62b21c8f1a8b0cfa
DiskWriter
b634a8041412c63c42bbc10264b4c70b6a84d8aeb01a7d75d89731bb551835ac
DiskWriter
ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4
DiskWriter
dd23a9dd9ad1c9be3580c478179915bfcc79a23bc49161f49ee08111ceab57eb
DiskWriter
+ 160 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220520-nhpxlaahc7/
Behaviour
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
9e7185ff78c677ab1082f45cb23584324fedcf94b8b85fdb6b15c40140e4b5d6
MD5 hash:
c73c275aa22682f49812ee9b88374bc9
SHA1 hash:
924e9cadce52a6cc29456e7cb08732af1bde82ac
Link:
https://www.unpac.me/results/c117dbd3-990c-4ea1-becf-238e07155a82/
SH256 hash:
f57a62e80191b398066c5d3f39bb2a8f7a4badc614bff7591b6f1a19977ce38a
MD5 hash:
f7406692d0a70430455e280cf2bd3f8b
SHA1 hash:
e739ae999746b89ec0b7ea14852a522153b25eb2
Link:
https://www.unpac.me/results/c117dbd3-990c-4ea1-becf-238e07155a82/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f57a62e80191/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f57a62e80191b398066c5d3f39bb2a8f7a4badc614bff7591b6f1a19977ce38a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/272977/

Comments