MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5faf1f6336d82c464b59af3e68141fa2fcdb43804f30ec258c09b11c486d58b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5faf1f6336d82c464b59af3e68141fa2fcdb43804f30ec258c09b11c486d58b
SHA3-384 hash: d17aacce437c332b3479eb99b9a2f40f8c31b4777cf048583bbb7f0740f7403876840a91ca47e519db4f9c1b563c9669
SHA1 hash: 54baeefa69f320204bb6ca113da920d2ec90396d
MD5 hash: 101751c5caf15d750da338680c522213
humanhash: bacon-indigo-golf-autumn
File name:101751c5caf15d750da338680c522213.exe
Download: download sample
File size:500'224 bytes
First seen:2022-11-03 20:15:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0a735299a225b68515bf0965ccc42aca
ssdeep 12288:xZYp1Scdg1IVZQLvqK/lGRgOUqmq9kR6lhKXE4bpZhrsRbl:46c21IVZQLvqK/cRgOnmq9g6HkjBsRh
Threatray 2'170 similar samples on MalwareBazaar
TLSH T122B4E0422445C36CDCAA2DB6E50EFDF315703DA9C046644FA0FA7E55B2F8F42A412EA6
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 1865676565a52158 (3 x RedLineStealer, 1 x Neurevt, 1 x ArkeiStealer)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ficker
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-03 19:02:36 UTC
Tags:
installer evasion loader trojan ficker stealer vidar
Link:
https://app.any.run/tasks/8abc42bc-97c9-4b60-ab98-77dbb1b192f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/328139/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Launching a process
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Creating a window
DNS request
Adding an access-denied ACE
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll xtreme
Link:
https://www.filescan.io/uploads/636421847c05b82f9fccbed3/reports/15dfd836-bd88-4984-9ce0-7c1227286199/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/936306b9-d8ec-4909-8b89-000a66e01429
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1104797
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 737457 Sample: TMr1WQZ4HZ.exe Startdate: 03/11/2022 Architecture: WINDOWS Score: 88 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Machine Learning detection for sample 2->42 44 2 other signatures 2->44 7 TMr1WQZ4HZ.exe 18 2->7         started        12 IntelGAS-Ver8.3.4.3.exe 2->12         started        process3 dnsIp4 34 82.115.223.9, 45219, 49685 MIDNET-ASTK-TelecomRU Russian Federation 7->34 36 icanhazip.com 104.18.115.97, 49684, 80 CLOUDFLARENETUS United States 7->36 30 C:\ProgramData\...\IntelGAS-Ver8.3.4.3.exe, PE32 7->30 dropped 32 IntelGAS-Ver8.3.4.3.exe:Zone.Identifier, ASCII 7->32 dropped 46 May check the online IP address of the machine 7->46 48 Uses schtasks.exe or at.exe to add and modify task schedules 7->48 14 icacls.exe 1 7->14         started        16 icacls.exe 1 7->16         started        18 schtasks.exe 1 7->18         started        20 icacls.exe 1 7->20         started        50 Antivirus detection for dropped file 12->50 52 Machine Learning detection for dropped file 12->52 file5 signatures6 process7 process8 22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5faf1f6336d82c464b59af3e68141fa2fcdb43804f30ec258c09b11c486d58b/
Threat name:
Win32.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2022-11-03 20:12:38 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6x5pd5rtnwbmizfvtlz6nakb7ix43nbyatzq5qsyycnrdreg2wfq._file
Verdict:
unknown
Similar samples:
0dea9964c6e2ad110ad9a26a2e25417afa7b2ed990362faa746fa81cb8a303cd
10c8242c6a5d98f805dbafc6f19e4673067010f967cc5bb47203f8680e6eb6cd
1d1bce6c4a6cdb2b2db0aa80629110db005a108d02127bcc3876f28c93ef7e4d
21659f7b55d30fd92b976f7eff8fc635d3e536926536ffeee79364afa68b77e9
30a261fb001f66df09d1eb84f378b8d43e61a13770de476601ea9d4457b7a8cb
a334fa92fab1199f16a272b0f2f63465750f98bed946d23f8f7ae498206ca553
f5c4bb6ee5864d97c03c3826c4083b3c346d6d1099bef9bdc1bb1acdd9598823
fe6ac02e4c9283f8e678e7f0409f49c03234e9a4d72c529ce2b736b742702526
+ 2'160 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/221103-y15qwagggq/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Modifies file permissions
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5cb3ba73-9381-4470-aaf9-e7e341e06e16
Unpacked files
SH256 hash:
1c0ecfec619aee78b4e2a4c44b7c13aa8c316ad76ac1db9f6a931b3fe620258b
MD5 hash:
4457f02a7871a8a0a7d527601a96f80c
SHA1 hash:
4fc5d46349f8bc9a73bf53587fd7a351e9d04023
Link:
https://www.unpac.me/results/23201d59-fbb6-4853-a354-cd5958953121/
SH256 hash:
f5faf1f6336d82c464b59af3e68141fa2fcdb43804f30ec258c09b11c486d58b
MD5 hash:
101751c5caf15d750da338680c522213
SHA1 hash:
54baeefa69f320204bb6ca113da920d2ec90396d
Link:
https://www.unpac.me/results/23201d59-fbb6-4853-a354-cd5958953121/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5faf1f6336d82c464b59af3e68141fa2fcdb43804f30ec258c09b11c486d58b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f5faf1f6336d82c464b59af3e68141fa2fcdb43804f30ec258c09b11c486d58b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2381532/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/328139/

Comments