MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6e01e745aac03b46befca8daff61626ab55cbabbef93e31c2c3b01928f9c756. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6e01e745aac03b46befca8daff61626ab55cbabbef93e31c2c3b01928f9c756
SHA3-384 hash: 9695153594d2614bb65a30013270807437b91104e3934c9e5895446f10d346946a237ace4fe26c3dc0ac430fa4d32e71
SHA1 hash: 4fc7e4a076fc06c1b2118c9960c5611aeea3f94d
MD5 hash: f7b84bc8e435cc4dd024f66cd53b3609
humanhash: eleven-oxygen-summer-uranus
File name:SecuriteInfo.com.W32.AIDetect.malware1.1878.8214
Download: download sample
File size:1'725'112 bytes
First seen:2021-05-22 01:02:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 49152:q5+hFK2dd+z9n7kUsRvkK1gvfCOtXjKg6h0N9+IoElv:q5aFNdSCb1gS0Kh0N97v
Threatray 143 similar samples on MalwareBazaar
TLSH D68523317BDA80B7C59322706F05A37196BDEE294B02AAC793C43D5B7C712D18B392D5
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://185.215.113.57/setup2.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-22 00:30:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ab679591-b908-4e3a-9959-167d0a15fa49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/160623/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.1878.8214.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/787950
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 420346 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 22/05/2021 Architecture: WINDOWS Score: 84 39 Potential malicious icon found 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 .NET source code contains potential unpacker 2->43 8 SecuriteInfo.com.W32.AIDetect.malware1.1878.exe 7 2->8         started        12 WUFServices.exe 3 2->12         started        process3 file4 33 C:\Users\user\AppData\Local\...\WUDFHost.exe, PE32+ 8->33 dropped 51 Contains functionality to register a low level keyboard hook 8->51 14 WUDFHost.exe 1 7 8->14         started        18 cmd.exe 1 8->18         started        35 C:\Users\user\AppData\...\sihost32.exe, PE32+ 12->35 dropped 20 sihost32.exe 3 12->20         started        signatures5 process6 file7 37 C:\Users\user\AppData\...\WUFServices.exe, PE32+ 14->37 dropped 53 Antivirus detection for dropped file 14->53 55 Machine Learning detection for dropped file 14->55 22 WUFServices.exe 4 14->22         started        25 sihost32.exe 2 14->25         started        27 conhost.exe 18->27         started        29 WUFServices.exe 20->29         started        signatures8 process9 signatures10 45 Antivirus detection for dropped file 22->45 47 Machine Learning detection for dropped file 22->47 31 sihost32.exe 2 22->31         started        49 Multi AV Scanner detection for dropped file 25->49 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6e01e745aac03b46befca8daff61626ab55cbabbef93e31c2c3b01928f9c756/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-21 22:07:50 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
12 of 47 (25.53%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
06607b04da0cd27e4a7abff3df7ee0be86df8226e81a5706351526a3101d2aa2
3688975dcd3f7829cfe55f7dd46166e0d6bd46c842c169c9fb4adb317f1d571f
73188b6122dcf35a0d26fedf3679c9713e6f21ccf78499d8788ed39feb7fdb4a
79638b28279f6fc16f4d3a24a73ac67a405aa548aa09d6ca09f485b8e7e13901
7af76f869eab565b2b7d3ec5f141e5d8cd94551a6b1b31e0d8af7c3ea2b5a7db
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
df116f3585f1fe4b00c351a2941f6b85565e1fcc6da5569c6f7c80ddd1b4e2a8
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
+ 133 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210522-74ydhmx456/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6e01e745aac03b46befca8daff61626ab55cbabbef93e31c2c3b01928f9c756

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f6e01e745aac03b46befca8daff61626ab55cbabbef93e31c2c3b01928f9c756

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1267514/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/160623/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-22 02:05:13 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [F0002.001] Collection::Application Hook
1) [F0002.002] Collection::Polling
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
14) [C0017] Process Micro-objective::Create Process
15) [C0038] Process Micro-objective::Create Thread
16) [C0054] Process Micro-objective::Resume Thread
17) [C0018] Process Micro-objective::Terminate Process