MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f805289346faa5efd7236e0d70094df7983b2bde22ff24a4955fd7a8cb7983a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f805289346faa5efd7236e0d70094df7983b2bde22ff24a4955fd7a8cb7983a4
SHA3-384 hash: 3ca7d4a064c2a8894fae55fb50fed734aae6a445b7f3ee0a8087794545866f2febafdf45a8fb6e1db634977300bac7ff
SHA1 hash: 232dfb33ccf2b14d61f30cb850f03e34831d19a5
MD5 hash: 5c250d44aa3f00746bcb4849b36e081e
humanhash: pizza-glucose-asparagus-cardinal
File name:IHATEYOU.EXE
Download: download sample
File size:79'827 bytes
First seen:2022-12-01 05:25:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ddc61c29b89667e8bc4915ad05daedc
ssdeep 768:3OdqXJ2CESr31i0c8VtwHswuwPzYTbr0GqFK/jo0GvalO65TecekUteEkjW04R:oKJ2CESz1heIbrsfXuO65TecekULpv
Threatray 3'422 similar samples on MalwareBazaar
TLSH T1D47318D47E899DD7EA05233C60EA82317238F6E08A534717793C76311F13BD06EDAA5A
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
VN VN
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IHATEYOU.EXE
Verdict:
No threats detected
Analysis date:
2022-11-30 04:11:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/faca6900-e421-4415-9db5-c554788248c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/340974/
Detection(s):
Win.Worm.Heath-1
Create hunting rule

Win.Worm.Mantan-1
Create hunting rule

Win.Worm.LoveLetter-20
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file
Running batch commands
Launching a process
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay spyeye
Link:
https://www.filescan.io/uploads/6388451d3403eaeb7279503c/reports/1bad72fb-cef2-4a61-90a4-cdd963fcb8d2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/835d9bf6-f839-4a7b-9c95-9dc0fe1ab326
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1124922
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
VBScript found in memory of PE file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 757645 Sample: IHATEYOU.EXE.exe Startdate: 01/12/2022 Architecture: WINDOWS Score: 72 20 Antivirus detection for dropped file 2->20 22 Antivirus / Scanner detection for submitted sample 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 2 other signatures 2->26 7 IHATEYOU.EXE.exe 2 2->7         started        process3 file4 18 C:\Users\user\Desktop\ctmp.tmp, C 7->18 dropped 10 cmd.exe 1 7->10         started        12 conhost.exe 7->12         started        14 cmd.exe 1 7->14         started        process5 process6 16 wscript.exe 10->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f805289346faa5efd7236e0d70094df7983b2bde22ff24a4955fd7a8cb7983a4/
Threat name:
Win64.Worm.LoveLetter
Create hunting rule
Status:
Malicious
First seen:
2022-11-30 03:13:23 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 40 (47.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7acsre2g7ks67vzdnygxackn66mdwk66el7sjjevl7l2rs3zqosa._file
Verdict:
unknown
Similar samples:
13d8b891a0f9c00af8c624a5bfd24f42d15fba3e19225d29b9af39cd9f8cea03
293e46a6a6b995b7a2528d658b56cb957a4a77e011909261bfa6cc5838723b71
2954a47a08fc2a79ab0644550c68c380b67ace8d62c0c58933b756e4a541d91d
3d7d08118935757fe3f528538abde2e16f054264127b6f420c2ee44e6fcff568
7b2bcaa3723a8198c9a6f0878b77c7887554079e77e5c9b8f444570be1d744f6
e5120ba9e08623e6f047e1c50aacc2787631e53d8fd547f5d45cd7af81fd7494
+ 3'412 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221201-f4wm9sgh77/
Behaviour
Suspicious use of WriteProcessMemory
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f8255668-1e89-4195-ba50-01f84c084eae
Unpacked files
SH256 hash:
f805289346faa5efd7236e0d70094df7983b2bde22ff24a4955fd7a8cb7983a4
MD5 hash:
5c250d44aa3f00746bcb4849b36e081e
SHA1 hash:
232dfb33ccf2b14d61f30cb850f03e34831d19a5
Link:
https://www.unpac.me/results/00df802c-7554-4b61-8dbf-03a463771f38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/f805289346faa5efd7236e0d70094df7983b2bde22ff24a4955fd7a8cb7983a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:OBFUS_PowerShell_Common_Replace
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the common usage of replace for obfuscation

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/340974/

Comments