MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fad1b92b67d6509a5d114b43395bd428b8fff6b827198083f1abc801a9c78525. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fad1b92b67d6509a5d114b43395bd428b8fff6b827198083f1abc801a9c78525
SHA3-384 hash: 98d9b0330becd41c2c731b3c4d660fdf3c8c465a3a34550477f50d7d305d88a72a082c63dcc490f8c4824dd1f7398293
SHA1 hash: e401952414c89de08a5e843be9ed50657ea85cc8
MD5 hash: 74af37ad3a58d6451ba2643bf2af3838
humanhash: seven-ten-don-high
File name:file
Download: download sample
File size:5'230'533 bytes
First seen:2022-12-07 02:23:13 UTC
Last seen:2022-12-07 16:59:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 98304:2DBxzruER6dA5/lZ8ExRs3P/J4J27KNJ6tKXv5UdK:QXrLk67dxRQnJ4E7KNJ6uj
Threatray 16'738 similar samples on MalwareBazaar
TLSH T1F8363321BFC9A254C8A176B7E397F1272578BFE5821E93ED055FBA2D0182F1D3A44321
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from http://91.213.50.36/files/hamburger.exe

Intelligence

File Origin
# of uploads :
36
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-07 02:26:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/839f4a8b-de99-4173-8ee1-bf36df1beaf5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343678/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.22600.4850.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Launching a process
Сreating synchronization primitives
Creating a file
Creating a window
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638ff946485d8463dc40ccf7/reports/81088864-5b79-4434-b041-2d9ca6a6874c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d9ff90f-352f-4c0b-902c-806d6b016939
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1129546
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fad1b92b67d6509a5d114b43395bd428b8fff6b827198083f1abc801a9c78525/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-07 02:24:18 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7li3sk3h2zijuxirjnbtsw6ufc4p75vye4myba7rvpeadkohqusq._file
Verdict:
unknown
Similar samples:
739a3e0733b75f4d7fcd2bc746422ea269ee8cb04e30fcad6d3b1e1163ececf1
792d8bfb5e0660c8967fa84902963bbd3ccc345f9e17f777c6d016343655afdf
841572da329176a7f23da214406a8c5d19c4107206df3d83bfcd8dd6dc906ecf
9a9b6177e715c7461d686b2773507d48c7ee7ce96e26aef62b25e0249e392fef
a484a486e4ccce5d89bed7fd21d3aef4802a85b3147a0445ccca16b3df95267a
a7b9f85870179430e1d8776a0fe5b2bfde0dfee26a168c5ace0287a7a461835c
c53f7ebd83475a296ad52cd4e9c44c7eb93f0db72182e66c2816a81571400112
e21d4e0b2f711e72b6251d1a0a5f1a703baffb7c7ddd1d1b087bc9068f17aaa8
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
+ 16'728 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/221207-cvqh4sfg79/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Enumerates connected drives
Checks BIOS information in registry
Themida packer
Modifies Installed Components in the registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e59cb5c6-63bd-413d-9008-c883e4e3dd22
Unpacked files
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/a9f1ca47-884c-434a-b42f-fc99c3ffdee0/
SH256 hash:
fbd03ca05dae845e8adee5715698c513c1f46eb3db71e7495bddc35ac744fdc6
MD5 hash:
dc4bbcd210d034747248add96bc35b63
SHA1 hash:
554ccf5141bd8d582c24ce4bd6c895858723a353
Link:
https://www.unpac.me/results/a9f1ca47-884c-434a-b42f-fc99c3ffdee0/
SH256 hash:
fad1b92b67d6509a5d114b43395bd428b8fff6b827198083f1abc801a9c78525
MD5 hash:
74af37ad3a58d6451ba2643bf2af3838
SHA1 hash:
e401952414c89de08a5e843be9ed50657ea85cc8
Link:
https://www.unpac.me/results/a9f1ca47-884c-434a-b42f-fc99c3ffdee0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/fad1b92b67d6509a5d114b43395bd428b8fff6b827198083f1abc801a9c78525

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2446783/
Cape
Cape
https://www.capesandbox.com/analysis/343678/

Comments