MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb6ad7d945d9e0e17e8ac3a5d1bf51fbb3d9afc9bef01b6861ce60053ba3d4b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb6ad7d945d9e0e17e8ac3a5d1bf51fbb3d9afc9bef01b6861ce60053ba3d4b7
SHA3-384 hash: c2c6d0608a14d7a0a61b2e1ab2bbe1ad5a89fb355832f5359a0b67500e49d9869c0713684d86e688ad433172e9e0bef5
SHA1 hash: e35928f100ad30f3ca02f318ed9bd4926e34b0cd
MD5 hash: 5805aec9385d2facbda94ba33ee504d2
humanhash: alanine-green-delaware-delaware
File name:5805aec9385d2facbda94ba33ee504d2
Download: download sample
File size:2'562'900 bytes
First seen:2021-11-05 13:55:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 511cff895609a1cf1f0a80aeee92ffc8 (3 x ZeuS, 2 x CryptBot)
ssdeep 49152:MePSRUVDniMK3NMOPQtGzIy4oiPTkj/j/97qQf8KEITLJbke8cZLXd:DniMK3NMw0tLkj/j/9usTLNkef
TLSH T1DAC533B2BBA007A5D66C473B5AF46219870409DE3BF65E8EDF9FDCE8321821D4367502
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QuilClipper
Create hunting rule
Link:
https://www.capesandbox.com/analysis/202749/
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d96da85e-62d3-4144-88aa-b3dfb6f3e57e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/884084
Signature
Binary is likely a compiled AutoIt script file
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potential time zone aware malware
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses Windows timers to delay execution
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 516527 Sample: 10tELGz4h0 Startdate: 05/11/2021 Architecture: WINDOWS Score: 84 26 Multi AV Scanner detection for submitted file 2->26 28 Binary is likely a compiled AutoIt script file 2->28 30 Machine Learning detection for sample 2->30 32 PE file contains section with special chars 2->32 7 10tELGz4h0.exe 1 2->7         started        10 WMVSDECD.exe 2->10         started        12 WMVSDECD.exe 2->12         started        14 2 other processes 2->14 process3 signatures4 34 Query firmware table information (likely to detect VMs) 7->34 36 Uses Windows timers to delay execution 7->36 38 Hides threads from debuggers 7->38 40 Potential time zone aware malware 7->40 16 cmd.exe 1 7->16         started        42 Tries to detect sandboxes and other dynamic analysis tools (window names) 10->42 44 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->44 process5 process6 18 conhost.exe 16->18         started        20 icacls.exe 1 16->20         started        22 icacls.exe 1 16->22         started        24 icacls.exe 1 16->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb6ad7d945d9e0e17e8ac3a5d1bf51fbb3d9afc9bef01b6861ce60053ba3d4b7/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-11-05 13:56:08 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  1/5
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion themida trojan
Link:
https://tria.ge/reports/211105-q8pevsbhd8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
autoit_exe
Checks whether UAC is enabled
Checks BIOS information in registry
Modifies file permissions
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
42c0d5f6cef0d8dc5b2c210e96822d61cd84378277e51688fa8d3eac7ea5fb14
MD5 hash:
9f91ebe688925042950737cc9b7d1c6f
SHA1 hash:
6434059e2121d9f8b29053d778446baaf228bff1
Link:
https://www.unpac.me/results/925c3988-7722-45b6-adcc-6f0aa5f7a563/
SH256 hash:
fb6ad7d945d9e0e17e8ac3a5d1bf51fbb3d9afc9bef01b6861ce60053ba3d4b7
MD5 hash:
5805aec9385d2facbda94ba33ee504d2
SHA1 hash:
e35928f100ad30f3ca02f318ed9bd4926e34b0cd
Link:
https://www.unpac.me/results/925c3988-7722-45b6-adcc-6f0aa5f7a563/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fb6ad7d945d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fb6ad7d945d9e0e17e8ac3a5d1bf51fbb3d9afc9bef01b6861ce60053ba3d4b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe fb6ad7d945d9e0e17e8ac3a5d1bf51fbb3d9afc9bef01b6861ce60053ba3d4b7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1754425/
Cape
Cape
https://www.capesandbox.com/analysis/202749/

Comments


Avatar
zbet commented on 2021-11-05 13:55:31 UTC

url : hxxp://45.95.235.77/dzbg.exe