MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb6bf8580ff8831da630b82fab6bcdd0de64f28368e522a83366a2c078bd232e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb6bf8580ff8831da630b82fab6bcdd0de64f28368e522a83366a2c078bd232e
SHA3-384 hash: 1c8531162e3c82b8c5de6e10a1e6d9ee222582ee9e26e59007f5ecebf46b1d8753411203d81277ec2620c4548735ad85
SHA1 hash: d9c1a97c07e4150edd379b275d42f6e02ccab028
MD5 hash: 97f9f40399a65bb1b059f9f0a8546b08
humanhash: happy-tennis-social-zulu
File name:joker.exe
Download: download sample
File size:7'340'032 bytes
First seen:2022-03-11 02:54:08 UTC
Last seen:2022-03-11 04:37:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash db509f0d296d268770c3b20bf5581bd7 (1 x DiskWriter)
ssdeep 24576:7UPeUPeUPelUPeUPeUPeUPeUPeUPeUPeUPeUPeUPeUPeUPeUPeUPeUPlUPeUPeUZ:
Threatray 1'362 similar samples on MalwareBazaar
TLSH T14F764B83B6C147B2C68146B145A13AB7D7359B3E87159FD3D30CAA06AFA44F1CCB12DA
File icon (PE):PE icon
dhash icon 7e707674f6d6d474
Reporter adm1n_usa32
Tags:exe forkbomb

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
joker.exe
Verdict:
No threats detected
Analysis date:
2022-03-11 02:52:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d7d483d0-c400-4686-b9d4-41e94d574c41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249267/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop6.61460.16212.17909.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Modifying an executable file
Creating a file
Launching a process
Creating a file in the Windows directory
Creating a file in the system32 directory
Launching cmd.exe command interpreter
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun overlay packed packed shell32.dll virus
Link:
https://www.filescan.io/uploads/622aba0db94fb38cb4582e85/reports/fdb6237a-96b1-4fa0-9182-d82d8ef3b160/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7010b7ff-8712-42b7-bc4b-528fd77fe6da
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/954632
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 587110 Sample: joker.exe Startdate: 11/03/2022 Architecture: WINDOWS Score: 100 84 time.windows.com 2->84 92 Antivirus detection for dropped file 2->92 94 Antivirus / Scanner detection for submitted sample 2->94 96 Multi AV Scanner detection for dropped file 2->96 98 5 other signatures 2->98 9 joker.exe 6 2->9         started        11 30047.exe 6 2->11         started        13 37609.exe 6 2->13         started        15 3 other processes 2->15 signatures3 process4 process5 17 cmd.exe 51 9->17         started        21 cmd.exe 26 11->21         started        23 cmd.exe 22 13->23         started        25 cmd.exe 15->25         started        27 cmd.exe 15->27         started        file6 66 C:\Windows\37609.exe, PE32 17->66 dropped 68 C:\Users\user\Desktop\18927.exe, PE32 17->68 dropped 70 C:\Users\user\AppData\Roaming\...\9046.exe, PE32 17->70 dropped 74 33 other files (10 malicious) 17->74 dropped 86 Uses cmd line tools excessively to alter registry or file data 17->86 88 Drops PE files to the startup folder 17->88 90 Modifies existing user documents (likely ransomware behavior) 17->90 29 reg.exe 1 1 17->29         started        32 cmd.exe 1 17->32         started        34 cmd.exe 1 17->34         started        42 16 other processes 17->42 72 C:\Users\user\Desktop\13790.exe, PE32 21->72 dropped 76 13 other files (7 malicious) 21->76 dropped 36 reg.exe 1 21->36         started        38 cmd.exe 21->38         started        44 9 other processes 21->44 78 10 other files (4 malicious) 23->78 dropped 46 9 other processes 23->46 80 5 other files (2 malicious) 25->80 dropped 82 8 other files (none is malicious) 27->82 dropped 40 conhost.exe 27->40         started        signatures7 process8 signatures9 100 Creates an autostart registry key pointing to binary in C:\Windows 29->100 48 conhost.exe 32->48         started        50 conhost.exe 34->50         started        52 conhost.exe 36->52         started        54 conhost.exe 38->54         started        56 conhost.exe 42->56         started        58 conhost.exe 42->58         started        60 4 other processes 42->60 62 3 other processes 44->62 64 4 other processes 46->64 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb6bf8580ff8831da630b82fab6bcdd0de64f28368e522a83366a2c078bd232e/
Threat name:
Win32.Trojan.Witch
Create hunting rule
Status:
Malicious
First seen:
2022-03-06 13:34:00 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
00a6aee5810a2f37be3722b8c05c363e9954e782f49e558f451c4097bbd6f217
2534eecca5ed157444298473d7c9c82d9def5b0a93ac581b75dede2f1a0c0a56
2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279
371aab310f82dd4f64f09981c1d3d8974f18227c98679af43bd0559ec6752dde
37c3db846b611722768b95c17585624f476def65d0332b3cfb93709c1273a685
5ef0b6ab46bb6853ddf281a6b12ca1b6c9d77a6b25a8db00e5f0771e793357a5
730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
e04732a7a7207be7219222c607009220d68c047fc3eeed1d5925f790b1c7cd63
ecdb551acbb05c3be0675aba91a1c7ec767681ca52e0088f0995953044e0e44d
+ 1'352 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/220311-degrpsacfl/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Drops startup file
Unpacked files
SH256 hash:
fb6bf8580ff8831da630b82fab6bcdd0de64f28368e522a83366a2c078bd232e
MD5 hash:
97f9f40399a65bb1b059f9f0a8546b08
SHA1 hash:
d9c1a97c07e4150edd379b275d42f6e02ccab028
Link:
https://www.unpac.me/results/e2aa6626-c653-4d8d-8c84-a3d73130d6e7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fb6bf8580ff8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb6bf8580ff8831da630b82fab6bcdd0de64f28368e522a83366a2c078bd232e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249267/

Comments