MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbdc74e4a2733561fa077873a008e9aba4cf1415af1c6aaea2d8cb3ab435ddad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbdc74e4a2733561fa077873a008e9aba4cf1415af1c6aaea2d8cb3ab435ddad
SHA3-384 hash: a60e0c74d98c96272c2c239ed5788ea782da2facb457a3432c8f2f117ccd71c0d6a569ff1816da2ca0f80e8c7ba03a13
SHA1 hash: c459315c5a7c4e014867d8e27b1209c6de7f2fa2
MD5 hash: ceb4847592b0b9ddc2b9c239fa48c471
humanhash: delta-burger-butter-lion
File name:Statement of undeclared funds (Enforcement Rules of the Value Added Tax Act).hwp.lnk
Download: download sample
File size:70'097'157 bytes
First seen:2023-12-14 00:54:48 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 3072:6I0dUkYRw0Oz+EQpmj3GGuP6MMbYEXLL3Tg80csCWv:dHRdOz+EQpG3GNP6ZLLjYj
TLSH T181E7CE54B3E82504F5B21B340BFC25350B6B781A2831EDBF142C41E98BEBD86B964B76
Reporter smica83
Tags:apt APT37 lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade powershell
Link:
https://www.filescan.io/uploads/657a5269da3178d99ce42d43/reports/3c94e9d1-2187-466c-b886-4d25de621977/overview
Verdict:
Malicious
Labled as:
Trojan.Multi.Powenot
Link:
https://www.hybrid-analysis.com/sample/fbdc74e4a2733561fa077873a008e9aba4cf1415af1c6aaea2d8cb3ab435ddad
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1361831
Signature
Antivirus detection for URL or domain
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates processes via WMI
Deletes itself after installation
Encrypted powershell cmdline option found
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell creates an autostart link
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Obfuscated Powershell
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1361831 Sample: Statement_of_undeclared_fun... Startdate: 14/12/2023 Architecture: WINDOWS Score: 100 53 ddsdata.net 2->53 55 aufildeseaux.com 2->55 61 Snort IDS alert for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 6 other signatures 2->67 8 cmd.exe 1 2->8         started        11 cmd.exe 5 2->11         started        14 cmd.exe 2->14         started        16 6 other processes 2->16 signatures3 process4 dnsIp5 81 Windows shortcut file (LNK) starts blacklisted processes 8->81 83 Suspicious powershell command line found 8->83 85 Obfuscated command line found 8->85 89 2 other signatures 8->89 19 powershell.exe 3 16 8->19         started        22 conhost.exe 1 8->22         started        47 C:\Users\Public\Documents\down.txt, ASCII 11->47 dropped 49 C:\Users\Public\Documents\docu.txt, ASCII 11->49 dropped 87 Uses cmd line tools excessively to alter registry or file data 11->87 24 systeminfo.exe 2 1 11->24         started        26 reg.exe 1 1 11->26         started        28 powershell.exe 14 16 11->28         started        33 5 other processes 11->33 31 conhost.exe 14->31         started        35 6 other processes 14->35 51 127.0.0.1 unknown unknown 16->51 37 6 other processes 16->37 file6 signatures7 process8 dnsIp9 69 Deletes itself after installation 19->69 71 Powershell creates an autostart link 19->71 39 wscript.exe 19->39         started        42 expand.exe 11 19->42         started        73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->73 75 Creates autostart registry keys with suspicious values (likely registry only malware) 26->75 57 aufildeseaux.com 128.65.195.237, 443, 49706, 49712 INFOMANIAK-ASCH Switzerland 28->57 59 ddsdata.net 5.255.127.177, 49715, 49717, 49720 LITESERVERNL Netherlands 33->59 signatures10 process11 file12 77 Windows Scripting host queries suspicious COM object (likely to drop second stage) 39->77 79 Creates processes via WMI 39->79 45 C:\...\a00fb0cedd8c6a4db1c23f3a05b25b2e.tmp, PE32 42->45 dropped signatures13
Gathering data
Threat name:
Shortcut.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-12-13 11:03:57 UTC
File Type:
Binary
AV detection:
6 of 37 (16.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7pohjzfcom2wd6qhpbz2achjvosm6favv4ogvlvc3dftvnbv3wwq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/231214-a9s7faadgn/
Behaviour
Delays execution with timeout.exe
Gathers system information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Deletes itself
Executes dropped EXE
Blocklisted process makes network request
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://aufildeseaux.com/wp-admin/includes/main/read/get.php?pw=xlse&cm=ns0010
http://ddsdata.net/upload.php
http://ddsdata.net/list.php?f=URUOZWGF.txt
http://ddsdata.net/list.php?f=OEJHVKBK.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/suyog41/status/1734863294241067454?t=54PWTgqo1bm6Izy_sBLq9w&s=19

Comments