MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd970a63d4174339b42914587af3956b2a0d1c6a5f2d442f9db4133b3b714761. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd970a63d4174339b42914587af3956b2a0d1c6a5f2d442f9db4133b3b714761
SHA3-384 hash: 06242e41d65067b5d15b8410131a62511d0e86370013b7102fe521b1999a4fa584e03331da3fac328950b971db4e5c17
SHA1 hash: 4b1c60ef81c6c2e6fbdf7f61300082ea862e0ae7
MD5 hash: 15bc0ffe4168f7ce98f40e66902aacd7
humanhash: robert-oranges-fix-july
File name:dcntel.dll
Download: download sample
File size:15'008'768 bytes
First seen:2023-02-25 16:24:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b3369ebde61e3a02bfb7812c3ba52cd
ssdeep 393216:ju7L/FxvJ/m3pn9aq+ZkFQJ4ux04V4a3cCbAf:jCLNhJKACk4uz5/bAf
Threatray 1'094 similar samples on MalwareBazaar
TLSH T134E63309636004DEE9E9D13ACE47D52AAAF57C2407A4C1CB83989B6B2E770D17D3BF44
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter Chainskilabs
Tags:exe pyinstaller

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dcntel.dll
Verdict:
Malicious activity
Analysis date:
2023-02-25 16:25:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2c11f95b-9ec5-4408-a5d4-617523ffdd57

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed python
Link:
https://www.filescan.io/uploads/63fa36600796d7d621e88ecd/reports/30471a42-efce-4e70-a4e8-b9841acf269c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/fd970a63d4174339b42914587af3956b2a0d1c6a5f2d442f9db4133b3b714761
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a19b008b-4a6d-4ec5-b614-c18232ac3d25
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1182369
Signature
Connects to a pastebin service (likely for C&C)
Contains functionality to infect the boot sector
DLL side loading technique detected
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 815200 Sample: dcntel.dll.exe Startdate: 25/02/2023 Architecture: WINDOWS Score: 60 116 Multi AV Scanner detection for submitted file 2->116 118 Connects to a pastebin service (likely for C&C) 2->118 10 loaddll64.exe 1 2->10         started        process3 signatures4 122 DLL side loading technique detected 10->122 13 cmd.exe 1 10->13         started        15 rundll32.exe 10->15         started        17 rundll32.exe 10->17         started        19 5 other processes 10->19 process5 file6 22 rundll32.exe 13->22         started        24 winbin.exe 103 15->24         started        27 winbin.exe 103 17->27         started        68 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 19->68 dropped 70 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 19->70 dropped 72 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 19->72 dropped 74 73 other files (none is malicious) 19->74 dropped 29 winbin.exe 103 19->29         started        31 winbin.exe 19->31         started        34 conhost.exe 19->34         started        process7 dnsIp8 36 winbin.exe 103 22->36         started        84 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 24->84 dropped 86 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 24->86 dropped 88 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 24->88 dropped 96 73 other files (none is malicious) 24->96 dropped 40 winbin.exe 24->40         started        43 conhost.exe 24->43         started        90 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 27->90 dropped 92 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 27->92 dropped 94 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 27->94 dropped 98 73 other files (none is malicious) 27->98 dropped 45 winbin.exe 4 27->45         started        47 conhost.exe 27->47         started        100 76 other files (none is malicious) 29->100 dropped 49 winbin.exe 4 29->49         started        51 conhost.exe 29->51         started        114 pastebin.com 31->114 53 cmd.exe 31->53         started        file9 process10 dnsIp11 76 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 36->76 dropped 78 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 36->78 dropped 80 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 36->80 dropped 82 73 other files (none is malicious) 36->82 dropped 120 Contains functionality to infect the boot sector 36->120 55 winbin.exe 4 36->55         started        58 conhost.exe 36->58         started        106 pastebin.com 40->106 60 cmd.exe 40->60         started        108 172.67.34.170, 443, 49700 CLOUDFLARENETUS United States 45->108 110 pastebin.com 45->110 62 cmd.exe 45->62         started        112 pastebin.com 49->112 64 cmd.exe 49->64         started        file12 signatures13 process14 dnsIp15 102 pastebin.com 104.20.68.143, 443, 49696, 49698 CLOUDFLARENETUS United States 55->102 104 192.168.2.1 unknown unknown 55->104 66 cmd.exe 55->66         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd970a63d4174339b42914587af3956b2a0d1c6a5f2d442f9db4133b3b714761/
Threat name:
Win64.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-02-25 15:45:58 UTC
File Type:
PE+ (Dll)
Extracted files:
16
AV detection:
6 of 34 (17.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wlquy6uc5bttnbjcrmhv44vnmva2hdkl4wuil45wqjtwo3ri5qq._file
Verdict:
unknown
Similar samples:
092bcd3cf82639b3edc348e5c040fc6cb7c472928832aadf07b18dd61986675d
2f0bb4d74005cf2460f4e5f0ef95390ef017fd154b00ada7492b266ca589ba3e
66faa0ab77f8471078f93a7d389f95ddffd4b5fc6abf7f79fee3f1dd9a70a5b7
6da5530eff5617af7c73aa5c1211971702a8ba5dffb67d76aad7c889185b2f46
bb95df37be69e6b1b662a1a5936a77da4e87ec1a16bfc108919ed7eb836f0f80
cbafa6b5a5a5141801e04ad135271a9e0169e120582ed96c4136c0b2b2ae4d98
e0b5142a0af8f9cf06f8e7cb073828711c38a9c47a906d820300d79a7dbce186
+ 1'084 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/230225-twx31sde41/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
fd970a63d4174339b42914587af3956b2a0d1c6a5f2d442f9db4133b3b714761
MD5 hash:
15bc0ffe4168f7ce98f40e66902aacd7
SHA1 hash:
4b1c60ef81c6c2e6fbdf7f61300082ea862e0ae7
Link:
https://www.unpac.me/results/d4689f7d-9620-40ca-8bf1-57af1f9bc6aa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd970a63d4174339b42914587af3956b2a0d1c6a5f2d442f9db4133b3b714761

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe fd970a63d4174339b42914587af3956b2a0d1c6a5f2d442f9db4133b3b714761

(this sample)

  
Delivery method
Distributed via web download

Comments