MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fea8616efde9154a348142869f52bfa2731c8f299973c131909879270350e6d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fea8616efde9154a348142869f52bfa2731c8f299973c131909879270350e6d7
SHA3-384 hash: 5ff7e8e55930b3907cc2c2d32f3ba4d93446aec91eccec544c2bf2207b0d787567320475c8b5108959ee4776350b14b5
SHA1 hash: 58f0702ebb4ca728dde3d0e5df8af6aa69d96915
MD5 hash: 01f4b93864f0f1a2bbe150c90112c2e3
humanhash: batman-october-stairway-don
File name:01f4b93864f0f1a2bbe150c90112c2e3.exe
Download: download sample
File size:795'648 bytes
First seen:2020-10-30 15:45:41 UTC
Last seen:2020-10-30 18:11:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c2f0d78f9ff9e6a710136fc65ee84de
ssdeep 12288:J8m18rlt3+itSQuSwZffLz6D6gIWMl5DcAJixIw36cyoGz5xNpa:J8myuKAZffLs6gZAo2GEtxba
Threatray 50 similar samples on MalwareBazaar
TLSH 3B051211FA52DA32D05608710054F2A557BA68F05370CA8F3FA2F66E1F352E1E7A636F
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81316/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.PUPXAB.bh.31820.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/517162
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Country aware sample found (crashes after keyboard check)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fea8616efde9154a348142869f52bfa2731c8f299973c131909879270350e6d7/
Threat name:
Win32.Trojan.Masson
Create hunting rule
Status:
Malicious
First seen:
2020-10-30 15:47:04 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1e2d9254c50c83736eaad6c2ec1bf8cb1c12c1940493e64c09c1826320d00ac4
2d1b0d1c9aa5f5f7ca2252020d11880936f7470efce9dc31a29f252b5cc883c4
4c9e3e872f367a494631f28a666ef5a355f20c684ed87b4eaaca8404000d51a6
5b4cbc85472de1347063a0fdacda8089e916ec37d4e079145a5d81bc3a57c0c5
5b5eab7a12fdfc6cc39e39193b7a9020ee46e72acac70033236ef9b6b2da32c7
8499aa17997bfbe03592e33e82df1c674f1b57ba3d372355e690b9468ea6fea2
9b1e5e617c18cebc3acd84a510ec072115959adbbcfb6754a1dee270d2bf20ad
b185c97cf356748005cda3b4ccb5a6df0e059c8869ba3b3f33595984bb60f380
b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04
ee9d9465f960e3d9dc344b9663653b9d6f2ed072586b183124f27d3f902c31f5
+ 40 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/201030-gv492ybejs/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ransomware
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fea8616efde9154a348142869f52bfa2731c8f299973c131909879270350e6d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:AutoIT_Script
Create hunting rule
Author:@bartblaze
Description:Identifies AutoIT script.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe fea8616efde9154a348142869f52bfa2731c8f299973c131909879270350e6d7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/81316/
  
URLhaus
https://urlhaus.abuse.ch/url/758221/
  
Delivery method
Distributed via web download

Comments