MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f9c8c44079baed3e635a5d894ddad9c0db48022a19e80af11c79699727de3e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f9c8c44079baed3e635a5d894ddad9c0db48022a19e80af11c79699727de3e0
SHA3-384 hash: a7af9417ccd720bf739c1928bcf607f66efcb680c5e53cfbed3616941560d0bc1d4a601bbf12f70050b869529a28d914
SHA1 hash: f3c8a117fa361e2afad77fc90673ab3ca81152f4
MD5 hash: 375b713f2e3c2018da424666c6be9059
humanhash: skylark-summer-asparagus-stream
File name:7f9c8c44079baed3e635a5d894ddad9c0db48022a19e80af11c79699727de3e0
Download: download sample
File size:86'016 bytes
First seen:2022-04-19 14:42:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 1536:tP+/8aqQdqLyEK5n1w8+XbNLYVYL3s+ATMm+lT3Lm:xs8afUK5n1T+hLY2L3s+ATMm+lTbm
Threatray 283 similar samples on MalwareBazaar
TLSH T1B9830F9D722072EFC85BD472DEA81D68EA6174BB431F4217A02715ADEE4D897CF240F2
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7f9c8c44079baed3e635a5d894ddad9c0db48022a19e80af11c79699727de3e0
Verdict:
Malicious activity
Analysis date:
2022-04-19 14:47:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/53b91936-9d95-4c9a-8ceb-9af984e8d576

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264641/
Detection(s):
PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Launching a process
Sending a custom TCP request
Creating a file in the Windows subdirectories
DNS request
Blocking the Windows Defender launch
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/625eca77eab80a7a6c423f16/reports/c68b2df0-c00b-4b64-80cb-61b00b013565/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/502f92f7-63bb-4a76-93ac-09e4adc4c972
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.troj.adwa.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/978925
Signature
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Install WinpCap (used to filter network traffic)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample is not signed and drops a device driver
Sigma detected: File Created with System Process Name
Sigma detected: Registry Defender Tampering
Sigma detected: Suspicious Outbound Kerberos Connection
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 611412 Sample: ywvz5i8kT9 Startdate: 19/04/2022 Architecture: WINDOWS Score: 66 77 201.75.14.0.in-addr.arpa 2->77 91 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->91 93 Multi AV Scanner detection for domain / URL 2->93 95 Antivirus detection for URL or domain 2->95 97 9 other signatures 2->97 8 ywvz5i8kT9.exe 14 16 2->8         started        13 svchost.exe 2->13         started        15 RuntimeBroker.exe 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 79 45.135.48.153, 49758, 49767, 80 PINGTAN-AS-APKirinNetworksCN Germany 8->79 81 201.75.14.0.in-addr.arpa 8->81 69 C:\Windows\SysWOW64\RuntimeBroker.exe, PE32+ 8->69 dropped 71 C:\Users\user\AppData\...\WinPcap_4_1_3.exe, PE32 8->71 dropped 73 C:\Users\user\...\vcredist_2013_x64.exe, PE32 8->73 dropped 75 8 other files (none is malicious) 8->75 dropped 105 Detected unpacking (changes PE section rights) 8->105 19 WinPcap_4_1_3.exe 10 45 8->19         started        23 cmd.exe 1 8->23         started        25 vcredist_2010_x64.exe 8->25         started        27 5 other processes 8->27 107 Changes security center settings (notifications, updates, antivirus, firewall) 13->107 83 113.212.88.126, 49768, 49769, 80 PINGTAN-AS-APKirinNetworksCN China 15->83 85 201.75.14.0.in-addr.arpa 15->85 87 192.168.2.1 unknown unknown 15->87 89 127.0.0.1 unknown unknown 17->89 file6 signatures7 process8 file9 47 C:\Windows\SysWOW64\wpcap.dll, PE32 19->47 dropped 49 C:\Windows\System32\wpcap.dll, PE32+ 19->49 dropped 51 C:\Windows\System32\drivers\npf.sys, PE32+ 19->51 dropped 61 10 other files (none is malicious) 19->61 dropped 99 Sample is not signed and drops a device driver 19->99 101 Install WinpCap (used to filter network traffic) 19->101 103 Uses cmd line tools excessively to alter registry or file data 23->103 29 reg.exe 1 1 23->29         started        32 conhost.exe 23->32         started        34 reg.exe 1 23->34         started        43 12 other processes 23->43 53 C:\4863269369430a9b27\sqmapi.dll, PE32 25->53 dropped 55 C:\4863269369430a9b27\SetupUi.dll, PE32 25->55 dropped 57 C:\4863269369430a9b27\SetupEngine.dll, PE32 25->57 dropped 63 11 other files (none is malicious) 25->63 dropped 59 C:\ProgramData\...\vcredist_x64.exe, PE32 27->59 dropped 36 vcredist_2013_x64.exe 27->36         started        39 conhost.exe 27->39         started        41 conhost.exe 27->41         started        45 2 other processes 27->45 signatures10 process11 file12 109 Creates an undocumented autostart registry key 29->109 65 C:\Users\user\AppData\...\vcredist_x64.exe, PE32 36->65 dropped 67 C:\Users\user\AppData\Local\...\wixstdba.dll, PE32 36->67 dropped signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f9c8c44079baed3e635a5d894ddad9c0db48022a19e80af11c79699727de3e0/
Threat name:
Win32.Trojan.Mamson
Create hunting rule
Status:
Malicious
First seen:
2022-04-16 06:43:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81
101a5477169067b0d4df475dca5ed8ae2c99b3916664b6d32aeb5113541ee5be
36ed7e4e8dfce10773b1b1f1b7302e80d38bfd75d7c35bc5da2abf9a8a0b99e3
43874a9fbb28f47bc007e30c0c5494bb292e376398db3c446aa8567f8a4a49b1
46802842ff967e3810af08e372b0f969de57f2ed826498398c5367525fec0bc9
4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51
5189b2a9e69b48ef464f8f59ab722717ab162eb33ab7f493791f13e28d59473e
a617fdbff227afe8c89ba96d34724fb03c0c08857c508c8c80f3fedc916fe2b4
ad202f1b096cd6285e7d1c2891165737589889b74607159df0507a9f6b9eafef
+ 273 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence suricata
Link:
https://tria.ge/reports/220419-r3kedscfep/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Sets file execution options in registry
suricata: ET MALWARE Trojan-Dropper.MSIL CnC Traffic - GET
suricata: ET MALWARE Trojan-Dropper.MSIL CnC Traffic - POST
Unpacked files
SH256 hash:
6ae25d1c552f11a5a613bcd4dcc89e30427e7c120b272963a7bd2c2ba19d4ece
MD5 hash:
10f31b171f5731a48202e96826c2c9cb
SHA1 hash:
528335969ad50432fd7b8b7be2175c08a45ce257
Link:
https://www.unpac.me/results/5879529e-232c-4dab-a5d2-a07c55cd24a8/
SH256 hash:
7f9c8c44079baed3e635a5d894ddad9c0db48022a19e80af11c79699727de3e0
MD5 hash:
375b713f2e3c2018da424666c6be9059
SHA1 hash:
f3c8a117fa361e2afad77fc90673ab3ca81152f4
Link:
https://www.unpac.me/results/5879529e-232c-4dab-a5d2-a07c55cd24a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f9c8c44079baed3e635a5d894ddad9c0db48022a19e80af11c79699727de3e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_NAME_ConfuserEx
Create hunting rule
Author:Arnim Rupp
Description:Detects ConfuserEx packed file
Reference:https://github.com/yck1509/ConfuserEx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264641/

Comments