MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f84130cc5240f4df5afc674fde40012dd9ff141a28dfd171fbd0db9747dbc39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f84130cc5240f4df5afc674fde40012dd9ff141a28dfd171fbd0db9747dbc39
SHA3-384 hash: 5811e4f2bc7f29b4b89ec1b8f3ac6929edc1660d2aa4da5d880ecc4d850cbde60e8baf2b862e3fa840ad5b54836f066a
SHA1 hash: f25a56e20b68eb59d951d57cd0bb1ce96f2244e3
MD5 hash: c81184751669277a6de15de36f33138d
humanhash: oregon-twenty-earth-nevada
File name:c81184751669277a6de15de36f33138d
Download: download sample
File size:6'420'480 bytes
First seen:2021-02-27 14:35:01 UTC
Last seen:2021-02-27 16:48:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93a138801d9601e4c36e6274c8b9d111 (11 x CobaltStrike, 9 x Snatch, 8 x LaplasClipper)
ssdeep 98304:qTk7sPkHDTjkEqE4K8wyeAg+AXEGgxSXenh2N3JGZK:UosPkHDTj/p4Twy5lHslws
Threatray 16 similar samples on MalwareBazaar
TLSH 34566C02FCA618F9C6BEE13086619222BA7178A943313BD35FD4957E5A66FD07B3D310
Reporter c3rb3ru5d3d53c2
Tags:golang GoShell injector Shellcode


Avatar
c3rb3ru5d3d53c
Shellcode is downloaded from

hxxp://117[.]50[.]62[.]88:9901/f7df9a29d2edc699b1d54aee18a10451

Shellcode contains C2 117[.]50[.]62[.]88

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c81184751669277a6de15de36f33138d
Verdict:
No threats detected
Analysis date:
2021-02-27 14:41:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/64147d46-02b9-4f46-902e-06b5ae0decdb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119600/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.14902.27548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/620424
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f84130cc5240f4df5afc674fde40012dd9ff141a28dfd171fbd0db9747dbc39/
Threat name:
Win64.Trojan.Rozena
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 14:49:41 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
006c9ba4ca0218e7bd2c7c21653497d3215bbeefbc1f5c2781549b306bab8e5e
1a1d7e78c5ac2f804e01206111e915963cf51f680776ed02a15cb8353e5f7759
1e5a3233f546af91faf54bef4a30b5869f9a9b4f8fc45b5c85410f658378cac1
32b8ffac3250444904e6af3fca1f6408e684f11ad59e6c46887cf44f5de19e6b
7786483b897971c243102c6203d0f19608524cba52136ae5fa71803e74d55825
9093233af919545a06bb718dd45e2b033be1caaf0844eec11c1f4cb8c0df3527
9d701a6eab150c0140c0153c4b6c1f3dbc0a44845722b79bfa75a98c200113fa
a6c256fa6a1cc48decc1716d2aee531a5a79ab196a1687fbcbebb35dddd11081
e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f
fffd5fb4107407ecc42df03dec6cc20d164b651879ac0a77455e07d9fc001a6d
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210227-f8jqa4nlps/
Unpacked files
SH256 hash:
9f84130cc5240f4df5afc674fde40012dd9ff141a28dfd171fbd0db9747dbc39
MD5 hash:
c81184751669277a6de15de36f33138d
SHA1 hash:
f25a56e20b68eb59d951d57cd0bb1ce96f2244e3
Link:
https://www.unpac.me/results/276795e8-965d-463e-97da-fa67abdac17f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tnega
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f84130cc5240f4df5afc674fde40012dd9ff141a28dfd171fbd0db9747dbc39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/c3rb3ru5d3d53c/status/1365438427735457799
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/119600/

Comments