MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7784f0373b36e09b80ac72e18068821af9c10634fda6a7a1e82213dcd9a9fee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7784f0373b36e09b80ac72e18068821af9c10634fda6a7a1e82213dcd9a9fee
SHA3-384 hash: d1575432904bb5f4b3043e4ce0720cd7a81c6e5bac20d865e1b7075218647a562077a08343b2ac34b436b6fb8c95b17e
SHA1 hash: 00b2df9d1e1195332c205b15c8c48e17d779c25d
MD5 hash: 0261e1f82fe2bb20f7359dfd1287ae1a
humanhash: glucose-vermont-sierra-oranges
File name:c7784f0373b36e09b80ac72e18068821af9c10634fda6a7a1e82213dcd9a9fee
Download: download sample
File size:48'640 bytes
First seen:2022-04-19 12:16:51 UTC
Last seen:2022-04-19 12:37:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a50e815adb2cfe3e58d388c791946db8 (2 x njrat, 2 x DCRat, 1 x Lucifer)
ssdeep 768:Apm7BcEKNvBcvL6VeRNL1a6ZO4PTPz+o+CKr3zQ4NuVVWgP4+zeQ5xnbcuyD7Ube:ApfEKNCj6VoJl9Go5K7s4Nu3j5xnouy1
Threatray 133 similar samples on MalwareBazaar
TLSH T19923F14791CDADABE56050796CAF1CAAAF5CD329BAC08331F9C033774EA0E074B18356
TrID 41.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
25.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264611/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/625ea83eeab80a7a6c414ccf/reports/577ca1e7-ac47-40c7-888c-a1685cf16de4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ad62436-781d-4c9f-ac2b-0a4481f136c2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978826
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Encoded FromBase64String
Sigma detected: FromBase64String Command Line
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Yara detected Powershell dedcode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 611313 Sample: Nk5W0er2DR Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 25 Malicious sample detected (through community Yara rule) 2->25 27 Antivirus detection for dropped file 2->27 29 Antivirus / Scanner detection for submitted sample 2->29 31 8 other signatures 2->31 7 Nk5W0er2DR.exe 8 2->7         started        process3 file4 19 C:\Users\user\AppData\Local\Temp\...\4748.bat, ASCII 7->19 dropped 10 cmd.exe 1 7->10         started        process5 signatures6 33 Suspicious powershell command line found 10->33 13 powershell.exe 15 15 10->13         started        17 conhost.exe 10->17         started        process7 dnsIp8 23 157.27.85.50, 8080 ASGARRConsortiumGARREU Italy 13->23 21 PowerShell_transcr....20220419141830.txt, UTF-8 13->21 dropped file9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7784f0373b36e09b80ac72e18068821af9c10634fda6a7a1e82213dcd9a9fee/
Threat name:
Win32.Trojan.Leivion
Create hunting rule
Status:
Malicious
First seen:
2022-04-15 14:58:34 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
31 of 41 (75.61%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
011bb4cfef72d6381568e872d8ab226bd4803ba0a898d6d59410884c8d140ed5
4710c5debc1ad17a85ef82676a4b6b7e15054966de57b0f4bab61c4ede209830
5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f
6e34f951634493ec7a71e5c3418ed7d973ffc87351a5459722e04016c94b1471
8e604b70dd6ca05df996f71508ba0c06b89da8c0107b789076617a8664ba4e6d
cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf
df70e51b8184f55f8c2ead6b202814b71417b0986aa71a56b5d1dd07275f084e
e64de38787850a88d92cb250314fb7bd6483a2f473b02d3c70daddcbf22ddabd
ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9
f1e6657c4eb47b8e3fbd4c88a53913bf5ddcfa697096b54b3c6a097ae5d2099a
+ 123 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/220419-pf1rrabda3/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Unpacked files
SH256 hash:
03be83c0c86d812e181f809b5b288441de3e83ba7db01d16b768822b4da1cc63
MD5 hash:
d6f964bbbc137fb9a1c3c864e01ee387
SHA1 hash:
93dddfa91f9ff233705f5cca7a7e42d0edbb9a7a
Link:
https://www.unpac.me/results/0ed47e31-4734-4cce-b175-d2e024086baf/
SH256 hash:
c7784f0373b36e09b80ac72e18068821af9c10634fda6a7a1e82213dcd9a9fee
MD5 hash:
0261e1f82fe2bb20f7359dfd1287ae1a
SHA1 hash:
00b2df9d1e1195332c205b15c8c48e17d779c25d
Link:
https://www.unpac.me/results/0ed47e31-4734-4cce-b175-d2e024086baf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7784f0373b36e09b80ac72e18068821af9c10634fda6a7a1e82213dcd9a9fee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264611/

Comments