MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0813d847599cf8680482c173fc36310b4202f305c92167cf60b74498244eb169. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Renamer


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0813d847599cf8680482c173fc36310b4202f305c92167cf60b74498244eb169
SHA3-384 hash: c99693b7af07237440848970b938acdf2bad419dd7c1313a6beb253b7180ef6acb7e7239dcf86e46dc8e9458e6ed0d71
SHA1 hash: 2d1978eafd521cb6dc2c5b4689da152aaa2d7b95
MD5 hash: 65b3023df8d575d6c8da868f8ed7ee90
humanhash: speaker-shade-winner-river
File name:SecuriteInfo.com.W32.AIDetect.malware2.12143.22828
Download: download sample
Signature Renamer
Create hunting rule
File size:905'767 bytes
First seen:2021-03-09 17:17:51 UTC
Last seen:2021-03-09 17:45:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 24576:mbQWt0Iw1SjCSPsxY4IL7R2B7v8h8dCylkf8EgdB8aNF:DRIwwOS05UCv8hQkkEEPNF
Threatray 3 similar samples on MalwareBazaar
TLSH 66153307D2151853DB9763F25FBDAB4FE298D2A475A510D32BF02D3E2C232DAB159093
Reporter SecuriteInfoCom
Tags:Renamer

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.12143.22828
Verdict:
Malicious activity
Analysis date:
2021-03-09 17:20:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aa23b48c-1b59-47b4-a351-291e10d496b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123337/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.12143.22828.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Replacing executable files
Creating a file
Deleting a recently created file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Sending a UDP request
Enabling autorun by creating a file
Infecting executable files
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/633304
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-03-09 14:23:04 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
26731727d41900508417161ad19837020b51b2528c0b08ed4541d5c7ce1c6e65
Renamer
3f1d1e7c74f8b8e44a0c1cf334b339e2e6ccabc36982d0d2331af2ac121112c2
Renamer
97f2b9300d59e15e714210ace4500908122b8901a5d905e9d8d269819649f880
Renamer
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210309-6hxk9rdrp6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Unpacked files
SH256 hash:
0813d847599cf8680482c173fc36310b4202f305c92167cf60b74498244eb169
MD5 hash:
65b3023df8d575d6c8da868f8ed7ee90
SHA1 hash:
2d1978eafd521cb6dc2c5b4689da152aaa2d7b95
Link:
https://www.unpac.me/results/1445fe72-f5f8-4ae7-9b60-f78063524cae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0813d847599cf8680482c173fc36310b4202f305c92167cf60b74498244eb169

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Renamer
Create hunting rule
Author:ditekSHen
Description:Detects Renamer/Tainp variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Renamer

Executable exe 0813d847599cf8680482c173fc36310b4202f305c92167cf60b74498244eb169

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1056773/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1056777/
Cape
Cape
https://www.capesandbox.com/analysis/123337/

Comments