MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09e79ec83fba30ac5b424cd6c0fbee4f61d62a7438b1e1cf4461f34327cd65ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09e79ec83fba30ac5b424cd6c0fbee4f61d62a7438b1e1cf4461f34327cd65ae
SHA3-384 hash: 67c8f6d7a5b7f92787c53a2ae01a680d52f81bb2d49f940d5499b45d9d9b9e30e03fc5d0800192e6ecd460904e553938
SHA1 hash: fbf0bcf65ac29987a65234938be89d640cbae318
MD5 hash: 00c8b60cc6c51b7c4c93405ebf9237ad
humanhash: october-bluebird-foxtrot-purple
File name:cY-5134-kfF.exe
Download: download sample
File size:57'805'160 bytes
First seen:2024-08-28 22:45:27 UTC
Last seen:2024-08-29 11:16:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cd700d3e41bc9b2f92b52513996a7bd3
ssdeep 6144:n5ybnatMCCb5Zf3qbzZmITfv9OR7MnuYDy:0zGnCb51qbz5L9OEW
Threatray 7 similar samples on MalwareBazaar
TLSH T17EC70890CE390C1BEC40117026F7126AB77A74CED3A1E347920DFABB7E67512AD89197
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter FXOLabs
Tags:exe signed

Code Signing Certificate

Organisation:TNH99 VIET NAM JOINT STOCK COMPANY
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2024-08-19T07:10:58Z
Valid to:2025-08-20T07:10:58Z
Serial number: 6a7b1e613f855e13416df15f
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: e49c5f80481f4ff71e51d7f45cebfb466b7e96cd74540c5e56c0ddf259f7de79
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
430
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cY-5134-kfF.exe
Verdict:
Malicious activity
Analysis date:
2024-08-28 22:47:56 UTC
Tags:
susp-powershell
Link:
https://app.any.run/tasks/e0fb3dff-ffb4-4ea3-a339-b35b62c39cf1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66cfa8b1fe69a9e56049cad7
Tags:
Execution Network Stealth
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Running batch commands
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd fingerprint lolbin overlay packed
Link:
https://www.filescan.io/uploads/66cfa8adb854095a010bd0b9/reports/306a02b2-b7cb-4154-8148-7f651b64cfe4/overview
Verdict:
Suspicious
Labled as:
GenCBL.FFW trojan
Link:
https://www.hybrid-analysis.com/sample/09e79ec83fba30ac5b424cd6c0fbee4f61d62a7438b1e1cf4461f34327cd65ae
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1500859
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1500859 Sample: cY-5134-kfF.exe Startdate: 29/08/2024 Architecture: WINDOWS Score: 60 48 suporteconexao.com 2->48 54 Sigma detected: Powershell adding suspicious path to exclusion list 2->54 56 .NET source code contains potential unpacker 2->56 58 Adds a directory exclusion to Windows Defender 2->58 60 5 other signatures 2->60 10 cY-5134-kfF.exe 1 23 2->10         started        signatures3 process4 file5 40 C:\ProgramData\oCAVMLtbuaIVpFbQmqhuH .exe, PE32+ 10->40 dropped 42 C:\ProgramData\...\vcruntime140_1.dll, PE32+ 10->42 dropped 44 C:\ProgramData\...\vcruntime140.dll, PE32+ 10->44 dropped 46 16 other files (none is malicious) 10->46 dropped 13 cmd.exe 1 10->13         started        15 cmd.exe 1 10->15         started        process6 process7 17 EpFbQmqhuH .exe 1 1 13->17         started        20 conhost.exe 13->20         started        22 EstwMRbcLU .exe 16 5 15->22         started        25 conhost.exe 15->25         started        dnsIp8 52 Adds a directory exclusion to Windows Defender 17->52 27 powershell.exe 23 17->27         started        50 suporteconexao.com 104.21.67.246, 443, 49707, 49716 CLOUDFLARENETUS United States 22->50 30 explorer.exe 62 4 22->30 injected signatures9 process10 signatures11 62 Loading BitLocker PowerShell Module 27->62 32 WmiPrvSE.exe 27->32         started        34 conhost.exe 27->34         started        36 EpFbQmqhuH .exe 30->36         started        38 EstwMRbcLU .exe 30->38         started        process12
Score:
28%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/09e79ec83fba30ac5b424cd6c0fbee4f61d62a7438b1e1cf4461f34327cd65ae
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-08-28 22:46:10 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
2 of 38 (5.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhtz5sb7xiykyw2cjtlmb67oj5q5mktuhcy6dt2emhzugj6nmwxa._file
Verdict:
malicious
Similar samples:
09e79ec83fba30ac5b424cd6c0fbee4f61d62a7438b1e1cf4461f34327cd65ae
267fd0e9332f1e66a06470d4b90f5ec89d965b810728f412a616d7805e14c054
de2c499d846a3c47bc90af39f13f2fa3b6237115f2be64d69e54411bccc00556
f75c52684ec2fe9479f4ceb28c3cec36885e304003f02308b5be11cdd08187f3
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240828-2pyd7sscpm/
Behaviour
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/66f3c8c4-3e61-4b2a-b613-539ada73b220
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments