MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c9eb52fe6e5af51ac94913ce307b2f8b45d22b882d4652cd9cb188d7b72369d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c9eb52fe6e5af51ac94913ce307b2f8b45d22b882d4652cd9cb188d7b72369d
SHA3-384 hash: 45128c9786855fe05f95d025fe73fa9a6457d931079fe4245a3e7daf0e75abe6642ad389cd9dc28297f8468198dbecf7
SHA1 hash: b2960b9618bc7adb61e2af4a020b8372c87c5ed3
MD5 hash: 3592ce9c767c5a549d1f7b153a274fd8
humanhash: william-eight-juliet-charlie
File name:Neoncx.exe
Download: download sample
File size:1'066'496 bytes
First seen:2023-01-04 05:14:46 UTC
Last seen:2023-01-04 06:28:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:mPM4PD6wMY6qnd26PNEiWLP4ic7RHcKuy1G:mzPWYm6P5iQiIce1G
Threatray 5'927 similar samples on MalwareBazaar
TLSH T1CB3502066A1E52C1D01A3B777C84769D2FEBA819B986EEB90E043CCDF0D54B35D211FA
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d0ccecececd0e0
Reporter r3dbU7z
Tags:exe spyware

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Neoncx.exe
Verdict:
Malicious activity
Analysis date:
2023-01-04 05:18:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e14b9dc-861c-49eb-b4bb-2f310aab4161

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349312/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.57844.7878.24866.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed tiny
Link:
https://www.filescan.io/uploads/63b50b58b9b1c17375205a2a/reports/04427d2f-fbff-41a1-a30d-b07c69d2b50c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6bc2f4da-1ae7-439b-8ef6-b5d32cc7b27f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1144914
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c9eb52fe6e5af51ac94913ce307b2f8b45d22b882d4652cd9cb188d7b72369d/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-01-04 05:15:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bsplkl7g4wxvdleuse6ogb5s7c2f2ivyqlkgklgzzmmi263sg2oq._file
Verdict:
malicious
Similar samples:
03a522f4d308162517decacc543958539b54de3da45876f824d857221a95ccf6
0f4929da9001eab23942eab268ece5da252c8b654273cc6ddaad9f87dcfbb1fa
0fe833966ffd7dc6723991d4b4561f039f488ce774de7c5c6b6f9ad7a006b595
26a8b57607f6d28a0b3df01b474a8ff516077e40af6db5466965335eb06913e9
29b5468c799dbba5a156b67c04f3082f41c647c0cf9330e824f57d456d2e234e
963f054c289e0855e2d119fa2e290bcc3a1d7787c60ed226fb6512b52b3750c5
a88df82e4b619c1586b5640c801616486f08b3bd32f766847f468d6a23b6c23e
bec2c4c72b0297624093232878a45e9f5e467a9f838268a4403bc9416bde8189
+ 5'917 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230104-fxkbnahc4v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/967065ff-0582-465c-8014-cbfc0389388a
Unpacked files
SH256 hash:
0c9eb52fe6e5af51ac94913ce307b2f8b45d22b882d4652cd9cb188d7b72369d
MD5 hash:
3592ce9c767c5a549d1f7b153a274fd8
SHA1 hash:
b2960b9618bc7adb61e2af4a020b8372c87c5ed3
Link:
https://www.unpac.me/results/95bdc484-4594-42bb-a5e5-faa7223a0f81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/0c9eb52fe6e5af51ac94913ce307b2f8b45d22b882d4652cd9cb188d7b72369d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0c9eb52fe6e5af51ac94913ce307b2f8b45d22b882d4652cd9cb188d7b72369d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349312/

Comments