MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f27435dc99ba92e020aad22e345af6c0e838d585ec87064204c34e90d3b000b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Renamer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	0f27435dc99ba92e020aad22e345af6c0e838d585ec87064204c34e90d3b000b
SHA3-384 hash:	c8c263aff9101785c9390e6e0779a1d4cecdae350e04b5ef2bf5f59760027bd8954f92067d0dabdda92641edf73aa424
SHA1 hash:	5f55a92a9e3062d094450f24a3fd255abcd675f6
MD5 hash:	600dfc4fcecc6a99698b517b52d2c5d3
humanhash:	twenty-twelve-ten-mirror
File name:	600dfc4fcecc6a99698b517b52d2c5d3.exe
Download:	download sample
Signature	Renamer Create hunting rule
File size:	689'794 bytes
First seen:	2022-04-12 12:43:53 UTC
Last seen:	2022-04-12 14:00:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	12288:TUELPrk5KAqHXMH3b47AjPjBb/0Iw3vNLXO4TvIzQMnZJLI/AmB2DbVKZe8:TUQwz3b4Aj1r0N3lLSfdmB2DBKZp
Threatray	4'708 similar samples on MalwareBazaar
TLSH	T14FE423B225EED423C41ADB3456771124FF3BE35866824DA7374C2D2B95F0AFA1422E93
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe Renamer

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

600dfc4fcecc6a99698b517b52d2c5d3.exe

Verdict:

Malicious activity

Analysis date:

2022-04-13 03:13:12 UTC

Tags:

installer

Link:

https://app.any.run/tasks/505d0b36-8191-46ad-a862-71c1b1e1f276

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Renamer

Link:

https://www.capesandbox.com/analysis/263079/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.2403.7457.29945.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62557431482f2f41ca9fd1c3/reports/65eda62a-8797-4658-a94f-102d9558f45f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f4f62315-addb-4aeb-8c00-756d3a8530e1

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/975521

Signature

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0f27435dc99ba92e020aad22e345af6c0e838d585ec87064204c34e90d3b000b/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-04-12 08:40:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 42 (54.76%)

Threat level:

5/5

Verdict:

malicious

Renamer

7f8435d43386aa3aee57de7fe1889c8e7762271428c279827b3293e3af5af282

Renamer

92bb5012578914468bee4337e356ee6932c50ce7718a6ff7ce5ee89de97cc850

Renamer

aaefeb4e179daa06504580ee2a3c50545ced720e723942feb61999e26679540a

Renamer

c663442ba07c72d93cbf098eadfe1475b7bc470e361c1736ab2b457a57f2cf94

Renamer

c767db1d9bb5f369f3a2d395412c98f71de29cf829800a2494a2c0dec8e4a57f

Renamer

+ 4'698 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220412-pyhnwsbdfj/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Drops autorun.inf file

Suspicious use of SetThreadContext

Drops startup file

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

e8463467b02d48cc870d9ee5539a11cdd423f17ed9152ad2fa92c7cd1ea57854

MD5 hash:

f91871277c4aff504872eb87305b74b2

SHA1 hash:

b8fb5b090d5e0993f977337c5818c4217fb24eb7

Link:

https://www.unpac.me/results/0f3c38ca-4ac7-43d8-8abf-f74a52fc0513/

SH256 hash:

e80ab1edf069edd4275c1de4fa5c708c2d2c91fff521b7cb6d9a6078c1b976cb

MD5 hash:

cb87a804d93626ccf7949c507653dca4

SHA1 hash:

e76673b74c956c575d66c608a35b2d854be87ab6

Link:

https://www.unpac.me/results/0f3c38ca-4ac7-43d8-8abf-f74a52fc0513/

SH256 hash:

0f27435dc99ba92e020aad22e345af6c0e838d585ec87064204c34e90d3b000b

MD5 hash:

600dfc4fcecc6a99698b517b52d2c5d3

SHA1 hash:

5f55a92a9e3062d094450f24a3fd255abcd675f6

Link:

https://www.unpac.me/results/0f3c38ca-4ac7-43d8-8abf-f74a52fc0513/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0f27435dc99b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/0f27435dc99ba92e020aad22e345af6c0e838d585ec87064204c34e90d3b000b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.