MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f4d1a9ac1322f2bb0ae03ff90a2ef81237e626965c33098e49be650050caf8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 0f4d1a9ac1322f2bb0ae03ff90a2ef81237e626965c33098e49be650050caf8c
SHA3-384 hash: 9cb88d49bfe34d1f8ad4ff660c50ecf0d3109a109011a53f122aeb8e313826ebfd2b2e8ad9810d9f60c1a50289728f4c
SHA1 hash: 8aab1a932f7277166256e9d8743c6f15e7ced69f
MD5 hash: 933ed584192aeaa839ae142ac089c713
humanhash: double-sad-hamper-twenty
File name: 0f4d1a9ac1322f2bb0ae03ff90a2ef81237e626965c33098e49be650050caf8c
File size: 32'722'944 bytes
First seen: 2022-01-04 09:03:58 UTC
Last seen: 2022-01-04 11:02:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9dcf9cb466d6bc24e3ddaabdef1771b8
ssdeep: 786432:rIFkNFkVQgSXSOPtzNkFmlccwIjsekWGP+Rsf+:EFY2VNOPtxkYlf9j38
Threatray: 55 similar samples on MalwareBazaar
TLSH: T14B7733EBFAD8612EC11B56310A73926055376E51B81A8C2E8FF8755D8F761032F37A23
dhash icon: e09a676060678ee0 (14 x AsyncRAT, 5 x ValleyRAT, 4 x Formbook)
Reporter: JAMESWT_WT
Tags: 42 192 232 209 exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 224
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0f4d1a9ac1322f2bb0ae03ff90a2ef81237e626965c33098e49be650050caf8c
Verdict: No threats detected
Analysis date: 2022-01-04 09:07:56 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Sending a custom TCP request
DNS request
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger packed
Result
Verdict: MALICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 54 / 100

Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Sigma detected: Execution from Suspicious Folder

Behaviour
Behavior Graph (ID: 547636; Sample: aa2W5GrLPA; Startdate: 04/01/2022; Architecture: WINDOWS; Score: 54)

Submitted sample
    Signatures: Antivirus / Scanner detection for submitted sample; Icon mismatch, binary includes an icon from a different legit application in order to fool users; Multi AV Scanner detection for submitted file; 3 other signatures
    aa2W5GrLPA.exe (started)
        Dropped: C:\Users\Public\dog2021-.com (PE32); C:\Users\Public\Telegram.exe (PE32)
        Signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension
        dog2021-.com (started)
            Network: 42.192.232.209, 8000 (LILLY-ASUS, China)
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        Telegram.exe (started)
            Dropped: C:\Users\user\AppData\Local\...\Telegram.tmp (PE32)
            Signatures: Obfuscated command line found
            Telegram.tmp (started)
                Dropped: C:\Users\user\AppData\...\unins000.exe (copy) (PE32); C:\Users\user\AppData\...\is-45P6P.tmp (PE32); C:\Users\user\...\d3dcompiler_47.dll (copy) (PE32); 6 other files (none is malicious)
                Telegram.exe (started)
                    Network: 149.154.175.100, 443, 49781, 49782 (TELEGRAM_MESSENGERRU, United Kingdom); 149.154.175.50, 443, 49803, 49804 (TELEGRAM_MESSENGERRU, United Kingdom); 11 other IPs or domains
Result
Threat name: Win32.Trojan.FlyAgent
Status: Malicious
First seen: 2021-12-25 07:14:23 UTC
File Type: PE (Exe)
Extracted files: 41
AV detection: 26 of 43 (60.47%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence

Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments