MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 135f703ece7e14ce5dfb7feab1782013a1f555fc9d84b786d673d37ad9bc4708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PoshC2


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 135f703ece7e14ce5dfb7feab1782013a1f555fc9d84b786d673d37ad9bc4708
SHA3-384 hash: 4ad1b34ce187aa721dc9a6ca27fd7aff7b97cbbe2ba71a7a25387f77b743874510f95bc2222469a26384b85176e24144
SHA1 hash: 48d41f648c6fc139c1d3a0264efa73f14e8212a4
MD5 hash: 5620a20711658b05206dc49bdec81e9c
humanhash: item-sixteen-stream-chicken
File name:5620a20711658b05206dc49bdec81e9c
Download: download sample
Signature PoshC2
Create hunting rule
File size:144'896 bytes
First seen:2023-12-04 19:52:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8af9e90ad27cc2cc9b6628752aa1559b (1 x PoshC2)
ssdeep 1536:Om7583WEeUVsUVzxFB8AN0jPlNL7F7SDeUNA4IHhrsjkusjsWId09dln5trkHnVH:fqr9nCN5F7uvAHh8kB0MNv0nVRHoFD6
TLSH T161E36C3BA27154BBD26A7134C9130D49AF71741357728A6F97240ABA2F33391DF29FA0
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 exe poshc2

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462445/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Win.Malware.Tedy-10002056-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
alien lolbin obfuscated rundll32
Link:
https://www.filescan.io/uploads/656e2e868b5ba47db2d119fa/reports/71f9fa0a-a85a-4809-ad5f-5df56e85e71c/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/135f703ece7e14ce5dfb7feab1782013a1f555fc9d84b786d673d37ad9bc4708
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0baac77f-42d8-4f27-a11b-08e09842f786
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1353486
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/135f703ece7e14ce5dfb7feab1782013a1f555fc9d84b786d673d37ad9bc4708/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 19:53:31 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnpxapwopykm4xp3p7vlc6bacoq7kvp4twclpbwwopjxvwn4i4ea._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/231204-ylyn1seh6t/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Blocklisted process makes network request
Unpacked files
SH256 hash:
cd4cbf92ea784cac5f66251c77869dfe19de753107bf4dd49e24c5ef9041f547
MD5 hash:
19413b155189b0166e8a82331929ceea
SHA1 hash:
e0b414cdb79bcf38374d6c2f192ff309eb5f623b
Link:
https://www.unpac.me/results/f930cd8a-2ee6-4909-b860-6e8cc07da401/
SH256 hash:
135f703ece7e14ce5dfb7feab1782013a1f555fc9d84b786d673d37ad9bc4708
MD5 hash:
5620a20711658b05206dc49bdec81e9c
SHA1 hash:
48d41f648c6fc139c1d3a0264efa73f14e8212a4
Detections:
Gen_Base64_EXE
Create hunting rule
Link:
https://www.unpac.me/results/f930cd8a-2ee6-4909-b860-6e8cc07da401/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/135f703ece7e14ce5dfb7feab1782013a1f555fc9d84b786d673d37ad9bc4708

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PoshC2

Executable exe 135f703ece7e14ce5dfb7feab1782013a1f555fc9d84b786d673d37ad9bc4708

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2737502/
Cape
Cape
https://www.capesandbox.com/analysis/462445/

Comments


Avatar
zbet commented on 2023-12-04 19:52:30 UTC

url : hxxp://139.59.72.48:8000/Posh_v2_x64.dll