MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16aca00a7788ed4eb578d6133048ed2490899accd8e30f083b64833e55799b93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	16aca00a7788ed4eb578d6133048ed2490899accd8e30f083b64833e55799b93
SHA3-384 hash:	06fcca9f9b3f5f745ebb54608a7cbd12096051b1da2c6cc3f359ebe63bb739677fa156c0326a7f22b14562cdb05c0333
SHA1 hash:	054d6c841902a80032ccc897f799ae56f486e5fa
MD5 hash:	73ac14c7e7501e4e78b8e036a097afd9
humanhash:	four-river-kitten-single
File name:	73ac14c7e7501e4e78b8e036a097afd9
Download:	download sample
File size:	32'581'632 bytes
First seen:	2022-07-15 02:45:31 UTC
Last seen:	2024-07-24 11:36:10 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	786432:XlRxG0PuX8NQ9ChjH6HMbiX2+UBk4uzfllasVS3:XlvPuMWDKk4uzPJS
Threatray	1'874 similar samples on MalwareBazaar
TLSH	T1DE67330F7121EA34F460CB713DE2BD2628129757E72511B1BDCE812E1C48B77F86A5AE
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	70c4cad696d6f871 (1 x zgRAT, 1 x XFilesStealer, 1 x CoinMiner)
Reporter	openctibr
Tags:	exe OpenCTI.BR Sandboxed

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

73ac14c7e7501e4e78b8e036a097afd9

Verdict:

No threats detected

Analysis date:

2022-07-15 03:00:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3635e7aa-0a8a-4d1b-8b5e-eac18e06c6a1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Creating a file

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62d0d52a8dab2096b99c3e17/reports/0272dcfb-662d-4498-a8a0-97a5b1034e25/overview

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1032306

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Creates an undocumented autostart registry key

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Downloader.PsDownload

Status:

Malicious

First seen:

2022-07-14 21:50:14 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c2wkactxrdwu5nly2yjtashnesiitgwm3drq6cb3msbt4vlztojq._file

Verdict:

malicious

0d0be8ecc5e7c7d3fb48665b5860aa8eb97d367f58af0de01e8bcff3861f4c52

200b12beed25783d323519d7b50cbe21ca6b27936885e0d834a04221d550f651

5761fb497a1d9409420b7df9729dd6be44daa1f0823ea5dc613ffe8c69812980

88a7a3b6ae293441b77cd0d062a012c8fd81992bcf5dbc0352b86fe045f8c92d

8c6738d722312ae8605ec433f036b0a06c0455b62d1731e55831603efffd28aa

9a6f02f80c19a8672c61f7d38da24cada4d39dbcd850bd057eba28036c95e20d

b7e2d2bd3c82baadf1eb87f332377a23ce5c8b87ece4a7d58699157c5a470f59

c7c7d3174d778b6ba5c42bc03fec75cf6dbf8a594823bc583ce3739d1598d50a

cd99bf443858cc86ff01771eac6c76af45446b0082bfb9545006857ab04e3af5

+ 1'864 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220715-c9by9sfhb9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/16aca00a7788/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/16aca00a7788ed4eb578d6133048ed2490899accd8e30f083b64833e55799b93

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 16aca00a7788ed4eb578d6133048ed2490899accd8e30f083b64833e55799b93

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2237324/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample