MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16ec7c6f7fd6c0cb73a1ed7820df47abde176fa39433d097cb13b6358565e2ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16ec7c6f7fd6c0cb73a1ed7820df47abde176fa39433d097cb13b6358565e2ed
SHA3-384 hash: ebc2a89b9261db5ee96953806b028647404dbede4ede587109c7fe4fc37da9f657eb23698f955c93a23a471e861e2df4
SHA1 hash: 9c0af499e00190ad62a7fa6c7790eadab0818acd
MD5 hash: d888e5127c788faa6409059553ce0c02
humanhash: football-glucose-uncle-purple
File name:d888e5127c788faa6409059553ce0c02
Download: download sample
File size:21'040 bytes
First seen:2021-11-17 16:16:35 UTC
Last seen:2021-11-17 20:20:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d9015199fc550f4d12cfbd6fab74e595
ssdeep 384:fHxWXtZ06raDJHirvJhnpwKNsfDGJt6pM:fRP66BwhcL
Threatray 440 similar samples on MalwareBazaar
TLSH T170924B552EB81FA2DE638EF032ECAC3B7DB1FB5236A9C467613180844A52B506D5D03F
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://iosoftware.org/Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-11-09 19:57:02 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/616a7430-329f-48d3-b599-3cc461260807

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31421.8156.17384.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
DNS request
Creating a process from a recently created file
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
clipbanker overlay packed
Link:
https://www.filescan.io/uploads/61952b004912a8c920a19532/reports/7dc879ba-d207-47e4-8df6-0c3c60abbc69/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83ef8f59-7886-4219-a48d-b8a2e00e9e5d
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/891333
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bypass UAC via Fodhelper.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 523807 Sample: zIrqr1ThI6 Startdate: 17/11/2021 Architecture: WINDOWS Score: 100 25 Found malware configuration 2->25 27 Antivirus / Scanner detection for submitted sample 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 2 other signatures 2->31 7 zIrqr1ThI6.exe 3 2->7         started        11 fodhelper.exe 2->11         started        process3 file4 21 C:\Users\user\AppData\...\fodhelper.exe, PE32 7->21 dropped 23 C:\Users\...\fodhelper.exe:Zone.Identifier, ASCII 7->23 dropped 33 Uses schtasks.exe or at.exe to add and modify task schedules 7->33 35 Contains functionality to compare user and computer (likely to detect sandboxes) 7->35 13 schtasks.exe 1 7->13         started        37 Antivirus detection for dropped file 11->37 39 Multi AV Scanner detection for dropped file 11->39 15 schtasks.exe 1 11->15         started        signatures5 process6 process7 17 conhost.exe 13->17         started        19 conhost.exe 15->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16ec7c6f7fd6c0cb73a1ed7820df47abde176fa39433d097cb13b6358565e2ed/
Threat name:
Win32.Trojan.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-11-12 21:24:28 UTC
AV detection:
27 of 45 (60.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
00c23828efd45ceba67fa28446d82b41f71acd12fdbdfe192bb39bea0fa498b0
331df11f37914f6198f16dd51527abfecd77ff93fd875970f16e92978047ec74
352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07
36d52200699e48e8e62638283b17c5eed4c1fa722274ebe1630db72e558945ca
383c048dffd121de5e20a8c4f70a76ed041c1bf3b43978de227c0e33da219c36
732c5357288217516cc3ab7d82ef7091076f313efa61596aaa88cd2ff43ee335
74adf1cf8e364c04ba4c5f3a953306130a675e1fc8a1c9b5df670a8c95e562d7
c5c0fbca778f53dc085d84ad3f038e4a20bce7add5f07012594194bc3bca522a
f3186b067fc1c31739f168a5a060baf5282b9d8a004b090596261ea9b8302e53
+ 430 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211117-trcxaaacap/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Executes dropped EXE
Unpacked files
SH256 hash:
16ec7c6f7fd6c0cb73a1ed7820df47abde176fa39433d097cb13b6358565e2ed
MD5 hash:
d888e5127c788faa6409059553ce0c02
SHA1 hash:
9c0af499e00190ad62a7fa6c7790eadab0818acd
Link:
https://www.unpac.me/results/5b0cf4b9-e662-4218-8a39-62642bcb3a02/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16ec7c6f7fd6c0cb73a1ed7820df47abde176fa39433d097cb13b6358565e2ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 16ec7c6f7fd6c0cb73a1ed7820df47abde176fa39433d097cb13b6358565e2ed

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1797736/
Cape
Cape
https://www.capesandbox.com/analysis/206937/

Comments


Avatar
zbet commented on 2021-11-17 16:16:36 UTC

url : hxxp://iosoftware.org/clip.exe