MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17bd06d66015b2a9ad9e9617aad0a05b102c45116de4226684dd160584e45200. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17bd06d66015b2a9ad9e9617aad0a05b102c45116de4226684dd160584e45200
SHA3-384 hash: 6e2b1f5b442541efe5dae792e48355d601b32566d4538a86f9121ed11a899d4442240d0bb17e4e158e06ea5a50ebff1a
SHA1 hash: 8d1356338ad54ef4adb4e853ca6b83e7e0a1a744
MD5 hash: b90aabccc3b95ec1996cff02163fc158
humanhash: berlin-diet-orange-leopard
File name:svchost.exe
Download: download sample
File size:5'428'736 bytes
First seen:2023-05-14 18:41:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (247 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:p0q/qlbR431ONNKxXKL1XZOmqAGkwMVjP1F7IzSt91U1ZjZKzJmr:V/qz4lONExXmJWAGkwMVr1KzS/1U7Z9r
Threatray 322 similar samples on MalwareBazaar
TLSH T17C4633F8467B0AB7B1B582BD732B0A4597CFA720E5CE542AEF65654BC73B3201D8410B
TrID 86.3% (.EXE) UPX compressed Win64 Executable (70117/5/12)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
2.4% (.EXE) Generic Win/DOS Executable (2002/3)
2.4% (.EXE) DOS Executable Generic (2000/1)
Reporter JaffaCakes118

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
GB GB
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/389827/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64764545.12151.898.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64612b99f571536d03115a4e/reports/8aa6e9ee-d355-4ade-99d9-396d1f081ef7/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/17bd06d66015b2a9ad9e9617aad0a05b102c45116de4226684dd160584e45200
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ed7f8844-acfd-4500-aed1-bf32de892d32
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1232930
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 865912 Sample: svchost.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 56 10 Antivirus / Scanner detection for submitted sample 2->10 12 Multi AV Scanner detection for submitted file 2->12 6 svchost.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17bd06d66015b2a9ad9e9617aad0a05b102c45116de4226684dd160584e45200/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-04 00:46:26 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
14 of 37 (37.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c66qnvtacwzktlm6syl2vufalmicyrirnxscezue3ulalbhekiaa._file
Verdict:
malicious
Similar samples:
32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67
3a7e260aec294903b08eb34f2b9a985bd38bd66a409bbb7e58bd8f4e5c3a7806
3e6ecd9dc9ec4d42be5fdca7c55931fa9f835f3f634ee9f707ed7b1a102e9f7d
449adac1f0940043f26ab1a8b91748360b4d7d9759108d3db6669edd758129cb
5dd943c56508689ccf31338d5b04b91176f29005cf98258f3a161fa01c7cf3a3
6f51dfbe6eaa68e7a99472be63f61b34e8305102c132668ccbcd3bdb4db9dfd0
b367760b3de8efbaceb0c71acb3fe5763e164e89ec88390adb5b5a2cc85467a9
d60dc6965f6d68a3e7c82d42e90bfda7ad3c5874d2c59a66df6212aef027b455
f03010566a3afad9d1096a527205b908ef3e7afd4735857a0f2d6708b0f73b25
+ 312 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/230514-xcnxsafd51/
Behaviour
UPX packed file
Unpacked files
SH256 hash:
069c55d8eab056726ef4d155fdb82a040f18ea68ba2567a58941c88e0357fb92
MD5 hash:
29bcd075ad03eb6680445c49ec27c834
SHA1 hash:
6ab38bf3c9afe0f3b9da65d09e98ae8eba9038e7
Link:
https://www.unpac.me/results/ab7f6703-9037-4317-9e4b-2ff846560890/
SH256 hash:
17bd06d66015b2a9ad9e9617aad0a05b102c45116de4226684dd160584e45200
MD5 hash:
b90aabccc3b95ec1996cff02163fc158
SHA1 hash:
8d1356338ad54ef4adb4e853ca6b83e7e0a1a744
Link:
https://www.unpac.me/results/ab7f6703-9037-4317-9e4b-2ff846560890/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.36
Link:
https://yomi.yoroi.company/submissions/17bd06d66015b2a9ad9e9617aad0a05b102c45116de4226684dd160584e45200

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/389827/

Comments