MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18a21f97bef3fd4c1b1c2c78f592da7b5cb8215cef1474ca9867696ea61cab67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18a21f97bef3fd4c1b1c2c78f592da7b5cb8215cef1474ca9867696ea61cab67
SHA3-384 hash: 7caec98a16fa20037f98f26b8f60cb485a9b15e47d64500e802426303bff945ca89d7147d2cf7529c87d37fc30c1efef
SHA1 hash: 955149baa21b6ca3ba8a7716cd0d00db1f4d0cd0
MD5 hash: e4836d25516a1658d3cbad157acaccb2
humanhash: solar-muppet-tennis-missouri
File name:1234.exe
Download: download sample
File size:696'320 bytes
First seen:2024-11-25 07:53:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f3cb3c76db5b3259b273eadead48638
ssdeep 6144:BY1WzX3HJXcGn4pp3y91RxPpWZw9B8hyThVO7uhYmemotM5sJLk1yafRQ8ugg2fm:BCUHJsxpp3yft9+cT9hXeXlWfR8LWc
TLSH T1F4E4AF06B5D2C0F6C668253014AA773AEA7A9E160B56CFC39794EE1C1D33162BD37339
TrID 31.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
23.7% (.EXE) InstallShield setup (43053/19/16)
17.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika pebin
File icon (PE):PE icon
dhash icon a261bae8d2a896ca (39 x Blackmoon, 9 x Gh0stRAT, 3 x CobaltStrike)
Reporter Joker
Tags:exe malware

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1234.exe
Verdict:
No threats detected
Analysis date:
2024-11-25 07:54:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8b60b546-631d-4356-a152-59b2d8d64ead

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67442d20b31374f098343745
Tags:
flystudio dropper virus worm
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
hook keylogger microsoft_visual_cc
Link:
https://www.filescan.io/uploads/67442d24fcae1d619b4eacb4/reports/07a3c5e6-f21d-4d89-baf5-6e9498cb0982/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/18a21f97bef3fd4c1b1c2c78f592da7b5cb8215cef1474ca9867696ea61cab67
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dc0994ed-7fbe-4532-a3e5-0e048351ae75
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1562139
Signature
AI detected suspicious sample
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/18a21f97bef3fd4c1b1c2c78f592da7b5cb8215cef1474ca9867696ea61cab67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18a21f97bef3fd4c1b1c2c78f592da7b5cb8215cef1474ca9867696ea61cab67/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-11-25 07:57:54 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dcrb7f566p6uygy4fr4plew2pnolqik454khjsuym5uw5jq4vntq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/241125-jrjdyssnej/
Behaviour
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/871a9e8e-ea1c-4533-9274-8159f2e07a99
Unpacked files
SH256 hash:
18a21f97bef3fd4c1b1c2c78f592da7b5cb8215cef1474ca9867696ea61cab67
MD5 hash:
e4836d25516a1658d3cbad157acaccb2
SHA1 hash:
955149baa21b6ca3ba8a7716cd0d00db1f4d0cd0
Link:
https://www.unpac.me/results/cc1aea5d-40db-4a4d-8966-0fb636f449fc/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hacktools_CN_Panda_andrew
Create hunting rule
Author:Florian Roth
Description:Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.dll::midiOutPrepareHeader
WINMM.dll::midiOutReset
WINMM.dll::midiOutUnprepareHeader
WINMM.dll::midiStreamClose
WINMM.dll::midiStreamOpen
WINMM.dll::midiStreamOut
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments