MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1be7dbc6cf87a9dc2a28ecbcb928be5454bf94198c3e684ebc48407cd85c01db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	1be7dbc6cf87a9dc2a28ecbcb928be5454bf94198c3e684ebc48407cd85c01db
SHA3-384 hash:	3a0ae437d22722669d6b24c9ea9a2a7b919a5556e7a8daa0ae6d396d68909188e43a1cdfe59b607d9903ec4b4d0917de
SHA1 hash:	420525285a7b5bb92bc762fe4bec872fc64b4f61
MD5 hash:	10e0c53d15d2c80627b279e0e1ebb050
humanhash:	tennis-cold-west-music
File name:	KrabHacks.exe
Download:	download sample
File size:	16'498'688 bytes
First seen:	2024-04-30 00:25:11 UTC
Last seen:	2024-04-30 01:25:28 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	196608:PZXXg82nJ45/9iD54+V11bFv4z9ZXXg8i/vdJxDlWxYFATIObIT:Phw8S0hw8indnwxsUI
TLSH	T159F6E42CD901A727E2B7C274819E0A17F1A2851AF53D5F0E30CB5B693246A837E85FDD
TrID	41.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 32.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 9.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 5.9% (.EXE) Win64 Executable (generic) (10523/12/4) 2.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	0069cccce1696900
Reporter	bobross_malware2
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

324

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1be7dbc6cf87a9dc2a28ecbcb928be5454bf94198c3e684ebc48407cd85c01db.exe

Verdict:

Malicious activity

Analysis date:

2024-04-30 00:27:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/60be988b-ce49-4bf7-bfbe-566f45d963b7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/1be7dbc6cf87a9dc2a28ecbcb928be5454bf94198c3e684ebc48407cd85c01db

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/5ecfb1dd-8ff5-491c-94f2-1c6129dff408

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1433778

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

32%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/1be7dbc6cf87a9dc2a28ecbcb928be5454bf94198c3e684ebc48407cd85c01db

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1be7dbc6cf87a9dc2a28ecbcb928be5454bf94198c3e684ebc48407cd85c01db/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2021-12-19 02:13:13 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 38 (34.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dpt5xrwpq6u5ykri5s6lskf6krkl7fazrq7gqtv4jbahzwc4ahnq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240430-aq69yseg78/

Behaviour

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

97b775659cf4e5fe2ed01c511a26f019aea7faa076e758db3c41262d4d304866

MD5 hash:

e741d9cc56920b03693446f78fe2f11a

SHA1 hash:

f7919cfe4629504b62f8c7c765362e40992723d9

Link:

https://www.unpac.me/results/4f9c8d36-7d3e-4b55-a88b-b629a0bb9c94/

SH256 hash:

ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

MD5 hash:

43141e85e7c36e31b52b22ab94d5e574

SHA1 hash:

cfd7079a9b268d84b856dc668edbb9ab9ef35312

Link:

https://www.unpac.me/results/4f9c8d36-7d3e-4b55-a88b-b629a0bb9c94/

SH256 hash:

45cc9f5e541a6f9797895f61e973ebd4b1fae7de65f0d6501d148d5fd4121e88

MD5 hash:

268dc8558774f705dd50d4dffb348c1c

SHA1 hash:

beca7869c0632b4bad7b0042c3b4420fd885e7ca

Link:

https://www.unpac.me/results/4f9c8d36-7d3e-4b55-a88b-b629a0bb9c94/

SH256 hash:

90023014c746609b5094b528e07e94656067248b4452a8debc1d4eec3637fde4

MD5 hash:

fe256e0bb1a4f67c9788e342d44572d5

SHA1 hash:

15fd8114fb8c7a99ff9d998011333705fa6da5ed

Link:

https://www.unpac.me/results/4f9c8d36-7d3e-4b55-a88b-b629a0bb9c94/

SH256 hash:

4fad3872ebd478edc92558ec1bb68356e360ab34152bd8edad2ce18a36ccf7d4

MD5 hash:

c9fb5e4f947a42a2d8438cb643c04d34

SHA1 hash:

8af3c7d39dbdde49b2b1754a15159f8735ccbb01

Link:

https://www.unpac.me/results/4f9c8d36-7d3e-4b55-a88b-b629a0bb9c94/

SH256 hash:

3835e10c4fd61402dd8b6e5e69146c42310db1c04cbb1bb7b8b627fc263071d0

MD5 hash:

0129857631af9333d3a01a55200e8933

SHA1 hash:

64f9c6cb0f4c591bad2c33ecede2321b6d48fef3

Link:

https://www.unpac.me/results/4f9c8d36-7d3e-4b55-a88b-b629a0bb9c94/

SH256 hash:

b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

MD5 hash:

081d9558bbb7adce142da153b2d5577a

SHA1 hash:

7d0ad03fbda1c24f883116b940717e596073ae96

Link:

https://www.unpac.me/results/4f9c8d36-7d3e-4b55-a88b-b629a0bb9c94/

SH256 hash:

1be7dbc6cf87a9dc2a28ecbcb928be5454bf94198c3e684ebc48407cd85c01db

MD5 hash:

10e0c53d15d2c80627b279e0e1ebb050

SHA1 hash:

420525285a7b5bb92bc762fe4bec872fc64b4f61

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/4f9c8d36-7d3e-4b55-a88b-b629a0bb9c94/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1be7dbc6cf87/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1be7dbc6cf87a9dc2a28ecbcb928be5454bf94198c3e684ebc48407cd85c01db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaXor Create hunting rule
Author:	kevoreilly
Description:	AgentTesla xor-based config decoding

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETDLLMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample