MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 216c960ac6ef399e7ff33b18c03777237ced76d59ce0f8bb4d5f9a22e85b3bd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackGuard


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 216c960ac6ef399e7ff33b18c03777237ced76d59ce0f8bb4d5f9a22e85b3bd8
SHA3-384 hash: 0c76d6d8db39df056ce37dc1ef32f80a4d3e547f78862703e1c7abc530338531f249ccd65ce1dd97a70dbd297366985c
SHA1 hash: 7c237b720304f76362ea66f0d37ab502daf22b30
MD5 hash: f5ba22891326912d8f47c4fb5575d33b
humanhash: hotel-aspen-august-wyoming
File name:bilds.exe
Download: download sample
Signature BlackGuard
Create hunting rule
File size:643'072 bytes
First seen:2022-03-06 12:26:57 UTC
Last seen:2022-03-06 14:43:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:hA0LL6hD2x/HAWbR2zS4sisO1A83u2BSDoCqKcn:iq6uHAW92zt/sWu2BSMCqDn
Threatray 262 similar samples on MalwareBazaar
TLSH T167D47A0E25CD3504F379D67E53C6413D036372D2803B9E27E6BDAA578B832846F9279A
File icon (PE):PE icon
dhash icon 88aab2cccccc7170 (5 x BlackGuard)
Reporter 3xp0rtblog
Tags:BlackGuard exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
490
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247667/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.1643.15277.4526.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Searching for the window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Reading critical registry keys
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/496a6e6f-b6ae-403c-9409-30b7d5ca7153
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/951409
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/216c960ac6ef399e7ff33b18c03777237ced76d59ce0f8bb4d5f9a22e85b3bd8/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-03-06 01:38:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 42 (47.62%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
18db274624914ee6388bda20233db28307be4873bc053e05ad8f6761b217136f
BlackGuard
26ebf8a0830652c9ea0de64dc0dca6d62caffc0aaa34abf43e7c410095c502ce
BlackGuard
3c5a8e9820b549a70a353997bbce4fe16956dbab22dedde2f358f0f10930cf44
BlackGuard
52bd68ea60e7171ed2413cd5292b74ac9872928a1a723405fb73ad57419c5bc6
BlackGuard
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
BlackGuard
5ce632f1f10c96a7524bf384015c25681ef4771f09a6b86883a4da309d85452a
BlackGuard
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1
BlackGuard
76b90299713b5d4ffd3c92b2cd66b3de68148c3133f927dfa385b075fd00d5b1
BlackGuard
eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9
BlackGuard
f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d
BlackGuard
+ 252 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/220306-pmr37accak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
216c960ac6ef399e7ff33b18c03777237ced76d59ce0f8bb4d5f9a22e85b3bd8
MD5 hash:
f5ba22891326912d8f47c4fb5575d33b
SHA1 hash:
7c237b720304f76362ea66f0d37ab502daf22b30
Link:
https://www.unpac.me/results/3c72bce5-e084-40ff-868c-920431aa2e12/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/216c960ac6ef399e7ff33b18c03777237ced76d59ce0f8bb4d5f9a22e85b3bd8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/3xp0rtblog/status/1500119223812730884
Cape
Cape
https://www.capesandbox.com/analysis/247667/

Comments