MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 237dfa3dc48e011134c0f69943c0e9e8f416f4fbe13ce4d9bd985bfca140a04b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 237dfa3dc48e011134c0f69943c0e9e8f416f4fbe13ce4d9bd985bfca140a04b
SHA3-384 hash: c6067b428ce901ee1c69b83936ba91d074b6b39172665ee35f5df54a0cf1636953d65e8da90ee8a5efb8ac5fe1935193
SHA1 hash: 2e208e134f404a064971a3ebd3422f06b3b3ff49
MD5 hash: 918aba6e295fce6d72c8f132b1aa5bc2
humanhash: seventeen-bluebird-august-mexico
File name:Cheese.exe
Download: download sample
File size:7'193'600 bytes
First seen:2022-12-05 15:21:01 UTC
Last seen:2022-12-05 16:35:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:OLKOqooBz1iwNGPWTwfgHJjYiZzMReSJExpRiK:OL6YwNGS5zMR7gpRT
Threatray 134 similar samples on MalwareBazaar
TLSH T12C7623DA20543388C859C838C532FC49B176560F4DE559EBB9CFBA847FBB590D98AF02
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Cheese.exe
Verdict:
No threats detected
Analysis date:
2022-12-05 15:30:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2c992e62-ca23-4b4a-a00f-311d34112a5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342984/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1202737.13458.1020.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638e0c6155eb3470cd4fd82b/reports/8e714f80-55c6-4ef8-994c-c68a9baa1944/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66f46f23-1c08-4ade-9389-d311159b1fc7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1128198
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses Windows timers to delay execution
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/237dfa3dc48e011134c0f69943c0e9e8f416f4fbe13ce4d9bd985bfca140a04b/
Threat name:
Win64.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-05 15:22:25 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
12
AV detection:
9 of 41 (21.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=en67upoeryarcnga62muhqhj5d2bn5h34e6ojwn5tbn7zikaubfq._file
Verdict:
unknown
Similar samples:
106f9f66c54be3c20be8f04ce63f5d6183d6eb9e79a6b243b5c820cc01ee24cb
27fc7bf4086ffad09feb291debd2bac6ca899d45dd3bc9816a3377e9324348b0
546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf
6378dda8047cccbf0228f9a7c92e6c1650255bbb4fbde0e20c05149f50518dc6
745a8ed362468f17a52c1b7f8b128250ce9c7d3949890166259e2e1ac3069e3e
7b858664b4283d8d0be155dc6bbe9f279e066b6cf2dd985eef95698e77333900
c1dad248279062c4c79245226d28fe8565bad5d652b0dae10ed81b310581e73d
c8d85cc6740894dd1333bfa06c37b334a4f341cefbd13ef8fa803732aa688c40
db2aa0c18078e1b88151524bd9a42092d6ad226867b128bf6b261084bc99698f
+ 124 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221205-srbtjsca85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
237dfa3dc48e011134c0f69943c0e9e8f416f4fbe13ce4d9bd985bfca140a04b
MD5 hash:
918aba6e295fce6d72c8f132b1aa5bc2
SHA1 hash:
2e208e134f404a064971a3ebd3422f06b3b3ff49
Link:
https://www.unpac.me/results/f046e775-26d0-4e31-9690-5be1299b2f37/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/237dfa3dc48e011134c0f69943c0e9e8f416f4fbe13ce4d9bd985bfca140a04b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/342984/

Comments