MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26731727d41900508417161ad19837020b51b2528c0b08ed4541d5c7ce1c6e65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Renamer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26731727d41900508417161ad19837020b51b2528c0b08ed4541d5c7ce1c6e65
SHA3-384 hash: 28d9e1fb7036a5c600534bd7312ae6681fa29327eebbcb44fc050d0b7f1488d9902b34109042d7cf495f34c45abf5470
SHA1 hash: 70d28e95b20ef0e59122d13c26c77d0679780a70
MD5 hash: 489fcce88e8e9b6707f37a84d1e47b6d
humanhash: wisconsin-twenty-table-south
File name:489fcce88e8e9b6707f37a84d1e47b6d.exe
Download: download sample
Signature Renamer
Create hunting rule
File size:905'777 bytes
First seen:2021-03-09 15:22:08 UTC
Last seen:2021-03-09 17:45:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:msR9BcbFiDKpeYVmOpjwcN2IFgJ6CU9nMHppkoZEjGaMJBiQVo:fvBMiD1YHMOFkpWMBlVo
Threatray 2 similar samples on MalwareBazaar
TLSH 901523537FC7203FD5C234390F926937C2B2EB1CAA9899C7D7546E99BD284C2DD12822
Reporter abuse_ch
Tags:exe Renamer

Intelligence

File Origin
# of uploads :
3
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
489fcce88e8e9b6707f37a84d1e47b6d.exe
Verdict:
Malicious activity
Analysis date:
2021-03-09 15:30:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e50ce514-e913-489f-ac75-03f366d7d780

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Renamer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123284/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.15978.23830.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Replacing executable files
Creating a file
Deleting a recently created file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Sending a UDP request
Enabling autorun by creating a file
Infecting executable files
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/633058
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-03-09 14:37:42 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
3f1d1e7c74f8b8e44a0c1cf334b339e2e6ccabc36982d0d2331af2ac121112c2
Renamer
97f2b9300d59e15e714210ace4500908122b8901a5d905e9d8d269819649f880
Renamer
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210309-995vbrrywj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Unpacked files
SH256 hash:
26731727d41900508417161ad19837020b51b2528c0b08ed4541d5c7ce1c6e65
MD5 hash:
489fcce88e8e9b6707f37a84d1e47b6d
SHA1 hash:
70d28e95b20ef0e59122d13c26c77d0679780a70
Link:
https://www.unpac.me/results/c6dfbe92-2d11-40ee-85e2-18e9d69d5e75/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26731727d41900508417161ad19837020b51b2528c0b08ed4541d5c7ce1c6e65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Renamer
Create hunting rule
Author:ditekSHen
Description:Detects Renamer/Tainp variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Renamer

Executable exe 26731727d41900508417161ad19837020b51b2528c0b08ed4541d5c7ce1c6e65

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1056772/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1056778/
Cape
Cape
https://www.capesandbox.com/analysis/123284/

Comments