MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 23 File information Comments

SHA256 hash:	27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3
SHA3-384 hash:	f2ee37dc2d487bb12c214c0d38a6b304dce280a85bbf79b1731062e097fc49d3abab5a729967f98cea011431637ff827
SHA1 hash:	770379ba563a9c8029cd800f95f65f302dd65953
MD5 hash:	5789e1dc3a51fe3457b26717c8f357e6
humanhash:	steak-chicken-india-charlie
File name:	5789e1dc3a51fe3457b26717c8f357e6.exe
Download:	download sample
File size:	15'473'500 bytes
First seen:	2024-09-25 07:05:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4b1892ce4fbcfcf064c6f69d693fc6a5 (10 x Rhadamanthys, 4 x AgentTesla, 3 x QuasarRAT)
ssdeep	196608:z66uJaZU4bQP8f4rsTGDjbuvLr4rhOkrrK3/gUJ+NajH4W8c1wB:2jaZgP8k7qrcOkrm3/gUJzH4tN
TLSH	T123F6BE02E3FD41A9E5BFC278C5674517EBB278451320EBDF11548A692F23BD0AE79322
TrID	72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 13.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.5% (.EXE) OS/2 Executable (generic) (2029/13) 2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

394

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5789e1dc3a51fe3457b26717c8f357e6.exe

Verdict:

No threats detected

Analysis date:

2024-09-25 07:32:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0355fd70-43ef-4c87-b27f-72ffb42c1c8a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.Malware-gen.12089.14541.UNOFFICIAL

Verdict:

Malicious

Score:

98.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66f3b6645346c7b922adf505

Tags:

Ransomware Shellcode Virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug dotnet fingerprint lolbin microsoft_visual_cc overlay remote

Link:

https://www.filescan.io/uploads/66f3b662dcb7aa64740f4566/reports/1fa91011-c2a9-45d6-804a-4b0175c681dc/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3

Result

Verdict:

UNKNOWN

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e553da76-67f5-4e08-9cc9-135f593add90

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1517952

Signature

Contains functionality to prevent local Windows debugging

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

73%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2024-09-25 01:01:18 UTC

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e4jd3g2ecnthmcs2ey6ntpq3ccon32aeuuwrmuht7end36iyhljq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240925-hw34gsvcqd/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9af19b9d-2bb3-4394-a41f-02de2ba11631

Unpacked files

SH256 hash:

1e539d0a1ef0b42bb9da91f6d556f065ae5be27dfa2ef5b59beaa13da80976a4

MD5 hash:

e33d7ce6fe9b299affe334a54ee2223a

SHA1 hash:

c5c920ebcfafb5c08dd65023180e4778945e5580

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

Parent samples :

27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3
78ae8557756c507246e95479083413f107ef872742ecc4811a51ebfd18d9d6ef
33c262d798f29d4c3c90ce86b614193646171093101582957d66d9c6a205133a

SH256 hash:

6a34507f17e9b212159152bac2847912e8dee24099ce6235a321f376de636ef7

MD5 hash:

0935c0bd8df98db3c4c18a333dc57352

SHA1 hash:

54d6545ee05adc34755a0df01e1d1d98cecd5848

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

f644c66563111eeded1af01791749518a99faf65a012e8073c2fbf6ffd533f3b

MD5 hash:

784de839a76711ef02b5ab2ff9b79346

SHA1 hash:

73162ae7f2db248c1de1abbc9283c7bd058ff376

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

3c7cdd5a187a1443668e97e2b2bde62d90d54579ec1cea1f3468b1bf397a7316

MD5 hash:

12241ff8b321c960feb2dacf00076d33

SHA1 hash:

e69dc1c76bf5bb60ea148ad9c91a0637932e0163

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

974309fbd7acc773a7c52fbeb4e364dfb080a6492a91cdb8dac9330a488db5da

MD5 hash:

344dba98276110198973406580cb1e7a

SHA1 hash:

fcf425c2bb26426091a15fdd488c02ab0bd1c199

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

Parent samples :

27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3
78ae8557756c507246e95479083413f107ef872742ecc4811a51ebfd18d9d6ef
33c262d798f29d4c3c90ce86b614193646171093101582957d66d9c6a205133a

SH256 hash:

8c621afc42176a983a2f289ac4a2e4665d78a92d9cc92759027f4f9a8f7de78e

MD5 hash:

e6bef20da837b4e95417ce8eec57a45c

SHA1 hash:

5c12eb7653f13c905505d4cd22c4e3ca4929edf7

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

f2a57171340a76403cf5d28ac0b60a67ae098e080e4d879ee71811fefb39420d

MD5 hash:

05c1510353e701d940daf92f95bd589e

SHA1 hash:

09ced31f0bb864f7d19952f90fdc4c385b273a0c

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

61350e7ee96e614900d641b4ecc3f35271aa2ba72c0455ae0d021e20c95f9a3e

MD5 hash:

05d4804e5ea5509e19a3388b46a363e2

SHA1 hash:

31ea1248542d2914fc76179e5731126dfccdbfa0

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

8b1eec4e32ab61e6fba30b6cf9cacb80e3df5d5976da279fd7fad43bde444077

MD5 hash:

288b5a6de9c1c43f3ceb1e5ed3b51556

SHA1 hash:

2144df57be757f3b22305cbce205ccc6ff60cc61

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

383de393ef2dfc1be6f6fd984f37512cd83a845adf86efd95f5cf4ea46777d12

MD5 hash:

da3798b59c9c779c623ad000ff46bfc6

SHA1 hash:

143d33d6d29b437f14442c6f1a52c67a81d72284

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

Parent samples :

27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3
78ae8557756c507246e95479083413f107ef872742ecc4811a51ebfd18d9d6ef
33c262d798f29d4c3c90ce86b614193646171093101582957d66d9c6a205133a

SH256 hash:

f9304bdf551371de451ec5509611138f2c9331f1b420258a1140aeab5bff371f

MD5 hash:

afd0f89d0ae827086e09b133e82cff78

SHA1 hash:

fd13b6adb3931ef551d53015e08042ae834f5899

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

b69b89e4e4a2c8485057cff5e299324a64845e533fb0b0d3aad8e2d99d3c95cf

MD5 hash:

c3f85fdf3db79b5cf4304d0173936744

SHA1 hash:

9fd0f729a1e9ce7e8b42a9be942303511d315af3

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

5ee0ddb388745c6d6cb4be41953696a5ff247c33d95516abecf374a88f09d54e

MD5 hash:

49334ddaefdbedfcfb94e17fb940bbd1

SHA1 hash:

24462ff4886bae560327e39430450d3a79d4ab3c

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

79ec8e92c2ceb8d7b8cebbaf85fba55abaaa2457de1374d6befaf4e3eaf130dc

MD5 hash:

884e238b20395657a7e044dfe53a94df

SHA1 hash:

8b045333174f8aa2a30557145c454c890eb393b4

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

9e62edc186460c56877e943e1d8ef64ff534320cae43a6a411df32565a4b6dc1

MD5 hash:

d9a31a286340c50eae527cbc5b73c64f

SHA1 hash:

24f6b51d4eb69abefa47c24b2811000c7b5e0ad5

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

Parent samples :

27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3
78ae8557756c507246e95479083413f107ef872742ecc4811a51ebfd18d9d6ef
33c262d798f29d4c3c90ce86b614193646171093101582957d66d9c6a205133a

SH256 hash:

576493991ef09acf03784796fa416e082569c01999e916c775e2b0a7e873953a

MD5 hash:

c4fa03f4a35302e7c4c0fb727b6942e8

SHA1 hash:

8fdf382312283f77058a6dc92de7e6fcba6bd72e

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

042799dc0298ccea0bf13c459f80e7758aab8394aa2c63ab519b4b7226b999fc

MD5 hash:

f09e3c2a099353aa924e8b80524a76f3

SHA1 hash:

7ccc27c192433881117c163f50e7c39994e76914

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

f58505b4a94913e511174710cd046c8d90fb8ba82ac0ee095b6aaea9daf4dadf

MD5 hash:

45a66987110957bd358b826ac11291b6

SHA1 hash:

5ad7573f424adc42644e50e0e7d32f46c76bc15e

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

621ab9f4e5f31a8723fdbde8d9079f8531682d31dab45eb99e7cebb8cba3dbe9

MD5 hash:

00f76589b8a860a4bebe2a594f0818f9

SHA1 hash:

badea99d5b3806996393f299086b348f7bf8d18c

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

Parent samples :

27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3
78ae8557756c507246e95479083413f107ef872742ecc4811a51ebfd18d9d6ef
33c262d798f29d4c3c90ce86b614193646171093101582957d66d9c6a205133a

SH256 hash:

b414e03f47102ac76be4b1e4c2feb4d0b1ef58cc58d25d2a2a5f5488e4d6e1cc

MD5 hash:

e94efe5898cf684e500795b1a04ba0fa

SHA1 hash:

feaa56ae634bda03c22518e72824969ee7bc8068

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

3648d3c9ca436ba81ed5cf6e2eeb3b08164925dd29529b864b87e07f12d81b0d

MD5 hash:

f45bb54b1467442fcf8ebdec7f290f37

SHA1 hash:

3fa403b1f469150c192bf51cf01f2a128abf3d32

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

efe64be1eb94f69530b27645d5b068e573cde3724f6999a7491ce228247bfa6b

MD5 hash:

89a8d55d0457be91fa1ff921b93c6ff8

SHA1 hash:

8dbac49680e174678ff04740c8fc006eb141b59b

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

fa2e4123a9a6a7e930c09e6355257ec6fe6e1e92407e66ddae94153834ca1985

MD5 hash:

b22d4aba097d92eb68b9c6c63a817750

SHA1 hash:

a31816d9a18b56c2ebeb27bb2dc4998e59bdc9dd

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

ada1c98468ee89c52ad36e4db7b8952ca8160722f6421c971b367e70deed7cf4

MD5 hash:

3c5d34817cf0d8a6f0e883a4713f8fe5

SHA1 hash:

d9a4a7386ba65687c68e2bc2e959a3987847b26a

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

8f36a184fa481a18692b7ffcc01d3fb593e7cd40c9244ac3a75f0f0fad4b0aad

MD5 hash:

1af7d15d8fd4aaaf161c3579d35965f6

SHA1 hash:

6d0878d4213ec5ec92b4a5a62dacf8947053cec6

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

c5eb6a094f3876454f32d4fa5e9ba07d16cd414e613b268e785a1ae21da0c385

MD5 hash:

9ac098314343e2dbd831f826b8585e2e

SHA1 hash:

ea7d4b56d8fc7691165b98bcae6926ccd279f7f9

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

0fb12f31f7f452badbaa96e8fe7c313a7aca7efc89810332058692730c646a18

MD5 hash:

c4601166f928760dc023cfd876cd006a

SHA1 hash:

0fbdd4cb3f3318ad14371e61c56cc746b25d9f68

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

SH256 hash:

27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3

MD5 hash:

5789e1dc3a51fe3457b26717c8f357e6

SHA1 hash:

770379ba563a9c8029cd800f95f65f302dd65953

Detections:

DOTNET_SingleFileHost_Bundled_App

Link:

https://www.unpac.me/results/5ef076ad-8ecb-4903-ad56-d64a033d0425/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_Malicious_VBScript_Base64 Create hunting rule
Author:	daniyyell
Description:	Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 27123d9b441366760a5a263cd9be1b109cdde804a52d1650f3f91a3df9183ad3

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3158325/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (FORCE_INTEGRITY)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::GetSidSubAuthorityCount ADVAPI32.dll::GetSidSubAuthority ADVAPI32.dll::RevertToSelf
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::SetKernelObjectSecurity
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken ADVAPI32.dll::SetThreadToken KERNEL32.dll::VirtualAllocExNuma KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::GetActiveProcessorGroupCount KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileMappingA KERNEL32.dll::CreateFileMappingW KERNEL32.dll::GetWindowsDirectoryW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegGetValueW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample