MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f7c830708a1d20feeed99000dcad718e23183fb9e5a0ebd169d4e890ee19d65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f7c830708a1d20feeed99000dcad718e23183fb9e5a0ebd169d4e890ee19d65
SHA3-384 hash: 366f7264bf488cbd468e1679d2fb22390ce1b4f8a0adba8268703a2b20e3f24d1eab15efe980caabd4584a77859b9510
SHA1 hash: a35e711029e4385866a3c087c654a06fc6e43662
MD5 hash: d7558c648e32ca8af2b27680bb147e72
humanhash: oklahoma-montana-tennis-hawaii
File name:d7558c648e32ca8af2b27680bb147e72
Download: download sample
File size:65'536 bytes
First seen:2022-04-15 09:53:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:mj3/Eq6biGo2RrxHqznV5K2uwy8Tj/pGPz7m+2q/bN6aVafffffdY2LHZjWKKjW:g3/E/F1HanVk6Qz7m+2SbUaV/IHY
Threatray 3'238 similar samples on MalwareBazaar
TLSH T1E25350F48FF8B9A5E1142077B864B13C37D75D0EDC65583AEA9BF00A34629C260E5E1B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d7558c648e32ca8af2b27680bb147e72
Verdict:
Suspicious activity
Analysis date:
2022-04-15 09:56:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/61774b59-6f0d-4bbf-88f3-aec39ac4434a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263968/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39502471.23493.19193.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed vidar
Link:
https://www.filescan.io/uploads/625940baeab80a7a6c1b0e29/reports/38c2c455-d499-44f7-9f51-3989690a7b70/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f557bcf-1179-49fd-9a95-5a20226a4bed
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977365
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: File Created with System Process Name
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 609852 Sample: vKrtYWFxWA Startdate: 15/04/2022 Architecture: WINDOWS Score: 100 28 249.84.253.5.in-addr.arpa 2->28 30 220.240.8.0.in-addr.arpa 2->30 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for dropped file 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 6 other signatures 2->48 8 vKrtYWFxWA.exe 15 7 2->8         started        signatures3 process4 dnsIp5 32 calina-crack.store 176.31.60.250, 443, 49724 OVHFR France 8->32 34 192.168.2.1 unknown unknown 8->34 22 C:\Users\user\AppData\...\services.exe, PE32 8->22 dropped 24 C:\Users\...\services.exe:Zone.Identifier, ASCII 8->24 dropped 26 C:\Users\user\AppData\...\vKrtYWFxWA.exe.log, ASCII 8->26 dropped 50 Creates an undocumented autostart registry key 8->50 52 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->52 54 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->54 56 3 other signatures 8->56 13 vKrtYWFxWA.exe 2 8->13         started        16 cmd.exe 1 8->16         started        file6 signatures7 process8 dnsIp9 36 5.253.84.249, 3336, 49813, 49814 SAIBSA Cyprus 13->36 38 249.84.253.5.in-addr.arpa 13->38 40 220.240.8.0.in-addr.arpa 13->40 18 conhost.exe 16->18         started        20 timeout.exe 1 16->20         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f7c830708a1d20feeed99000dcad718e23183fb9e5a0ebd169d4e890ee19d65/
Threat name:
ByteCode-MSIL.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2022-04-15 09:54:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
05bd6e05fa5cba8cf94a0cfd567351cd15e2d873e9e6ae3a951175e21deddaf4
0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f
0ee1085fefee69e978fd79adf288a62b15c04e5f551fd6e7abde34daf1913ca1
1c4b300d1e06cc44916b721f7fb9ab566e463b1ccf318cdcf1ef8e28b33647b3
1c680ca848d97f43e8a73d323f694b0a6701f14af19ef0da1e99e7eac9af8a65
42287ac393c08dcdae7b2ee2c75dcce8cf0739dc5e8eff36e6da0eefc2388382
5f7f0576163208492f35624e57916b0a6ce9093d75ba32e57ac688435b5240ad
785771e54cd9bb3c949f9967c391d5bef6c09c3a25edabc396c188741ddd570c
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
c9aa37b14d02530c430923c6f758158f1116109efad42f3cbd2eb965aa1c3b1f
+ 3'228 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220415-lw7cpabdc5/
Unpacked files
SH256 hash:
2f7c830708a1d20feeed99000dcad718e23183fb9e5a0ebd169d4e890ee19d65
MD5 hash:
d7558c648e32ca8af2b27680bb147e72
SHA1 hash:
a35e711029e4385866a3c087c654a06fc6e43662
Link:
https://www.unpac.me/results/1b315f48-3c4a-42cc-8b88-dedab6e11f26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/2f7c830708a1d20feeed99000dcad718e23183fb9e5a0ebd169d4e890ee19d65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:t0_1
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2f7c830708a1d20feeed99000dcad718e23183fb9e5a0ebd169d4e890ee19d65

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2149119/
Cape
Cape
https://www.capesandbox.com/analysis/263968/

Comments


Avatar
zbet commented on 2022-04-15 09:53:59 UTC

url : hxxps://calina-crack.store/loader/uploads/services.exe?fileName=services.exe