MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff875c4fdfbf9f9644bc7ebc6c9532fc92e7bb9fa92aab2b1d3ecff09f9bb94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Renamer


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ff875c4fdfbf9f9644bc7ebc6c9532fc92e7bb9fa92aab2b1d3ecff09f9bb94
SHA3-384 hash: 5167952a69dbe6fda949ffe4a4a7ef917e61797f431885a80363bb8e591a5da12026df43dd6ef8ceeda55b6aa8e2c6c9
SHA1 hash: 3f0328d87d039bd1deedbc5b38ecb3586d212870
MD5 hash: c83fc1e4fee93c56039756fc17cc6179
humanhash: hydrogen-kentucky-golf-pennsylvania
File name:SHNB83.exe
Download: download sample
Signature Renamer
Create hunting rule
File size:567'296 bytes
First seen:2021-05-03 05:46:40 UTC
Last seen:2021-05-03 06:01:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 12288:a4QuCyrHlIRxd5LI4pzvFljMvw0uhAosClFZJYE:a4Q4FM5U4pzNljMvwqoVyE
Threatray 139 similar samples on MalwareBazaar
TLSH 0EC4234726B4562CE06A2FF3E0FB8A2F4B679F11687DD606FA71F58055B22CC48113B9
Reporter abuse_ch
Tags:exe Renamer

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148194/
Detection(s):
SecuriteInfo.com.ArtemisC83FC1E4FEE9.28382.27475.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a file
Creating a window
Launching a process
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Replacing executable files
Deleting a recently created file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Moving a system file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Moving of the original file
Enabling autorun by creating a file
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/707081
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402460 Sample: SHNB83.exe Startdate: 03/05/2021 Architecture: WINDOWS Score: 72 42 Antivirus detection for dropped file 2->42 44 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->44 8 SHNB83.exe 4 9 2->8         started        12 google.exe 2 2->12         started        14 google.exe 2->14         started        16 Paint.exe 2->16         started        process3 file4 36 C:\Users\user\AppData\Roaming\google.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\Temp\SHNB83.exe, PE32 8->38 dropped 40 C:\Users\user\...\SHNB83.exe:Zone.Identifier, ASCII 8->40 dropped 52 Writes to foreign memory regions 8->52 54 Injects a PE file into a foreign processes 8->54 18 SHNB83.exe 43 8->18         started        22 wscript.exe 1 8->22         started        signatures5 process6 file7 28 C:\Windows\SysWOW64\7za.exe, PE32 18->28 dropped 30 C:\Users\user\Desktop\SHNB83.exe, PE32 18->30 dropped 32 C:\Users\user\Desktop\RCX4ADC.tmp, PE32 18->32 dropped 34 21 other files (17 malicious) 18->34 dropped 46 Infects executable files (exe, dll, sys, html) 18->46 48 Wscript starts Powershell (via cmd or directly) 22->48 50 Adds a directory exclusion to Windows Defender 22->50 24 powershell.exe 24 22->24         started        signatures8 process9 process10 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ff875c4fdfbf9f9644bc7ebc6c9532fc92e7bb9fa92aab2b1d3ecff09f9bb94/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 05:47:12 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f74hlrh57p47szcly7v4nsktf7es465z7kjkvmvr2pwp6cpzxoka._file
Verdict:
unknown
Similar samples:
197ed80f0364dd0571eddbde8fb859b36c91771a1ff0f12ca69aa8a4503781d6
Renamer
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
Renamer
3f0fa5c8ebb2640afc948bfd5c8bb0ba644222b3bc15c095085d718843d59915
Renamer
469d8739956f308d50bc7e5243e6a8539ac94a16784a2d613b925f9a11d9804b
Renamer
89000d578eb0764d4abce8dcc33a4096a588afd75943d5803f428d5a60d140d3
Renamer
97a573fd680ef24fba3d6d7247f05e3425696b8077f4afda2279801f6d4a57d4
Renamer
9c6abdf1e5ff719e261ea153555b981cd907ba5f79f50943d679d59967eba445
Renamer
ad1e33b11bfc9e62d3694096c14296d5576db318d976dd2226e8c43645e153e9
Renamer
e295db3f673745f6e7a9de653c3e7648eadb10702144b2542bf699c607efb8b1
Renamer
e9573722d616d444c71e82f1ac6973921f3c942af4403760e0292b3ebf9159b0
Renamer
+ 129 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/210503-qq83wc7tqs/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Unpacked files
SH256 hash:
52bf8d56c782e7c6ec8c1dad4a35ea6d882aae654459941b59d89f4e318c4565
MD5 hash:
c5062c977536e621bd21f17edc3005f2
SHA1 hash:
83f3aa70ef09a55af203bce134c2aacc8ed935a3
Link:
https://www.unpac.me/results/4b0b7e0e-9c48-4766-b125-98fe9aa6952a/
SH256 hash:
8599c6584374743bf1941e9caa5874f97cff80fb10c247786ec67f6506791e26
MD5 hash:
c082c5661d0b89d7b3401bb3a75027c9
SHA1 hash:
832494657de4cc2f83ad192a9bba10d9095f489c
Link:
https://www.unpac.me/results/4b0b7e0e-9c48-4766-b125-98fe9aa6952a/
SH256 hash:
f5962c4679f8d689d5152b45e2d60efc664e59536959cca409881e5a3155d2d3
MD5 hash:
799af0066d34abae74c9b5ec46dd780e
SHA1 hash:
28c90488724fe0bd9b87389189a6a0a3b4a582fb
Link:
https://www.unpac.me/results/4b0b7e0e-9c48-4766-b125-98fe9aa6952a/
SH256 hash:
67be14d93573e1ff59e54b9f708e75a225b03802920a44e17a92a15b77a5d063
MD5 hash:
0b53dba1ab22464b29b3f7e23b0130f4
SHA1 hash:
2838ba67616816ababd7912f78152e30202071df
Link:
https://www.unpac.me/results/4b0b7e0e-9c48-4766-b125-98fe9aa6952a/
SH256 hash:
2ff875c4fdfbf9f9644bc7ebc6c9532fc92e7bb9fa92aab2b1d3ecff09f9bb94
MD5 hash:
c83fc1e4fee93c56039756fc17cc6179
SHA1 hash:
3f0328d87d039bd1deedbc5b38ecb3586d212870
Link:
https://www.unpac.me/results/4b0b7e0e-9c48-4766-b125-98fe9aa6952a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ff875c4fdfbf9f9644bc7ebc6c9532fc92e7bb9fa92aab2b1d3ecff09f9bb94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Renamer
Create hunting rule
Author:ditekSHen
Description:Detects Renamer/Tainp variants
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148194/

Comments