MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a84d6c38aa517a0d9de7061f11ebffb73f6580eabae4d7e3d6d888d3ac7a611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CustomerLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a84d6c38aa517a0d9de7061f11ebffb73f6580eabae4d7e3d6d888d3ac7a611
SHA3-384 hash: be3a4d4eb60db84cad13e088e27ce36aa19f84ae62b8a034f729cd80eafe2b2b44dd869bb71a90d63b1909cd2a1e136a
SHA1 hash: 09855f01b837fe3bffc0d38ddc713da070072f5f
MD5 hash: f7d1117ace1e63a2a3cf9d45cb94b9b5
humanhash: fifteen-rugby-uncle-carbon
File name:f7d1117ace1e63a2a3cf9d45cb94b9b5
Download: download sample
Signature CustomerLoader
Create hunting rule
File size:19'968 bytes
First seen:2023-07-18 06:16:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:Hm6GfkbfZO01twZeTSlxTSSifV/1Sczw/FZqcqTDV08KCTL6sy0iHog23t:HNq701+Ze2l0d/zzwv5qvVvlL1ynHo39
Threatray 59 similar samples on MalwareBazaar
TLSH T1BE924B447BA45123E77A16BFD9D32280077593173423EFABEFD8804949D2349AA92BF1
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:64 CustomerLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
94c41af04c919dfce0f09f0a5862f720.zip
Verdict:
Malicious activity
Analysis date:
2023-07-17 23:20:23 UTC
Tags:
loader
Link:
https://app.any.run/tasks/f8440b5c-86e6-406f-94fe-68ea9a44f977

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/423208/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68222557.29710.18835.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
Creating a service
Launching a service
Loading a system driver
Creating a file in the Windows subdirectories
Creating a file in the Windows directory
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun for a service
Blocking the User Account Control
Forced shutdown of a system process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64b62e5ff52c3e1a0149e7e6/reports/6d6837f6-96c2-42ae-8b84-7fd29b9e6913/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4a84d6c38aa517a0d9de7061f11ebffb73f6580eabae4d7e3d6d888d3ac7a611
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d187a4ba-53b7-408a-89be-06e314e6ae6a
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
99 / 100
Link:
https://www.joesandbox.com/analysis/1274865
Signature
Antivirus detection for URL or domain
Drops PE files with benign system names
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1274865 Sample: B8hdyZnnm4.exe Startdate: 18/07/2023 Architecture: WINDOWS Score: 99 69 Multi AV Scanner detection for domain / URL 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 6 other signatures 2->75 8 B8hdyZnnm4.exe 15 8 2->8         started        13 svchost.exe 3 2->13         started        15 svchost.exe 2->15         started        17 3 other processes 2->17 process3 dnsIp4 65 kyliansuperm92139124.shop 104.21.18.206, 443, 49719, 49720 CLOUDFLARENETUS United States 8->65 55 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 8->55 dropped 57 C:\Users\user\AppData\...\B8hdyZnnm4.exe.log, CSV 8->57 dropped 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->81 83 Drops PE files with benign system names 8->83 19 cmd.exe 1 8->19         started        21 cmd.exe 1 8->21         started        24 conhost.exe 8->24         started        85 System process connects to network (likely due to code injection or exploit) 13->85 87 Multi AV Scanner detection for dropped file 13->87 26 conhost.exe 13->26         started        67 172.67.183.88, 443, 49723 CLOUDFLARENETUS United States 15->67 59 C:\Windows\Temp\3divkidw.inf, Windows 15->59 dropped 28 conhost.exe 15->28         started        30 cmstp.exe 15->30         started        61 C:\Windows\Temp\o0qglxcf.inf, Windows 17->61 dropped 32 conhost.exe 17->32         started        34 cmstp.exe 17->34         started        36 conhost.exe 17->36         started        file5 signatures6 process7 signatures8 38 svchost.exe 4 19->38         started        43 conhost.exe 19->43         started        45 timeout.exe 1 19->45         started        77 Uses schtasks.exe or at.exe to add and modify task schedules 21->77 47 conhost.exe 21->47         started        49 schtasks.exe 1 21->49         started        process9 dnsIp10 63 kyliansuperm92139124.shop 38->63 53 C:\Zemana.sys, PE32+ 38->53 dropped 79 Sample is not signed and drops a device driver 38->79 51 conhost.exe 38->51         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a84d6c38aa517a0d9de7061f11ebffb73f6580eabae4d7e3d6d888d3ac7a611/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-17 06:54:17 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkcnnq4kuul2bwo6obq7chv77nz7mwaovoxe27r5nwei2owhuyiq._file
Verdict:
malicious
Similar samples:
06dc6394565b70ac8efd2cc98225cf3ec9b5f7711e036189b186340c591e4f67
CustomerLoader
0a0c50dbc5d0c9811bfd0552ddd075e0e1df2cf07049cc546e41f9bf08cb8290
CustomerLoader
37efec4c9df42e2a53f73a9923a8e9a1154a790dc5316ec875b5b7640f27d294
CustomerLoader
3956c21824bc18caca2523381ce3fa113e40d5e7f47bf2a05d65f2a1a27a3f1d
CustomerLoader
3e24e97aba6e7432395abc346ee3484b9dbadbe803a046a84ea41529d6ed8c89
CustomerLoader
4a4f33afe3086aa1962d92412fc2166c5e6b565087bbe20cc411dfc0e9ded6a0
CustomerLoader
4d9e0a28423515a1574837873cc75c3c495daebf2247e5353f9028d97ccf3fb6
CustomerLoader
a566a538d325ee3da4c86712b3cf4b305d35b2612e2112cfa8f76b511e036e06
CustomerLoader
be3324f0d5a2da5608acf864ed8eb35df95081915d10d8f8a81c302747dc7710
CustomerLoader
c12de4a53b633a610834e274d0d1abb8304f8e184694c6a777ab461fcd89c9ff
CustomerLoader
+ 49 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/230718-g1191shd4s/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
4a84d6c38aa517a0d9de7061f11ebffb73f6580eabae4d7e3d6d888d3ac7a611
MD5 hash:
f7d1117ace1e63a2a3cf9d45cb94b9b5
SHA1 hash:
09855f01b837fe3bffc0d38ddc713da070072f5f
Link:
https://www.unpac.me/results/2c29c7fc-6efa-4f91-bbaf-a434c1030386/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a84d6c38aa5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a84d6c38aa517a0d9de7061f11ebffb73f6580eabae4d7e3d6d888d3ac7a611

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CustomerLoader

Executable exe 4a84d6c38aa517a0d9de7061f11ebffb73f6580eabae4d7e3d6d888d3ac7a611

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2684912/
Cape
Cape
https://www.capesandbox.com/analysis/423208/

Comments


Avatar
zbet commented on 2023-07-18 06:16:56 UTC

url : hxxp://87.121.221.212/ohoyeczx.exe