MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c1a3f856770b5790c9ef4bcd307dcd694df9e8535f182077e77e7252207428e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c1a3f856770b5790c9ef4bcd307dcd694df9e8535f182077e77e7252207428e
SHA3-384 hash: 8774dbed1c616d2e19a19a61e6954bb35dc7b9e36fbf00dd52fe7f9a6ab87e465fe73dcdd9f9831a94804f6c2af15fee
SHA1 hash: eef614ee6ea76f2492fe990a356330c35254477e
MD5 hash: c71d38ddc0d2413b7a43f4d019515742
humanhash: earth-alpha-bakerloo-carpet
File name:c71d38ddc0d2413b7a43f4d019515742.exe
Download: download sample
File size:134'144 bytes
First seen:2022-10-06 11:22:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 86c2fa951a5bad1bfe79953b4dade53a
ssdeep 3072:be63D72iz7dn8AKUGgV2R1LGVvmAg0Fu12z5ZmfHQ+Sw:CtiWA8L1AOIz7mfHH
Threatray 4 similar samples on MalwareBazaar
TLSH T1CDD37B11B5E3C872D4B609711C64EBA59A3DF9314E609D7B37E40B3E0EB0281897B9B7
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317260/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm clipper flystudio greyware packed
Link:
https://www.filescan.io/uploads/633eba96d5955f6f49d5fc4c/reports/05fe8f92-6fdf-4406-94fc-98b60f1f3ff9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/157d1c85-b3ff-4dc3-94ac-8f7f881dcaa4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1085195
Signature
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c1a3f856770b5790c9ef4bcd307dcd694df9e8535f182077e77e7252207428e/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 21:51:36 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 40 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqnd7blhoc2xsde66s6ngb6422kn7hufgxyyeb36o7tskiqhikha._file
Verdict:
malicious
Similar samples:
14c63d1c8979ac3e55720fbfedd7f1f7fb68bbf16a2ca2882284817cf01ccd8f
4651c0d6a9e99dc06b67f48c65ed29df256b5729e5fe05823ee5f1d3049897ad
8880c50c5b835f082ffc1b49fd4f53cfd795103b17b60587d7765556df418f8f
Result
Malware family:
n/a
Score:
  6/10
Tags:
brand:microsoft persistence phishing
Link:
https://tria.ge/reports/221006-ng5awshddp/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Adds Run key to start application
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d669d051-94a0-480d-9a36-b90c4dd5f445
Unpacked files
SH256 hash:
4c1a3f856770b5790c9ef4bcd307dcd694df9e8535f182077e77e7252207428e
MD5 hash:
c71d38ddc0d2413b7a43f4d019515742
SHA1 hash:
eef614ee6ea76f2492fe990a356330c35254477e
Link:
https://www.unpac.me/results/ee8cbb0b-fa12-41ee-9230-05ec820ceb23/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c1a3f856770b5790c9ef4bcd307dcd694df9e8535f182077e77e7252207428e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4c1a3f856770b5790c9ef4bcd307dcd694df9e8535f182077e77e7252207428e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2350814/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/317260/

Comments