MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c9a1d531b4668ca41448d88ed0b3b0450814394bf347fceda48fee849960d79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c9a1d531b4668ca41448d88ed0b3b0450814394bf347fceda48fee849960d79
SHA3-384 hash: 4308dc2c840c9781a54bb4c62f179afca272423fc8fe742c27c9526cd7657a3b5bf8b4c625e55c01630f6b7f7de87eba
SHA1 hash: cf8405451adafddd03e0b25201212f2dda039943
MD5 hash: 9e3faf50d7f333bd6deca03c66c8c713
humanhash: island-tango-eighteen-dakota
File name:SecuriteInfo.com.W32.AIDetectNet.01.4744.2752
Download: download sample
File size:74'752 bytes
First seen:2022-05-15 17:37:36 UTC
Last seen:2022-05-15 18:36:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:S3bwTI5OVvvdY7b31lZgEem93R5LSrGh+ct:S3bBOVvVGb31f31R5Y6
Threatray 1'071 similar samples on MalwareBazaar
TLSH T1F773D3A6F2774005C4EAC97FFBF18180ED11B97C481DCA92D5486F9E1AAE16205F1EB3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 30b0eccaccece4e0 (3 x AgentTesla, 3 x RedLineStealer, 2 x BlackNET)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270793/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62813a860076642c594f3d9e/reports/8b2972af-61e3-4a92-8a79-ba9058573bf4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50a103f6-221e-4534-a747-554647a68cbe
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994364
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 626860 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 15/05/2022 Architecture: WINDOWS Score: 100 58 cargo.anondns.net 2->58 62 Snort IDS alert for network traffic 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 5 other signatures 2->68 9 SecuriteInfo.com.W32.AIDetectNet.01.4744.exe 15 7 2->9         started        signatures3 process4 dnsIp5 60 cargo.anondns.net 37.0.11.25, 49751, 49837, 80 WKD-ASIE Netherlands 9->60 52 C:\Users\user\AppData\...\rundll32.exe, PE32 9->52 dropped 54 C:\Users\...\rundll32.exe:Zone.Identifier, ASCII 9->54 dropped 56 SecuriteInfo.com.W...Net.01.4744.exe.log, ASCII 9->56 dropped 70 Creates an undocumented autostart registry key 9->70 72 Writes to foreign memory regions 9->72 74 Injects a PE file into a foreign processes 9->74 14 cmd.exe 1 9->14         started        16 cmd.exe 9->16         started        18 cmd.exe 9->18         started        20 19 other processes 9->20 file6 signatures7 process8 process9 22 timeout.exe 1 14->22         started        24 conhost.exe 14->24         started        26 conhost.exe 16->26         started        28 timeout.exe 16->28         started        30 timeout.exe 18->30         started        32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 20->36         started        38 28 other processes 20->38 process10 40 conhost.exe 22->40         started        42 timeout.exe 22->42         started        44 conhost.exe 26->44         started        46 timeout.exe 26->46         started        48 conhost.exe 30->48         started        50 timeout.exe 30->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c9a1d531b4668ca41448d88ed0b3b0450814394bf347fceda48fee849960d79/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2022-05-15 16:47:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
6797c9eb17e1ad3b41121bc80db0a97ae642bfca0874c8b7bd391507d2ca5540
6f0508408689f77795e27f5320115355744c6b7d02cf59197dae8646bc73f267
78ef012bfc38086561885872a68ec92227efa9c233265e68cdd13960a1a46e1d
848ce511daf9046ab1ab3bed080d5c20bdeb3fd0bebc016fc3af70b892ebb5c9
8b38234bb9f08443a05ab626ef0a38ccee43b302a81b8127cba39a39972b5eca
8cb67ee37e7ccd89e8263b6245a842004de8ca49dd5989a017deb110b00569e4
8f5d108dd7c8d13e63443215be9a8734b4ff548be201e28f4a990bf120eec2a6
a8f0d33be029935f8757107027728b6ca4a37c74beeb6c33c54d598d07f8490b
fa5eef3f5debfe02d170331e382f379de7ee1b144b0bf80763e5db59bf78fd50
+ 1'061 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion suricata
Link:
https://tria.ge/reports/220515-v7pfpafbf7/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops autorun.inf file
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Disables Task Manager via registry modification
Executes dropped EXE
Modifies Windows Firewall
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Unpacked files
SH256 hash:
4c9a1d531b4668ca41448d88ed0b3b0450814394bf347fceda48fee849960d79
MD5 hash:
9e3faf50d7f333bd6deca03c66c8c713
SHA1 hash:
cf8405451adafddd03e0b25201212f2dda039943
Link:
https://www.unpac.me/results/ed91c1f5-216b-4703-8022-b8157f088c53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/4c9a1d531b4668ca41448d88ed0b3b0450814394bf347fceda48fee849960d79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4c9a1d531b4668ca41448d88ed0b3b0450814394bf347fceda48fee849960d79

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2196049/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/270793/

Comments