MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 537c39897b958509621a74ab5054dad32c098a3eb3b781bf3d6bd3ff7b79f2c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackShades


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 537c39897b958509621a74ab5054dad32c098a3eb3b781bf3d6bd3ff7b79f2c1
SHA3-384 hash: 956c5480a2e25c746d546f57d5f486cf6b07a8851d256892106ced13ef8445694e8a832bb3baaead01c332bf33e5eddb
SHA1 hash: f2f3bab5c5a91762533e42ea1540d95276533612
MD5 hash: 82ae20b6fa54bc351188387a16603df0
humanhash: yellow-oxygen-papa-football
File name:KDFHERBX.exe
Download: download sample
Signature BlackShades
Create hunting rule
File size:448'008 bytes
First seen:2023-12-20 06:26:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 22cb62e7fd0bc3bd42f99f6676b40340 (1 x BlackShades)
ssdeep 6144:vA9x5O5TLn9BHng5HaH/bNlNvdR1NvVejs9wmQ8XUvubg5:Sx5O5TTfgajhNxVejs9wmQ8XK2c
TLSH T159945D13BBE60A05E56D62712DD7CBF25773B8084F07868E22606B7E3D72E214D26B17
TrID 42.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
15.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
13.8% (.EXE) UPX compressed Win32 Executable (27066/9/6)
13.6% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
5.3% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter adm1n_usa32
Tags:BlackShades exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KDFHERBX.exe
Verdict:
Malicious activity
Analysis date:
2023-12-20 06:15:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/825c41f9-fbb9-4d51-b5bf-4f6eb6f31875

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BlackshadesRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468595/
Detection(s):
Win.Keylogger.Windef-7136116-0
Create hunting rule

Win.Malware.Vobfus-7647990-0
Create hunting rule

Win.Packed.Shakblades-9811684-0
Create hunting rule

Win.Worm.Vobfus-9982088-0
Create hunting rule

Win.Trojan.VBGeneric-6735884-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process with a hidden window
DNS request
Launching a process
Moving of the original file
Firewall traversal
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm blackshades explorer fingerprint hook lolbin overlay packed regsvr32 remote scar shell32
Link:
https://www.filescan.io/uploads/65828938439457868c05dfc9/reports/07a5828f-68f1-4fef-b985-9de4a1c38ce8/overview
Verdict:
Malicious
Labled as:
Trojan.Scar
Link:
https://www.hybrid-analysis.com/sample/537c39897b958509621a74ab5054dad32c098a3eb3b781bf3d6bd3ff7b79f2c1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/638db7c8-3c31-4058-9857-79dc85ace4cf
Result
Threat name:
Blackshades, Poisonivy
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1364925
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Yara detected Blackshades RAT
Yara detected Generic Dropper
Yara detected Poisonivy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1364925 Sample: KDFHERBX.exe Startdate: 20/12/2023 Architecture: WINDOWS Score: 100 40 apache.servebeer.com 2->40 42 0apache.servebeer.com 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for dropped file 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 6 other signatures 2->50 8 KDFHERBX.exe 2 2 2->8         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\bot-noip.exe, PE32 8->38 dropped 54 Moves itself to temp directory 8->54 56 Installs a global keyboard hook 8->56 12 cmd.exe 1 8->12         started        15 cmd.exe 1 8->15         started        17 cmd.exe 1 8->17         started        19 cmd.exe 8->19         started        signatures6 process7 signatures8 58 Uses cmd line tools excessively to alter registry or file data 12->58 21 reg.exe 1 1 12->21         started        24 conhost.exe 12->24         started        26 conhost.exe 15->26         started        28 reg.exe 1 15->28         started        30 conhost.exe 17->30         started        32 reg.exe 1 1 17->32         started        34 conhost.exe 19->34         started        36 reg.exe 1 19->36         started        process9 signatures10 52 Modifies the windows firewall 21->52
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/537c39897b958509621a74ab5054dad32c098a3eb3b781bf3d6bd3ff7b79f2c1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/537c39897b958509621a74ab5054dad32c098a3eb3b781bf3d6bd3ff7b79f2c1/
Threat name:
Win32.Worm.Shadesrat
Create hunting rule
Status:
Malicious
First seen:
2023-12-19 19:06:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 23 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kn6dtcl3swcqsyq2osvvavg22mwatcr6wo3ydpz5npj7663z6laq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion upx
Link:
https://tria.ge/reports/231220-g7rddsffcn/
Behaviour
Modifies registry key
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
UPX packed file
Modifies firewall policy service
Unpacked files
SH256 hash:
537c39897b958509621a74ab5054dad32c098a3eb3b781bf3d6bd3ff7b79f2c1
MD5 hash:
82ae20b6fa54bc351188387a16603df0
SHA1 hash:
f2f3bab5c5a91762533e42ea1540d95276533612
Detections:
win_blackshades_w0
Create hunting rule
win_blackshades_auto
Create hunting rule
MALWARE_Win_BlackshadesRAT
Create hunting rule
Link:
https://www.unpac.me/results/38e9057d-0f5a-472b-88b6-f81dc4bfd19e/
Malware family:
BlackShades
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/537c39897b95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/537c39897b958509621a74ab5054dad32c098a3eb3b781bf3d6bd3ff7b79f2c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Joe
Joe Sandbox
https://www.hybrid-analysis.com/sample/537c39897b958509621a74ab5054dad32c098a3eb3b781bf3d6bd3ff7b79f2c1
Cape
Cape
https://www.capesandbox.com/analysis/468595/

Comments