MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6356a834e1bcd90c400db0d5672e52dc531dcae7a79bc2bc8a77da0f61139a3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6356a834e1bcd90c400db0d5672e52dc531dcae7a79bc2bc8a77da0f61139a3b
SHA3-384 hash: 32695c06ef4b28cca5d8f9b5ba0510c3ee5290f5325a1f7dcf7152f93a2eecf83b3cb417c345b8935537e41351ca8b32
SHA1 hash: 29fc85da3f0563e3e9e69ccfd8f64d26e775b89c
MD5 hash: c7d39b6c6e771ec9d3cdd77948f24a20
humanhash: carolina-violet-carolina-xray
File name:c7d39b6c6e771ec9d3cdd77948f24a20.exe
Download: download sample
File size:78'336 bytes
First seen:2022-09-29 10:41:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:i1Ea4GZjzQwK5WW7VCn6Ky3FAmu3wtBUniymYq07sZzSTskOzBqMj:i1Ne5BV0uUniyED8a
TLSH T130738D007B9479C9EC14DBF49C6AAB9A0365CF9855A283A839F0FE7F7B81854C804FD1
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f0c4824ccecef4f8 (7 x AsyncRAT, 5 x XWorm, 3 x Formbook)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314724/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6335767b49c58ce767c412d5/reports/52b5a58d-fc68-42cb-83e2-d68957cf0171/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf58467a-9c25-47a5-a5a4-8dffee8f0896
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1079950
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 712507 Sample: FFcK16xh4A.exe Startdate: 29/09/2022 Architecture: WINDOWS Score: 92 17 Snort IDS alert for network traffic 2->17 19 Multi AV Scanner detection for domain / URL 2->19 21 Antivirus detection for URL or domain 2->21 23 5 other signatures 2->23 7 FFcK16xh4A.exe 14 3 2->7         started        process3 dnsIp4 15 79.110.62.23, 49699, 80 LASOTELFR Germany 7->15 25 Encrypted powershell cmdline option found 7->25 11 powershell.exe 16 7->11         started        signatures5 process6 process7 13 conhost.exe 11->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6356a834e1bcd90c400db0d5672e52dc531dcae7a79bc2bc8a77da0f61139a3b/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-09-29 03:56:19 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
16
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mnlkqnhbxtmqyqanwdkwolss3rjr3sxhu6n4fpeko7na6yitti5q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220929-mrn6zsaec8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cfce68a6-f127-4b73-a8cc-ce619f128d85
Unpacked files
SH256 hash:
6356a834e1bcd90c400db0d5672e52dc531dcae7a79bc2bc8a77da0f61139a3b
MD5 hash:
c7d39b6c6e771ec9d3cdd77948f24a20
SHA1 hash:
29fc85da3f0563e3e9e69ccfd8f64d26e775b89c
Link:
https://www.unpac.me/results/a1d16a87-7ae0-4edd-ad13-11ae42015fb4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/6356a834e1bcd90c400db0d5672e52dc531dcae7a79bc2bc8a77da0f61139a3b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6356a834e1bcd90c400db0d5672e52dc531dcae7a79bc2bc8a77da0f61139a3b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2307201/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/314724/

Comments