MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 643f398c1bac4d0c045e0c0a91eddb345a29e7830d87e573f4b975a0c7045f76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 8
| SHA256 hash: | 643f398c1bac4d0c045e0c0a91eddb345a29e7830d87e573f4b975a0c7045f76 |
|---|---|
| SHA3-384 hash: | 5239e6e74d852f6e5c6d0d12dd57f25f9d19acfce481c147391d84e0f8f27bca926b4525b9628426bb3d890b3cc5b9c4 |
| SHA1 hash: | 5a21454c8d28acd22b3896c62e06d6f96d0f4740 |
| MD5 hash: | b9a1f5890e6751e91fe23d135b9d34f8 |
| humanhash: | blue-south-asparagus-king |
| File name: | b9a1f5890e6751e91fe23d135b9d34f8 |
| Download: | download sample |
| File size: | 26'223'104 bytes |
| First seen: | 2022-07-31 01:10:21 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| ssdeep | 393216:e45ESt0nxwJ8j5QDGmzmJGjRKjJvcQj1c6/TKE01iD/XppSahBHJEQVwG:vEAswOj5cGm6GEJvcereESUX/Ql |
| TLSH | T157473313DDA8BA5DCDE2097C084878862F70ED5FFC77610FB8181AB869397790BC56A4 |
| TrID | 63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1) |
| File icon (PE): |  |
| dhash icon | aa73ccd4b4e071b6 (3 x XFilesStealer, 2 x CoinMiner, 2 x AsyncRAT) |
| Reporter |  zbetcheckin |
| Tags: | exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
421
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
80%
Tags:
packed
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Injuke
Status:
Malicious
First seen:
2022-07-31 01:11:50 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
11 of 26 (42.31%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.41
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
exe 643f398c1bac4d0c045e0c0a91eddb345a29e7830d87e573f4b975a0c7045f76
(this sample)
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://update.runespectral.com/mobsync.exe