MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 651d7c6201d1ae3bd43152d499f0fda0a99ab919fdea6c4291863cf9edc3f5c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 651d7c6201d1ae3bd43152d499f0fda0a99ab919fdea6c4291863cf9edc3f5c5
SHA3-384 hash: 8444959f0b7f85f5e83849a6d404864838d01514c8c1fd2adb24392cd3b847f46d916200d4f724daedefa13e538d9446
SHA1 hash: fa7f78ca4441054c9388c91763a4b93db948c9cf
MD5 hash: 84d5469bcfa4fa684c1e9ee94e0d3584
humanhash: cat-grey-oxygen-social
File name:84d5469bcfa4fa684c1e9ee94e0d3584
Download: download sample
File size:6'422'016 bytes
First seen:2021-12-29 03:29:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 98304:XHm3Z1YiV3dVkOD7E3NwBXa5EXhoF8Htyo/F4Slykc0Rl85:eQikOUw7RZyod4Slykc0P8
Threatray 23 similar samples on MalwareBazaar
TLSH T1D0567C43F85561ADE5EAD230CA7582927A317888173033D32F61F6BA2B63FD46E78351
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://62.182.159.91/GJsooa.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-29 00:16:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa95d57d-a050-4eb6-8dae-06552418452c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216761/
Detection(s):
Win.Trojan.Shelma-9895456-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3461/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shelma wacatac
Link:
https://www.filescan.io/uploads/61cbd66c4ab5c44cbf5594f2/reports/731d1b07-a2ac-407a-b9de-a696f5a90db1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6d9960b-bdd7-4409-86e7-9e242f56b611
Result
Threat name:
MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.expl
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/913662
Signature
Drops script or batch files to the startup folder
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Uses the Telegram API (likely for C&C communication)
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/651d7c6201d1ae3bd43152d499f0fda0a99ab919fdea6c4291863cf9edc3f5c5/
Threat name:
Win64.Trojan.WinGoClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-12-28 22:54:01 UTC
File Type:
PE+ (Exe)
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
4d3cf423de6f720602c72cf570b0746e2cafd32083ed77b73dd1efa36eb055a5
53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3
5cbea0c2d3f18aafe1c3ab60b3d670bcc47e4001f26c8923c3e4735e6964708c
664543a2800a9d4d0ebae4f742350251bb0df2a447a302032c1fe22c7c1e7398
6cc8e13f66166e615a847f9444a0258b0e7a01fb8e607c49c482b2b4d50cd829
d708ff93f30255df025e9335dd05fc2f9bd818cb0925d8889d95cb477cfc81f2
e0fb2a5d5d690e565b3430badf82d97a84b6c3e89dc1a56c53794831f5aa87fe
eb4ed5f6140aa6e26adf5408f9924e5263b9c0fa3b66cec699f7e50eb893537c
f56aae59105111fcd9421dcfcbea05f0415cc85b68223331cc4e9cfd2b0035dc
fd34a4448804a7805889f781c059be0320c9cfc62ee15350efdae10b6dda669a
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/211229-d2g1zsdafl/
Behaviour
Drops startup file
Unpacked files
SH256 hash:
651d7c6201d1ae3bd43152d499f0fda0a99ab919fdea6c4291863cf9edc3f5c5
MD5 hash:
84d5469bcfa4fa684c1e9ee94e0d3584
SHA1 hash:
fa7f78ca4441054c9388c91763a4b93db948c9cf
Link:
https://www.unpac.me/results/0eb16f1e-3fa9-41b3-94dc-70613421ca52/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/651d7c6201d1ae3bd43152d499f0fda0a99ab919fdea6c4291863cf9edc3f5c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 651d7c6201d1ae3bd43152d499f0fda0a99ab919fdea6c4291863cf9edc3f5c5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/216761/
  
URLhaus
https://urlhaus.abuse.ch/url/1930317/

Comments


Avatar
zbet commented on 2021-12-29 03:29:59 UTC

url : hxxp://62.182.159.91/GJsooa.exe