MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65209a1c9e0c0c1d5cfa80df4ff1ba6d1742e1b5ac8a4e32b38e49749c312cdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65209a1c9e0c0c1d5cfa80df4ff1ba6d1742e1b5ac8a4e32b38e49749c312cdd
SHA3-384 hash: 47522a95b147886970baf35dc4f1c727b50f3c9f97207d9f266536c7d60176c1203f592313aace8e487e2d40b107dc9f
SHA1 hash: 8203cfc6a8dc0ffae22167e0735a6e9169fe279d
MD5 hash: 145186629cf226ca987625b55ed9e9c7
humanhash: equal-mockingbird-hawaii-helium
File name:145186629cf226ca987625b55ed9e9c7
Download: download sample
File size:646'144 bytes
First seen:2022-07-21 06:47:53 UTC
Last seen:2022-07-22 10:17:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:6Lo/Jm2IhImMeg+gk4GEcMRwAciycSHKW3:6LwmZMz3GuRwAcK
Threatray 1'952 similar samples on MalwareBazaar
TLSH T100D439262F16D749C2C0F6F8AD226B84C5A1FC583DEACD31A2F1B62D49797C4506D82F
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 6cc8c8f8f0f0e8cc (2 x XFilesStealer, 2 x AsyncRAT)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293099/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50667837.3003.13945.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file
Creating a window
Enabling autorun
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62d8f721ef2b0e63a82c815e/reports/4604c0e3-835a-4986-9c4f-90c53e1daf51/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18421a2a-b8f0-4b85-882c-0a520b56849e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1038403
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65209a1c9e0c0c1d5cfa80df4ff1ba6d1742e1b5ac8a4e32b38e49749c312cdd/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2022-07-20 20:51:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=muqjuhe6bqgb2xh2qdpu74n2nulufynvvsfe4mvtrzexjhbrftoq._file
Verdict:
malicious
Similar samples:
206d7752554b21b549a155ec769043ffa29b6a9f5741b8c42ef9cf02f5238ec9
78bd069d6b2a1e617941b71b6953e0a8c792f49d3afbf3663610d60e280048fa
82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466
83a8442f2117669d14593780f08d70dce9ad99cfdf26b827cba2feacc856c49b
97261fee3b80f8396ae8c4c2522d7613b69b41644e5c8e03948aedf6778c3e42
9c069b3043b757ab5e67889b9f2820758ddb92823bf91678182d6386a16fd5ea
a3dab5e89517feaba18c29575d32c353518c326dc3acb4bebc7e43081cfeccc0
ce442fab80f616645429e47bededf88f2104476899a35952f70e1e31a21e734a
e16bcff77a3468fa10bf4d67fb5e6c7d8d19564320895acdff5e1aaef74b5cfc
ef5e11914dc0593327b1696d65668e32d8ef278310fb6913a74a54f992ef2b77
+ 1'942 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220721-hkrw3sdhdr/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/073c982b-fbc8-436c-a5c4-ee7aa0c21b60/
SH256 hash:
d423e3b9656ac104e8364289d978655a5df284db97db86fa70306cb15c82e261
MD5 hash:
f4dc1cd057d2e8e86195f03b8b522472
SHA1 hash:
595677d825b502b26d729bdd96f7bfca83364e3a
Link:
https://www.unpac.me/results/073c982b-fbc8-436c-a5c4-ee7aa0c21b60/
SH256 hash:
3cfffe63977c32644d4c76731c0963f4410ec7b78c6a18023e6e467cee7a9c92
MD5 hash:
7fa69ec8b4248ca74899597e9ae62f9a
SHA1 hash:
1c8a294e297e924faf3e9cdd5f304914a8826738
Link:
https://www.unpac.me/results/073c982b-fbc8-436c-a5c4-ee7aa0c21b60/
SH256 hash:
65209a1c9e0c0c1d5cfa80df4ff1ba6d1742e1b5ac8a4e32b38e49749c312cdd
MD5 hash:
145186629cf226ca987625b55ed9e9c7
SHA1 hash:
8203cfc6a8dc0ffae22167e0735a6e9169fe279d
Link:
https://www.unpac.me/results/073c982b-fbc8-436c-a5c4-ee7aa0c21b60/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/65209a1c9e0c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/65209a1c9e0c0c1d5cfa80df4ff1ba6d1742e1b5ac8a4e32b38e49749c312cdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 65209a1c9e0c0c1d5cfa80df4ff1ba6d1742e1b5ac8a4e32b38e49749c312cdd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2259600/
Cape
Cape
https://www.capesandbox.com/analysis/293099/

Comments


Avatar
zbet commented on 2022-07-21 06:47:55 UTC

url : hxxp://141.98.6.236/FreeApps/Dzodhr-FREE-3.exe