MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 669c73d43ee10805a49260331dc5c2f278a84191b96c32ffe0ffc46365722b70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10

SHA256 hash: 669c73d43ee10805a49260331dc5c2f278a84191b96c32ffe0ffc46365722b70
SHA3-384 hash: be257509292633d7a112d947892f75b1dbac819685c9aa8010e548c3c194f31da787c43a6f297e8d549a9d1a83a14809
SHA1 hash: 9351faa1c8f801d2968ebbaeae05e359fcdffee1
MD5 hash: e6a85931fb96b1e3d8323f00eefeaca0
humanhash: mobile-mississippi-blue-white
File name: 6.18出入资金.exe
File size: 2'309'883 bytes
First seen: 2022-06-20 07:22:08 UTC
Last seen: 2022-06-26 10:36:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 24576:Y4nXubIQGyxbPV0db26TUlLJqvmuHqdnYaCXRXufwHL2ULl2dt8Syt92stT7Ykti:Yqe3f6i8g+XENaL3tT7YSi9Bl4NYwm
Threatray: 58 similar samples on MalwareBazaar
TLSH: T104B5E03FF268A53EC49A073249B39750587BBE64682A8C1F07F4350DDF765A01F3AA46
TrID:
  61.8% (.EXE) Inno Setup installer (109740/4/30)
  23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
  1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon: 74e0d4d4d4d4c4d4 (1 x Gh0stRAT)
Reporter: obfusor
Tags: exe Farfli RAT

Intelligence

File Origin
# of uploads: 3
# of downloads: 244
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Searching for many windows
Launching a process
Launching a tool to kill processes
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 80%
Tags: overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 60 / 100
Signature
Multi AV Scanner detection for submitted file
Obfuscated command line found
Uses known network protocols on non-standard ports
Uses runas.exe to run programs with evaluated privileges
Behaviour
Behavior Graph (ID 648602; sample 6.18#U51fa#U5165#U8d44#U91d1.exe, the sandbox's escaped form of the file name 6.18出入资金.exe; start date 20/06/2022; architecture WINDOWS; score 60). The graph image did not survive extraction; the information recoverable from it is listed below.

Signatures attached to the sample:
  Multi AV Scanner detection for submitted file
  Uses known network protocols on non-standard ports
  Uses runas.exe to run programs with evaluated privileges
  Obfuscated command line found (on 6.18#U51fa#U5165#U8d44#U91d1.exe)

Process tree, with dropped files and network contacts listed under the process that produced them:
  6.18#U51fa#U5165#U8d44#U91d1.exe
    dropped: C:\Users\...\6.18#U51fa#U5165#U8d44#U91d1.tmp (PE32)
    6.18#U51fa#U5165#U8d44#U91d1.tmp
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      dropped: C:\Users\Public\Documents\...\is-F4JHI.tmp (PE32)
      dropped: C:\Users\Public\Documents\...\com.exe (copy) (PE32)
      cmd.exe
        com.exe
          dropped: C:\Users\Public\Documents\...\cc_chrome.exe (PE32)
          dropped: C:\Users\Public\Documents\...\Sysinv.dll (PE32)
          dropped: C:\Users\Public\Documents\...behaviorgraphetinfo.dll (PE32; path garbled in the source)
          dropped: C:\Users\Public\Documents\...\AA_chrome.exe (PE32)
        conhost.exe
      AA_chrome.exe
        network: 27.124.3.138, 49769, 5002 (BCPL-SGBGPNETGlobalASNSG, Singapore)
      taskkill.exe
        conhost.exe
      cc_chrome.exe
  runas.exe
    cmd.exe
      dropped: C:\Users\Public\Documents\...\svchostr.exe (PE32)
      conhost.exe
    conhost.exe
  runas.exe
    cmd.exe
      conhost.exe
      reg.exe
    conhost.exe
  svchostr.exe
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2022-06-16 23:08:40 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files

SHA256 hash: c6ceab050f63d83b1a8fa69442552b0bd9aa1b397ca4331eb2b344112b0db7bb
MD5 hash: 3793708751f49777fc75a9329c5b33a0
SHA1 hash: bcb8707e8ff20830a587a4c76d9bbbef4b356d64

SHA256 hash: 1ab9282cc29acdd29380f518a4a2faf494650293370907b00ed620afb103c0f3
MD5 hash: 75a578b1c211d90ef9397d7cbc999a93
SHA1 hash: 4ca85e3ed3b8b6214a59edf827303630fb48158d

SHA256 hash: 7aa9fcc62463e3f6cd01b0e0e511fefb76aa0824c39210b48db848fc9c8b200e
MD5 hash: b6845b2d9e315fbd3f7c3620d092a445
SHA1 hash: c6b3981aa4dcac93d175b5884524e8ee09f1f2c4

SHA256 hash: fb17825493e45272ab0cc7d56875c14bc3e40dd171933b0aeb0b5ca5e0a6c986
MD5 hash: d8b04406778242948e3a78ec07d2b481
SHA1 hash: 4a1d0f5c171dec0429a02ed3af820e22b1b0a6f0

SHA256 hash: 4ab66f741bc31d36ad3e6c19c113ba60bc9460f63e455ddf7354caf5cac381fa
MD5 hash: 4b7b3e2303896650749fbde4b3e33911
SHA1 hash: 166c882e4c7616ecfa055ada1d461e6e13c15393

SHA256 hash: 76dc01c3d74360b4db9354117e2af031d58ee7c280628c6475d17291278f8397
MD5 hash: 12b48691385165839b1990e2c6a0bdea
SHA1 hash: ae9d35fcaaf32b8a2512c0e8236b5f19cf4cd724

SHA256 hash: 6102e4e860b2355ecb0200a6456a1c183cf8be4ba9684d733715939588bab6b5
MD5 hash: 8120dd99af69bf57b2b37e3ecc3236d2
SHA1 hash: 03409e5722be475831517a58a2f88f888ad37217

SHA256 hash: ff5e7fc037e872b082bf3f6e67464aac1db57e7f763f58d20f8e3048016defe0
MD5 hash: f4c40724bf65bbf36e907dc183a600b9
SHA1 hash: 219efbb90b90be427c68af0c31ccdc52ed18504b

SHA256 hash: 669c73d43ee10805a49260331dc5c2f278a84191b96c32ffe0ffc46365722b70 (the submitted sample itself)
MD5 hash: e6a85931fb96b1e3d8323f00eefeaca0
SHA1 hash: 9351faa1c8f801d2968ebbaeae05e359fcdffee1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CN_disclosed_20180208_Mal1
Author: Florian Roth
Description: Detects malware from disclosed CN malware set
Reference: https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name: CN_disclosed_20180208_Mal1_RID2F59
Author: Florian Roth
Description: Detects malware from disclosed CN malware set
Reference: https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author: ditekSHen
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_peb_parsing
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments