MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c5c35c34b7808d48cd428051263c39f70c7beb10a4e426d6e348d52c2cfe53a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c5c35c34b7808d48cd428051263c39f70c7beb10a4e426d6e348d52c2cfe53a
SHA3-384 hash: ab65b85650e64dd6fb9164d67ee6815a8ed88ae5c636d8f9d4e68a60bda67792e4a3cfa61c538d4209166d28907916d7
SHA1 hash: 11d5fec55996ae7c00193878e8267d53eafe8687
MD5 hash: 599b647ca2aad42a306d1ac389177c94
humanhash: cold-hamper-stairway-grey
File name:1.exe
Download: download sample
File size:52'224 bytes
First seen:2022-04-16 05:11:07 UTC
Last seen:2022-04-16 05:11:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:/cht0ChbvrNdOfTBt+J4+ChbvcWy1ryyAShyCQEyEg9pZ/HDwaFZqjcMY:52DJdte+8bvEWc1Qpp9pBlFZqjcMY
Threatray 7'301 similar samples on MalwareBazaar
TLSH T1EB33B624BEFA0029F0B26A3DCEE665A7C7ADA3932B03F716655123470E135C5CD821F9
TrID 32.1% (.SCR) Windows screen saver (13101/52/3)
25.8% (.EXE) Win64 Executable (generic) (10523/12/4)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
4.9% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter adm1n_usa32
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
chat.zip
Verdict:
Malicious activity
Analysis date:
2022-04-16 05:03:33 UTC
Tags:
trojan loader
Link:
https://app.any.run/tasks/24434309-4758-4a60-9508-4fdcc898d53e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264059/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop19.65496.8899.22079.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Searching for the window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/625a5023482f2f41caba09da/reports/48355d6d-a3bd-4177-9148-a2778ed35934/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36082438-aaad-452a-ac1e-0634e0fb9288
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/977602
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Sigma detected: Koadic Execution
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 610089 Sample: 1.exe Startdate: 16/04/2022 Architecture: WINDOWS Score: 80 38 Multi AV Scanner detection for submitted file 2->38 40 Machine Learning detection for sample 2->40 42 Sigma detected: Koadic Execution 2->42 7 1.exe 5 2->7         started        11 1.exe 2->11         started        process3 file4 26 C:\Users\user\AppData\Local\...\1.exe, PE32 7->26 dropped 28 C:\Users\user\...\1.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\AppData\Local\...\1.exe.log, ASCII 7->30 dropped 44 Self deletion via cmd delete 7->44 13 cmd.exe 1 7->13         started        signatures5 process6 signatures7 46 Uses schtasks.exe or at.exe to add and modify task schedules 13->46 48 Uses ping.exe to check the status of other devices and networks 13->48 16 1.exe 2 13->16         started        19 PING.EXE 1 13->19         started        22 conhost.exe 13->22         started        24 2 other processes 13->24 process8 dnsIp9 34 Multi AV Scanner detection for dropped file 16->34 36 Machine Learning detection for dropped file 16->36 32 127.0.0.1 unknown unknown 19->32 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c5c35c34b7808d48cd428051263c39f70c7beb10a4e426d6e348d52c2cfe53a/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2022-04-03 19:28:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04fff548a2cd1d270da29dce776527f4a110fe9f8cbd80a49a39c40c55a47202
1b520e4dea36830a94a0c4ff92568ff8a9f2fbe70a7cedc79e01cea5ba0145b0
3e5f6d4c95535ba760f122c2dee3374850bd5c0587ebdd3adde2f52ce11c856c
4403f7b906a99f50c9d42c8d24b03e9daf0afdc52814e067c931411e41f1c7eb
7010e15402dd81b0e1501490be034e92dc706ba28c38b6925dbd33e9ff45a5ad
ac4f54c754e6522cc5d4348a6c138718700ec82097225cae5b46a1eeffdfd094
e7767ba8bcff3242dd32f880cb59894c3ce5615a2557504db976803cd246354e
effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1
+ 7'291 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220416-fvt33sbgej/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
f1ed956acafa64eb8d7c19180a0447e8f1202d0145b3380af3e48ce5f6fb6be5
MD5 hash:
71e9a453f5922b046854b516138069e5
SHA1 hash:
37d49dae6a5925a1ee599b1defa6ccb0d2e917c1
Link:
https://www.unpac.me/results/6a8e62ce-4c3c-498f-b5f7-df2608128d2b/
SH256 hash:
6c5c35c34b7808d48cd428051263c39f70c7beb10a4e426d6e348d52c2cfe53a
MD5 hash:
599b647ca2aad42a306d1ac389177c94
SHA1 hash:
11d5fec55996ae7c00193878e8267d53eafe8687
Link:
https://www.unpac.me/results/6a8e62ce-4c3c-498f-b5f7-df2608128d2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c5c35c34b7808d48cd428051263c39f70c7beb10a4e426d6e348d52c2cfe53a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

zip d26f2e7bff9dc20de5089820c6412a4dcce98fafc38043d285498097786d8624

Executable exe 6c5c35c34b7808d48cd428051263c39f70c7beb10a4e426d6e348d52c2cfe53a

(this sample)

  
Dropped by
SHA256 d26f2e7bff9dc20de5089820c6412a4dcce98fafc38043d285498097786d8624
Cape
Cape
https://www.capesandbox.com/analysis/264059/

Comments