MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d585ca9b0e2a491b53da4f83319544b95c858f07f906b108e2147e9ac55ed48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hive


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d585ca9b0e2a491b53da4f83319544b95c858f07f906b108e2147e9ac55ed48
SHA3-384 hash: a250cbe2a25b9e082db0adc42e0272ee0fefdde2842e94cfe03d0864a0b78866f0139856c8012dc3ad80ef079370aea3
SHA1 hash: 5978475edbbe43d3b97821ecb866adbba071d17c
MD5 hash: 4eb5eb52061cc8cf06e28e7eb20cd055
humanhash: oregon-triple-idaho-high
File name:spool.exe
Download: download sample
Signature Hive
Create hunting rule
File size:11'073'536 bytes
First seen:2022-08-13 08:58:59 UTC
Last seen:2022-08-13 09:34:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ff9f3a86709796c17211f9df12aae74d (4 x LummaStealer, 4 x Vidar, 2 x CobaltStrike)
ssdeep 98304:yTQK17uisWQXoE9h673L5c6wFTEXFFuYWCBuO/11N2:yTQGNd24ZX3o4tH2
Threatray 142 similar samples on MalwareBazaar
TLSH T1B6B64B43F85154E4C1AEE270C6669253BA307C884F3533D77B60FAB92B32BD46A7A354
gimphash 75c65961a29897121a00dd6973f185525cbb87d0e67515536001556f07165190
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter Anonymous
Tags:exe Hive


Avatar
Anonymous
1

Intelligence

File Origin
# of uploads :
2
# of downloads :
646
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
spool.exe
Verdict:
No threats detected
Analysis date:
2022-08-13 09:01:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/74528374-b351-4f7f-868b-399baf4aa300

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298413/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Tnega.MSR.7026.3200.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28873/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
golang virus
Link:
https://www.filescan.io/uploads/62f76850493dc2f89c969974/reports/91badd7b-f54d-46a8-974a-9e911308f00e/overview
Result
Verdict:
MALICIOUS
Malware family:
Charming Kitten
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7add3ed-bb73-4d18-bbd4-a37d5c5e196d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1050985
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 683495 Sample: spool.exe Startdate: 13/08/2022 Architecture: WINDOWS Score: 48 10 Multi AV Scanner detection for submitted file 2->10 6 spool.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d585ca9b0e2a491b53da4f83319544b95c858f07f906b108e2147e9ac55ed48/
Threat name:
Win64.Trojan.FastReverseProxy
Create hunting rule
Status:
Malicious
First seen:
2022-04-22 21:11:45 UTC
File Type:
PE+ (Exe)
AV detection:
13 of 25 (52.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nvmfzknq4ksjdnj5ut4dggkujok4qwhqp6igweeoefd6tlcv5vea._file
Verdict:
unknown
Similar samples:
08faab44c35e864b94c2170611741c22f5cf6f6f21ff88c7abb8baeb97496818
Hive
41b141e122bd86a5c4279094916564759cc342ae3b95fffd80af4b9676aa61b7
Hive
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
Hive
67e030c1c7dd08138eb1d6a12a4d652c4a304f22db556afce411c32a23bddf23
Hive
a945fd22e8f7272ce950721138fedb657dcfdd8447620a840c17688e3f9e0561
Hive
c97845d313a5b095a7a27706b14a105d3d6fc947f7ff24919a26c1b897fa8082
Hive
d7e79c2a5bc37f841e507770e28242740f3b2e076e45a4b5246ae0d1885692b8
Hive
f03010566a3afad9d1096a527205b908ef3e7afd4735857a0f2d6708b0f73b25
Hive
+ 132 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220813-kxp95aaec5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
6d585ca9b0e2a491b53da4f83319544b95c858f07f906b108e2147e9ac55ed48
MD5 hash:
4eb5eb52061cc8cf06e28e7eb20cd055
SHA1 hash:
5978475edbbe43d3b97821ecb866adbba071d17c
Link:
https://www.unpac.me/results/7b963d31-2c4c-4642-b9c1-5bc2b7405cf6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d585ca9b0e2a491b53da4f83319544b95c858f07f906b108e2147e9ac55ed48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298413/

Comments