MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f7d9ca4731544fea8d56ad9b367f0b3018198376ab73c492f5345a83ee07106. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f7d9ca4731544fea8d56ad9b367f0b3018198376ab73c492f5345a83ee07106
SHA3-384 hash: 567791ec28be08e35a8f90e79b5e518542c761df643633de976bfbfac2244f3b163d16abfa957d2afaf64073261d2150
SHA1 hash: d59690981e34d2dd8cf506e9af0bc2b2cc29d1e9
MD5 hash: 35f84086a28cab573b90a5bfadc5a324
humanhash: winner-happy-may-east
File name:a8a79de8407a5c24d1d7d2df0bc32012
Download: download sample
File size:405'806 bytes
First seen:2020-11-17 15:23:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 890e522b31701e079a367b89393329e6 (25 x Formbook, 12 x AgentTesla, 8 x Loda)
ssdeep 12288:46Wq4aaE6KwyF5L0Y2D1PqLaVtQcrhPHoM:OthEVaPqLIT
Threatray 203 similar samples on MalwareBazaar
TLSH D88401C1F38CAD84E62026F200CE29B2C3696F766320933B601565E7A9AD1E3557F71F
Reporter seifreed

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.PSW.Banker6.BTQY.1690.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Deleting a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Changing the Windows explorer settings to hide files extension
Launching the process to create tasks for the scheduler
Enabling a "Do not show hidden files" option
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f7d9ca4731544fea8d56ad9b367f0b3018198376ab73c492f5345a83ee07106/
Threat name:
Win32.Trojan.Svhoder
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 15:29:48 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c958322a92b7ba746b44613adccedc2b0a246095f15a71f50fc8f5423909350
38e5fde6988bbf02467d7b59ba15a3dfbdaedfab4804c60cf3ae44db6b48a844
63e969ed05409bdcf1992ef0ad0fb143d76e808379a2070a372f77b490c83770
6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c
8a72a55d126b69bda2f37fd88050aeed02d97733f6777759b542db8a442435bc
9129967bfcf44c87ec6eb83a30f5500a5e453c76281b7ec3b0c1caa778377e08
b24cb4cd3db305d5451cb3c0d0e60fe578b1fd38aca4be6032fb0ce2f0b786b4
cfeca443205d577304ec09ae494c96556eb60d80bd9be772ffaeac389043bd92
f49e7d90e44091331a7858ff19947ab40d062a2e32bbff120b863c67118e0d83
+ 193 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence upx
Link:
https://tria.ge/reports/201117-3mdcmkzbrx/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
UPX packed file
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
6f7d9ca4731544fea8d56ad9b367f0b3018198376ab73c492f5345a83ee07106
MD5 hash:
35f84086a28cab573b90a5bfadc5a324
SHA1 hash:
d59690981e34d2dd8cf506e9af0bc2b2cc29d1e9
Link:
https://www.unpac.me/results/522c7c2e-4ec1-4314-a032-9a161fa36667/
SH256 hash:
2e7eba478f5ebcc252fc087ed6acd0adc53e561836ddb279a6eca6aa4ae2a5bd
MD5 hash:
52b511f0c75f6b83f490a1c7813db6f5
SHA1 hash:
a01e63c697e85f2ce7ab8ccfe91d69cbe09b4b53
Link:
https://www.unpac.me/results/522c7c2e-4ec1-4314-a032-9a161fa36667/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments