MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Supershell


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0
SHA3-384 hash: f7b01b4dfc4472f78530476012fbeeadd8cc8f6cb60b085314650d10f262a898eec04e9254e7b59d0589209c1cf34e54
SHA1 hash: d0215843c2f33624a45c9bd359903adfdb74b9a1
MD5 hash: 848de6895fc2b6a1415564d88ec10917
humanhash: sink-missouri-sweet-fix
File name:848de6895fc2b6a1415564d88ec10917.exe
Download: download sample
Signature Supershell
Create hunting rule
File size:5'939'200 bytes
First seen:2024-10-06 18:26:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (244 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:uDCZPZUmgjGXKXl5t9Fk6TXibjXOBswc6d81/IGOj1oUUL43BSx4iwnH6ZCpt+Zx:uDQOjG6XtjS+BvL8Ojul0HiLCpI
TLSH T15956332B91493D73D06A1678A3392C4DB952540DE3DCA734EBA2D9E673BC3A20DBD071
TrID 76.4% (.EXE) UPX compressed Win64 Executable (70117/5/12)
11.4% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.2% (.EXE) OS/2 Executable (generic) (2029/13)
2.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe Supershell

Intelligence

File Origin
# of uploads :
1
# of downloads :
366
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
svchost.exe
Verdict:
No threats detected
Analysis date:
2024-10-06 12:18:36 UTC
Tags:
upx
Link:
https://app.any.run/tasks/f9f6f796-50cd-4fd3-ad9c-d1b8a143297f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6702801bebeac9e68050f1a6
Tags:
powershell spawn virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
monero obfuscated packed packed packed upx
Link:
https://www.filescan.io/uploads/6702d676df01d257b681e58e/reports/ce530d0a-084e-4208-bc71-f19f538e0bef/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f340c68f-1eb0-488a-bae4-6426e9486b73
Result
Threat name:
Supershell
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1527159
Signature
AI detected suspicious sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses whoami command line tool to query computer and username
Yara detected Supershell
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1527159 Sample: wSIWW3vyrB.exe Startdate: 06/10/2024 Architecture: WINDOWS Score: 68 19 Multi AV Scanner detection for submitted file 2->19 21 Yara detected Supershell 2->21 23 Machine Learning detection for sample 2->23 25 AI detected suspicious sample 2->25 7 wSIWW3vyrB.exe 1 2->7         started        process3 dnsIp4 17 121.41.18.122, 3232, 49710 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 7->17 27 Uses whoami command line tool to query computer and username 7->27 11 whoami.exe 1 7->11         started        13 conhost.exe 7->13         started        signatures5 process6 process7 15 conhost.exe 11->15         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0/
Threat name:
Win64.Trojan.ShellcodeRunner
Create hunting rule
Status:
Malicious
First seen:
2024-10-06 12:18:38 UTC
File Type:
PE+ (Exe)
Extracted files:
9
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=omaberb2hx4rzc7qm6rrlgppkkizfyylfa3saa65u5rxwklg2wya._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
upx
Link:
https://tria.ge/reports/241006-w3qzdsshja/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
UPX packed file
Verdict:
Suspicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/1fc6bde6-3214-47ee-b49b-a6df50356f91
Unpacked files
SH256 hash:
936f611c2129600d35ab7aad45546a837f4f3a9ca7f673e5d66b48c313b9cd75
MD5 hash:
1cd271fbb5b1da3e6569aba939c99b10
SHA1 hash:
40863bf78e386da10020e519aeff65af70fb335a
Link:
https://www.unpac.me/results/3ff3bece-24d1-4913-a095-b8635f32e118/
SH256 hash:
05f00e6e3bb0dcb06f175c5f797c36ae0f029e6b87beaaf40643ac1956e67029
MD5 hash:
11ebd86c5886e3f17e5b325757eeae26
SHA1 hash:
922f64e14958c1e3cea2313332534033ff894431
Link:
https://www.unpac.me/results/3ff3bece-24d1-4913-a095-b8635f32e118/
SH256 hash:
730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0
MD5 hash:
848de6895fc2b6a1415564d88ec10917
SHA1 hash:
d0215843c2f33624a45c9bd359903adfdb74b9a1
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/3ff3bece-24d1-4913-a095-b8635f32e118/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Supershell

Executable exe 730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3216022/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments