MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7460a16d8f3783a8c7c33474b0ec0cb972ed677b9c398f2822aaed253321adf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	7460a16d8f3783a8c7c33474b0ec0cb972ed677b9c398f2822aaed253321adf1
SHA3-384 hash:	792e749a433e9f7ff0eebd0a51b0bdeeedeeb68f2329eba368fe2e4aadffcd6f80cef4d45e0ab2cb0380f63fa4f8d2e2
SHA1 hash:	cca19e163b5c748a5c7a618dd7928a380c3158ee
MD5 hash:	72de5d3c0bc94b64089887c086bf4e42
humanhash:	football-pasta-maine-autumn
File name:	system.bin
Download:	download sample
File size:	2'694'066 bytes
First seen:	2022-09-27 13:19:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	49152:JbbRQcztU4OEAD94jK+m6x1W00k6ab2ehHfTAV:lRlztU4OEAx4jKRco
Threatray	94 similar samples on MalwareBazaar
TLSH	T1C0C55B043BF84F23E56AC7B2C1F1514657F0F82AF3A7DB6B6181677A0C12B516C522AB
TrID	53.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 12.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.6% (.SCR) Windows screen saver (13101/52/3) 7.7% (.EXE) Win64 Executable (generic) (10523/12/4) 4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	Anonymous
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

72de5d3c0bc94b64089887c086bf4e42.exe.vir

Verdict:

Suspicious activity

Analysis date:

2022-09-28 01:51:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e409a11d-53c2-45e1-b3b7-ad2cda9972b1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/313984/

Detection(s):

SecuriteInfo.com.BackDoor.QuasarNET.3.16143.16112.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a service

Searching for the window

Creating a window

Changing a file

DNS request

Creating a file

Searching for synchronization primitives

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm overlay packed

Link:

https://www.filescan.io/uploads/6332f88242e014ddbf5b922d/reports/6412353e-438f-4b81-a5a6-dff301ff6506/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e0a0f7d1-55ad-46f2-8ca4-251a32d84337

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1078694

Signature

Antivirus / Scanner detection for submitted sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7460a16d8f3783a8c7c33474b0ec0cb972ed677b9c398f2822aaed253321adf1/

Threat name:

ByteCode-MSIL.Backdoor.Crysan

Status:

Malicious

First seen:

2022-09-27 13:20:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 39 (43.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=orqkc3mpg6b2rr6dgr2lb3amxfzo2z33tq4y6kbcvlwskmzbvxyq._file

Verdict:

malicious

15718441b4ccf5eca76c2663a694d7387137eca50ac8ed9f3df909117ed3f922

287dcabb3e75f1731c4c0079b0791b94bab23a4801e82090fe7f74b1b151e19e

28d0ac2b1be7545097b6594c9fa467345214473dc91ea83b245735894e47cb61

58ed54c59f857cd80bcf4e49b164b812663ae6dce30c39dfde96e5fb69bd7e39

b9a1c2a5ed66d7d8acf7c41a44fd0534cecf86a8e673e389a4e5b01c79d29c36

cfba9dab9282455d194d30dad7eac6cfc5c8e5d6caf94d631ed2b01a86e3a97f

fd463d6ccf33883236cae97f301cfb62e9844a73c885d58f22ebcd3ecc18dcfe

+ 84 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220927-qk3ycadef2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Enumerates physical storage devices

Unpacked files

SH256 hash:

7460a16d8f3783a8c7c33474b0ec0cb972ed677b9c398f2822aaed253321adf1

MD5 hash:

72de5d3c0bc94b64089887c086bf4e42

SHA1 hash:

cca19e163b5c748a5c7a618dd7928a380c3158ee

Link:

https://www.unpac.me/results/c7778de7-e73d-47e3-9c0a-1b7193ca8a56/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7460a16d8f37/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7460a16d8f3783a8c7c33474b0ec0cb972ed677b9c398f2822aaed253321adf1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomwareTest2 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest3 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest6 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/313984/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample