MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 746f678c60f4673efadda92d819466cc102cbeafe3b39dbddd165bb552779541. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Blackmoon


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 746f678c60f4673efadda92d819466cc102cbeafe3b39dbddd165bb552779541
SHA3-384 hash: 9e8a31efb3a32502b7204f0ad62f377d77e4e9fab540881f65f24f3566810025a54078a721776e88f2034483759da2f8
SHA1 hash: d1eba956562611dca3e3d91170afd682893ac30e
MD5 hash: 183764fe45b8035c133753dd7ee6f57d
humanhash: eleven-burger-high-steak
File name:746f678c60f4673efadda92d819466cc102cbeafe3b39dbddd165bb552779541
Download: download sample
Signature Blackmoon
Create hunting rule
File size:1'204'448 bytes
First seen:2022-03-15 12:20:48 UTC
Last seen:2022-03-15 13:51:23 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c7afa7e20fb91e016b2dc109aa3e9938 (1 x Blackmoon)
ssdeep 12288:pUc8O8Q/DaTTTfCqCTf4i26ev9RXRCNHfahKofB6o1KDUg5xdLErlCQmb7xSaw1f:ppl/GTfCvTfDO9yUg7ClN7oYhe2G5X2
Threatray 148 similar samples on MalwareBazaar
TLSH T1C0456C07759240B0C23FB639496BAB39FA7956270604CA477B3CDCD85F3245093B6FAA
File icon (PE):PE icon
dhash icon a261bae8d2a896ca (39 x Blackmoon, 9 x Gh0stRAT, 3 x CobaltStrike)
Reporter JAMESWT_WT
Tags:Blackmoon dll OWLNET LIMITED signed

Code Signing Certificate

Organisation:OWLNET LIMITED
Issuer:Sectigo Public Code Signing CA EV R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-06-02T00:00:00Z
Valid to:2022-06-02T23:59:59Z
Serial number: e99611f9b84df5cad385eba4b0c3b582
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 5b8a4af386e30391f0113bb5a116e70885c54b2524ea41a685fe279d09051dd7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250752/
Detection(s):
SecuriteInfo.com.Trojan.Win32.PSE.1THOGOA.10197.16846.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger overlay packed replace.exe
Link:
https://www.filescan.io/uploads/623084b70cd58dbd929e7268/reports/f403e754-cca8-4fe9-9d93-f513981628f5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KRBanker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3a0d2d7-0c33-4275-916b-5749f5edae51
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/956975
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 589455 Sample: Om7JOlYFin Startdate: 15/03/2022 Architecture: WINDOWS Score: 56 37 Multi AV Scanner detection for submitted file 2->37 39 Machine Learning detection for sample 2->39 41 Sigma detected: Suspicious Call by Ordinal 2->41 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        12 cmd.exe 1 8->12         started        14 rundll32.exe 8->14         started        16 5 other processes 8->16 process5 18 WerFault.exe 10->18         started        21 rundll32.exe 12->21         started        23 WerFault.exe 23 9 14->23         started        25 WerFault.exe 9 16->25         started        27 WerFault.exe 16->27         started        29 WerFault.exe 16->29         started        31 2 other processes 16->31 dnsIp6 35 192.168.2.1 unknown unknown 18->35 33 WerFault.exe 2 9 21->33         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/746f678c60f4673efadda92d819466cc102cbeafe3b39dbddd165bb552779541/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-01 16:11:40 UTC
File Type:
PE (Dll)
Extracted files:
50
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
10835966177c277d70fae42109ddacccea06ab0c576709e9a68ec768840882ae
Blackmoon
2e13c882d28c2236893a0a543e67c74a4f2e560d98c98b800f95c07938156a37
Blackmoon
37877d87fff1b903df41bdb21fb500b0371f72de500c6f6768aec4d76966de67
Blackmoon
435858766d123afb7afef259fca8564e883fffce4bdebe7da7b047f8030dfe4f
Blackmoon
678f39a7f5bc61c4c9a0f34a0fe44f49fea5349cd51f9c8808ee2b6602ff1d79
Blackmoon
7333ddf4a7e53eeda33a8360b307471358597aeff78f4a5a7f4610640f97bdc7
Blackmoon
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306
Blackmoon
795eaa68705bc7de86df67b899d98c9bf359e5173ed3a1544f1a721a0316fca6
Blackmoon
f4158e798cb1c425cd5c50250f7016e9acd26bae7373e46585907682f120c546
Blackmoon
+ 138 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220315-pjbl2abcg3/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
746f678c60f4673efadda92d819466cc102cbeafe3b39dbddd165bb552779541
MD5 hash:
183764fe45b8035c133753dd7ee6f57d
SHA1 hash:
d1eba956562611dca3e3d91170afd682893ac30e
Link:
https://www.unpac.me/results/db81e296-2cd7-4097-a4fa-b640e7f2bc57/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/746f678c60f4673efadda92d819466cc102cbeafe3b39dbddd165bb552779541

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/250752/

Comments