MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78a2f84f683c6764f5efe5e083b538e944cdb645b2a0ed9ec968644f59aa460b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lucifer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78a2f84f683c6764f5efe5e083b538e944cdb645b2a0ed9ec968644f59aa460b
SHA3-384 hash: c1c4d39b9deda677b5d4a32f81f5b030f3389cf2bc6c50d30f5e0ce3484ef372b9dad18262c8a11c47a761f6635a9d08
SHA1 hash: 3e97fefef460224557d2ef8671a66b82dd63d021
MD5 hash: e2ca6f8e77cbaa4a7adf56242880a30c
humanhash: edward-wisconsin-bulldog-don
File name:file
Download: download sample
Signature Lucifer
Create hunting rule
File size:173'056 bytes
First seen:2023-05-22 14:08:41 UTC
Last seen:2023-07-11 15:10:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:/6TizBVEjB1904v70xbWlMjUUdIDfY+pn72VmUl4tIk6o9NbWNEqp01Zhi6Tiz:/6mzBjGKbS0cfPp25wNF71Zhi6mz
Threatray 5 similar samples on MalwareBazaar
TLSH T16D04AE20C281D2A5D5216A3AA517CA103A67ED7BAC61276F35CCBB1F3F73311D12397A
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2b89692b696e2e0 (1 x Lucifer, 1 x BlackGuard)
Reporter jstrosch
Tags:.NET exe Lucifer MSIL

Intelligence

File Origin
# of uploads :
3
# of downloads :
349
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-22 14:11:45 UTC
Tags:
opendir loader evasion blackguard stealer
Link:
https://app.any.run/tasks/d7022c2d-cf2e-498a-950f-31875ae9dda6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.TR.Downloader.Gen9.2490.20974.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% directory
Sending a custom TCP request
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Stealing user critical data
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint hacktool lolbin overlay packed packed
Link:
https://www.filescan.io/uploads/646b77811b5076dcd91d467f/reports/c3fc21a0-43ca-45ec-9e43-468c2116ba5b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/78a2f84f683c6764f5efe5e083b538e944cdb645b2a0ed9ec968644f59aa460b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0c38299-ffbc-4afc-957d-d1c1c4ac544b
Result
Threat name:
BlackGuard
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1239708
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to hide user accounts
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Yara detected BlackGuard
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 872708 Sample: file.exe Startdate: 22/05/2023 Architecture: WINDOWS Score: 100 36 ipwhois.app 2->36 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 7 other signatures 2->58 10 file.exe 14 5 2->10         started        14 iexplorer.exe 2 2->14         started        16 iexplorer.exe 2->16         started        signatures3 process4 dnsIp5 42 94.142.138.111, 49684, 49685, 49689 IHOR-ASRU Russian Federation 10->42 32 C:\Users\user\AppData\Local\...\iexplorer.exe, PE32 10->32 dropped 34 C:\Users\user\AppData\Local\...\file.exe.log, CSV 10->34 dropped 18 iexplorer.exe 17 57 10->18         started        44 ipwhois.app 14->44 46 ip-api.com 14->46 48 ipwhois.app 16->48 50 ip-api.com 16->50 file6 process7 dnsIp8 38 ip-api.com 208.95.112.1, 49687, 49692, 49694 TUT-ASUS United States 18->38 40 ipwhois.app 195.201.57.90, 49686, 49691, 49693 HETZNER-ASDE Germany 18->40 30 C:\Users\user\AppData\Local\...\Cookies, SQLite 18->30 dropped 60 Multi AV Scanner detection for dropped file 18->60 62 May check the online IP address of the machine 18->62 64 Machine Learning detection for dropped file 18->64 66 3 other signatures 18->66 23 fodhelper.exe 12 18->23         started        file9 signatures10 process11 signatures12 68 Adds a directory exclusion to Windows Defender 23->68 26 powershell.exe 23 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78a2f84f683c6764f5efe5e083b538e944cdb645b2a0ed9ec968644f59aa460b/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-22 14:09:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pcrpqt3ihrtwj5pp4xqihnjy5fcm3nsfwkqo3hwjnbse6wnkiyfq._file
Verdict:
malicious
Similar samples:
04fb545df05912be1228df1958e6e60ffbc745ce3377162117b0ee59bb18a6b2
Lucifer
05596cac3448ed1d0e132c96bd45f02769e08932d4e60be4c918fea9d1064ef7
Lucifer
1e87d783cb17eab0293003d2ce44e350871dc86b19fdfea21a4457d0c01b2dcf
Lucifer
c5a45793d7c361f18d36c190b86c951bf0e7a01ad52132c7e9e9d4101eff73aa
Lucifer
eb405e175ae16fd8877aa87ffdb39f0d4f41cf7c77351708d84f44dd790c35d2
Lucifer
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection evasion persistence spyware stealer upx
Link:
https://tria.ge/reports/230522-rf5f2sgh75/
Behaviour
GoLang User-Agent
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Drops autorun.inf file
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Modifies WinLogon
Allows Network login with blank passwords
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Downloads MZ/PE file
Modifies Windows Firewall
Sets DLL path for service in the registry
Sets file to hidden
Grants admin privileges
Unpacked files
SH256 hash:
78a2f84f683c6764f5efe5e083b538e944cdb645b2a0ed9ec968644f59aa460b
MD5 hash:
e2ca6f8e77cbaa4a7adf56242880a30c
SHA1 hash:
3e97fefef460224557d2ef8671a66b82dd63d021
Link:
https://www.unpac.me/results/62072bce-a5e1-4e33-8d9d-7a55e3870ad8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/78a2f84f683c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78a2f84f683c6764f5efe5e083b538e944cdb645b2a0ed9ec968644f59aa460b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Lucifer

Executable exe 78a2f84f683c6764f5efe5e083b538e944cdb645b2a0ed9ec968644f59aa460b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2639138/

Comments