MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78d69d13a0b072d4f89ad34f4ef07d84917585a5b1d921fb011d8f650ffb88d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78d69d13a0b072d4f89ad34f4ef07d84917585a5b1d921fb011d8f650ffb88d4
SHA3-384 hash: 61de12b8d660f757afb11a6bd46f6504155accf06d309b78130d0903d02c876f913074ac5d814c6c8ddd4cce0033690a
SHA1 hash: 0f3b3f0f0a877d9f1ee410ab0a52bcbe0b64356d
MD5 hash: 3a662807345100a9670e710c8616d1b5
humanhash: music-river-lamp-hot
File name:clvb.pif
Download: download sample
File size:1'033'456 bytes
First seen:2021-06-25 15:03:19 UTC
Last seen:2021-07-02 15:47:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep 24576:1cneJVBvXAvwRJdwvZ5aXSSR0o6y2wr5DGR2:KenBvXA4DAZ5aXSSR0o6y2wF1
Threatray 255 similar samples on MalwareBazaar
TLSH 77252BD1BDC48CD0C5B3B2F0E96AE76247682C25954942CE1AF83D7A49744A3EE1B13F
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IM_EX0003561772_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-06-25 14:06:23 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/e9325e09-5d12-430f-a2a7-67dfc7845dc3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168345/
Detection(s):
SecuriteInfo.com.W32.Trojan2.QBKL.16209.27489.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f9a6d41-da9f-4056-95ff-8ee4b53849cd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/808190
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78d69d13a0b072d4f89ad34f4ef07d84917585a5b1d921fb011d8f650ffb88d4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-22 22:59:46 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
022a59ed972a0a93af024278929ae49d28e59382e620c283dd3b701f24a218d4
1c9ac73de149a9df1d58572db60bfa8824470f11c109ea55b91aada0d6c8a2a6
63df29d3fa84705de35251b66c3cf555ba225d9a2b064edbd566ccd1b3c59e07
9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
c0722d0e58ef57301d0883dcddf27c8eed901c9a01b186e6b400c48f7ff6a832
c70c58c4b0b01a5985e3b7820977acef3a6d78e653709dab84d47c06b5f1d43d
c8a4462c6b8f5d8728d5374adc98def5a5c38dd97d70a1c3859c876bfbe3fbd0
cbc2cd6401ee2dffa529cfac703476c24833eda31b951c8ab178b878f0247b38
ee9581098eb9fed674854c0f2579b5bfb17ae7788cdbb15abaa3c5af3af50ecc
f2597b91433ba86188dd0e53cf04d2c43d97f5231bc3077df18e75447f15c77c
+ 245 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210625-16cjf162an/
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Unpacked files
SH256 hash:
78d69d13a0b072d4f89ad34f4ef07d84917585a5b1d921fb011d8f650ffb88d4
MD5 hash:
3a662807345100a9670e710c8616d1b5
SHA1 hash:
0f3b3f0f0a877d9f1ee410ab0a52bcbe0b64356d
Link:
https://www.unpac.me/results/2ab15b6d-a815-44f9-8c0c-bdc67f607361/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78d69d13a0b072d4f89ad34f4ef07d84917585a5b1d921fb011d8f650ffb88d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

RemcosRAT

Executable exe c0503b9a911b674579a25005f552760d37b15e9246a8ccdae53d1e6001413611

Executable exe 78d69d13a0b072d4f89ad34f4ef07d84917585a5b1d921fb011d8f650ffb88d4

(this sample)

  
Dropped by
SHA256 c0503b9a911b674579a25005f552760d37b15e9246a8ccdae53d1e6001413611
Cape
Cape
https://www.capesandbox.com/analysis/168345/

Comments