MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bf634e0d7a0b311e08ad0d0d453628f4fd559bcdd4bf9f05744571bc0e0f885. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bf634e0d7a0b311e08ad0d0d453628f4fd559bcdd4bf9f05744571bc0e0f885
SHA3-384 hash: db35dadd005f98c0227e78bf9c9d49922cc190b49317617e2e4a0961afdae921142dbe231f3360410ec4d3fb30bcc7bf
SHA1 hash: 60fb9a9d10f80b7de491df753eb96c97d7f0cff3
MD5 hash: 9f26f723df0ce1ad3e928f983dffc61e
humanhash: mirror-ack-timing-alanine
File name:PsExec.exe
Download: download sample
File size:4'188'160 bytes
First seen:2024-01-13 05:46:37 UTC
Last seen:2024-01-13 05:46:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 49152:ynsHyjtk2MYC5GDyQBh/VoRYskNIXyjgYLriNw5mPPAy0ezYu6KD63AvHZ8ko:ynsmtk2aUhXMy81/PAyTznI3Av5s
Threatray 91 similar samples on MalwareBazaar
TLSH T14C16DF3132E50B34D5BB8B3958FAA024493ABE475E50E64E25FE394C8DB5343BE12673
TrID 81.9% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
7.0% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
5.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
1.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.2% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon f0f096b2b2cce4f0
Reporter adm1n_usa32
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
kelihos
Create hunting rule
ID:
1
File name:
New Text Document mod.exe
Verdict:
Malicious activity
Analysis date:
2023-12-26 02:39:02 UTC
Tags:
loader hausbomber opendir metasploit evasion kelihos trojan lumma stealer agenttesla risepro purplefox backdoor amadey botnet vodkagats dupzom servstart ransomware stop lokibot redline remote rat gh0st nanocore vidar systembc proxy arechclient2 gcleaner neoreklami formbook xloader spyware adware gh0stcringe
Link:
https://app.any.run/tasks/81e56de9-c38a-4905-aeae-eb15978a27be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470659/
Detection(s):
PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

Win.Trojan.Emotet-9850453-0
Create hunting rule

Win.Trojan.Generic-9936029-0
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Sending a UDP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd control darkkomet dropper emotet evasive fingerprint greyware hacktool hook keylogger lolbin lolbin macros macros-on-close macros-on-open optix packed packed phishing remote shell32 unsafe virus
Link:
https://www.filescan.io/uploads/65a223d759502c0e7b348f64/reports/450013fc-604e-49a5-a954-f103b2d182ea/overview
Verdict:
Malicious
Labled as:
Delf.NBX virus
Link:
https://www.hybrid-analysis.com/sample/7bf634e0d7a0b311e08ad0d0d453628f4fd559bcdd4bf9f05744571bc0e0f885
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69d168af-7584-4ee1-9f75-95e7be1ba263
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1374177
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1374177 Sample: PsExec.exe Startdate: 13/01/2024 Architecture: WINDOWS Score: 100 41 freedns.afraid.org 2->41 43 xred.mooo.com 2->43 45 4 other IPs or domains 2->45 57 Snort IDS alert for network traffic 2->57 59 Multi AV Scanner detection for domain / URL 2->59 61 Antivirus detection for URL or domain 2->61 65 11 other signatures 2->65 8 PsExec.exe 1 6 2->8         started        11 EXCEL.EXE 187 61 2->11         started        14 Synaptics.exe 2->14         started        signatures3 63 Uses dynamic DNS services 41->63 process4 dnsIp5 29 C:\Users\user\Desktop\._cache_PsExec.exe, PE32 8->29 dropped 31 C:\ProgramData\Synaptics\Synaptics.exe, PE32 8->31 dropped 33 C:\ProgramData\Synaptics\RCX1FE0.tmp, PE32 8->33 dropped 16 Synaptics.exe 508 8->16         started        21 ._cache_PsExec.exe 8->21         started        47 part-0012.t-0009.fbs1-t-msedge.net 13.107.219.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->47 23 splwow64.exe 1 11->23         started        file6 process7 dnsIp8 35 freedns.afraid.org 174.128.246.100 ST-BGPUS United States 16->35 37 docs.google.com 172.253.115.102 GOOGLEUS United States 16->37 39 drive.usercontent.google.com 172.253.62.132 GOOGLEUS United States 16->39 27 C:\Users\user\Documents\~$cache1, PE32 16->27 dropped 49 Antivirus detection for dropped file 16->49 51 Multi AV Scanner detection for dropped file 16->51 53 Drops PE files to the document folder of the user 16->53 55 Machine Learning detection for dropped file 16->55 25 WerFault.exe 19 16 21->25         started        file9 signatures10 process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7bf634e0d7a0b311e08ad0d0d453628f4fd559bcdd4bf9f05744571bc0e0f885
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7bf634e0d7a0b311e08ad0d0d453628f4fd559bcdd4bf9f05744571bc0e0f885/
Threat name:
Win32.Worm.Zorex
Create hunting rule
Status:
Malicious
First seen:
2023-11-26 18:29:19 UTC
File Type:
PE (Exe)
Extracted files:
229
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pp3djygxuczrdyek2diniu3cr5h5kwn43vf7t4cxirlrxqha7ccq._file
Verdict:
malicious
Similar samples:
1c0810c9351e73650066ce431603eb2b586f28ef39cedbe53103e2b3e727840b
1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180
23ad77a2be48a81e4460c894c41a35db18308a8f85eb841f5bf7ae99265f7310
23bfcda4b9ecb16e315c10b4281bc1a815b74fb45fea48f29a92fd31ea9a6315
8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f
9360554f2e28415c1060e32aed40757998e0b16db0905f4ae5e1d21676b00ec5
a5fb447c2992f48abd863452bcd6934032cf29bef1f0907bd9344a31a41e0edb
d3cf4b037c360479189571116894759683426af15cf85197f7e7dc9c180f7963
fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d
+ 81 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/240113-ggvywsdga2/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
6537ddf98dbca0c2c4af8bee6d88718a5c0f356c216fcf51161b0f8d4aaa8f37
MD5 hash:
926d339e662086d266a67130e6e2c67f
SHA1 hash:
174feb037b0976a9ae27799ff15408dfe06133a1
Link:
https://www.unpac.me/results/3833a160-a217-43c5-97b2-328452d0cb88/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/3833a160-a217-43c5-97b2-328452d0cb88/
SH256 hash:
7bf634e0d7a0b311e08ad0d0d453628f4fd559bcdd4bf9f05744571bc0e0f885
MD5 hash:
9f26f723df0ce1ad3e928f983dffc61e
SHA1 hash:
60fb9a9d10f80b7de491df753eb96c97d7f0cff3
Link:
https://www.unpac.me/results/3833a160-a217-43c5-97b2-328452d0cb88/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7bf634e0d7a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7bf634e0d7a0b311e08ad0d0d453628f4fd559bcdd4bf9f05744571bc0e0f885

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:D1S1Gv11betaD1N
Create hunting rule
Author:malware-lu
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7bf634e0d7a0b311e08ad0d0d453628f4fd559bcdd4bf9f05744571bc0e0f885

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2735334/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/470659/
  
URLhaus
https://urlhaus.abuse.ch/url/2748570/
  
URLhaus
https://urlhaus.abuse.ch/url/2748571/
  
URLhaus
https://urlhaus.abuse.ch/url/2748572/
  
URLhaus
https://urlhaus.abuse.ch/url/2748573/
  
URLhaus
https://urlhaus.abuse.ch/url/2748575/
  
URLhaus
https://urlhaus.abuse.ch/url/2748576/
  
URLhaus
https://urlhaus.abuse.ch/url/2748577/
  
URLhaus
https://urlhaus.abuse.ch/url/2748578/
  
URLhaus
https://urlhaus.abuse.ch/url/2748579/
  
URLhaus
https://urlhaus.abuse.ch/url/2748580/
  
URLhaus
https://urlhaus.abuse.ch/url/2748581/
  
URLhaus
https://urlhaus.abuse.ch/url/2748583/
  
URLhaus
https://urlhaus.abuse.ch/url/2748574/

Comments