MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bf8c9d0aecc3f364134783278f951da9017e5c7be35073f744ded5035bef142. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	7bf8c9d0aecc3f364134783278f951da9017e5c7be35073f744ded5035bef142
SHA3-384 hash:	1b16c061995a3c69c390799409ffee2514755bd2a5fa027a6c1c4f9e79c0046311d8dc32c1092840a01a702fde09b258
SHA1 hash:	28b0e5ac3f2677ff08b9e99eee2b8386070c56d9
MD5 hash:	667616c2ba4189c17c935708b0de5a6d
humanhash:	washington-double-black-romeo
File name:	667616c2ba4189c17c935708b0de5a6d.exe
Download:	download sample
File size:	541'184 bytes
First seen:	2022-06-05 08:08:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	220faf072f675cf5123d17f993daa33f (1 x Smoke Loader)
ssdeep	12288:sCwAFVxdu4htJr5RgP7IO+OSIy3Zqt8mnIeiCf2l6:V/Xu8tJdRgzISGqrIeiCfd
Threatray	65 similar samples on MalwareBazaar
TLSH	T133B4120173A1C077E27336301C7DC1F2BE2EB52253799C57636863BD2F6428166BA79A
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	5c599a3c60c3c850 (20 x RedLineStealer, 14 x Stop, 13 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

667616c2ba4189c17c935708b0de5a6d.exe

Verdict:

Malicious activity

Analysis date:

2022-06-05 08:45:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ac8e2c11-f339-49a0-ac11-0e2d59807249

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/276745/

Detection(s):

Win.Packed.Jaik-9951397-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending a custom TCP request

Rewriting of the hard drive's master boot record

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/629c64b8e6995f35700ec1a6/reports/e8447590-dc7a-4ddd-abc6-c5d48ff4729c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Pitou

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ba044ad2-4325-4406-915e-53581b68a3a2

Result

Threat name:

Unknown

Detection:

malicious

Classification:

expl.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1006881

Signature

Contains functionality to infect the boot sector

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7bf8c9d0aecc3f364134783278f951da9017e5c7be35073f744ded5035bef142/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-06-02 01:08:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pp4mtufozq7tmqjupazhr6kr3kibpzohxy2qop3ujxwvann66fba._file

Verdict:

malicious

2d1ce8037528ca32f3155729c0096ee9508a2df376f465a027a6c6dfba29bbd3

5ab2bd50c3c25890d4764206082ce96132b56cf2a84a576a102d52c364979cad

7488777dd491486b1aea7ec37b6131334f94bc3f90261d91f06a5156f0530232

770f8cd0cae0a7525234dfc5b25f21b90090513d3f80fa06e8c22107ca8bbe01

7e95736b12f455cd096c0eff4a9dfa5b4e3c8108c55464447868ba4351e91fbb

b1a3602f2628080fa758575fba82bf62fd7de058055a9491f9eac87fda31a2e5

cab31c58eec5fac87df0c7cf52df12ab43280e4e8b9ee50fcde4017689c976b3

f40a47af762b5f2270be9a10058551c5a134a2f22210422ab53481569e08ac00

fae0a0d40cb12f14a4eeaee7171c948688bed15ec8718de8c65834023ecac97f

+ 55 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

bootkit persistence

Link:

https://tria.ge/reports/220605-j15csaddcr/

Behaviour

Writes to the Master Boot Record (MBR)

Unpacked files

SH256 hash:

84e72630846de776f4fca099faca59500751e877ef1e9e0f4c9ff73292f44b43

MD5 hash:

ce5b0d18a6bba7f3c206ae567723968a

SHA1 hash:

71691165b0e385fa616e59fb1af3021d511b4db5

Link:

https://www.unpac.me/results/604e6a7d-8287-4782-8eee-85dc472155c9/

SH256 hash:

7bf8c9d0aecc3f364134783278f951da9017e5c7be35073f744ded5035bef142

MD5 hash:

667616c2ba4189c17c935708b0de5a6d

SHA1 hash:

28b0e5ac3f2677ff08b9e99eee2b8386070c56d9

Link:

https://www.unpac.me/results/604e6a7d-8287-4782-8eee-85dc472155c9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7bf8c9d0aecc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7bf8c9d0aecc3f364134783278f951da9017e5c7be35073f744ded5035bef142

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/276745/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample