MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cadda6850c04813046afddaea278ff58b38dc49bc8e10f121560580c9eae27a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CustomerLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7cadda6850c04813046afddaea278ff58b38dc49bc8e10f121560580c9eae27a
SHA3-384 hash: b82d8a7745dd192d635899cce1c2ed36a0eea01d31d64cb405d23a8d5e08c2a7c8835b6c1fb78e9c0ec59a18c3483fe0
SHA1 hash: 9fbe855f5a322c4848ed6f0d02a0b7e7be3d52dd
MD5 hash: cbda8cb8fd16a2172972e8fa81cc11a8
humanhash: oscar-zebra-william-floor
File name:QUOTATION_JUL7FIBA00541·PDF.scr
Download: download sample
Signature CustomerLoader
Create hunting rule
File size:78'848 bytes
First seen:2023-07-17 13:03:17 UTC
Last seen:2023-07-18 07:03:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:N5wInQOcC+rhr+KoYlU88VGzm2v9cbpAQlTlBcUu1Vm1fR4:PwRrA88VGl9YpAQlTlBAC1fR4
Threatray 5 similar samples on MalwareBazaar
TLSH T184739E1077245FDFC66F023790AA20926372D36BE015DBC0EEE4BAEE25D3795B217690
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter JAMESWT_WT
Tags:CustomerLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
294
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTATION_JUL7FIBA00541·PDF.scr
Verdict:
Malicious activity
Analysis date:
2023-07-17 13:03:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0c10cfd2-1d84-4ea7-9930-5563f5d185e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/422329/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.3446.9151.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Creating a process from a recently created file
Creating a service
Launching a service
Loading a system driver
Creating a file in the Windows subdirectories
Creating a file in the Windows directory
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun for a service
Blocking the User Account Control
Forced shutdown of a system process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
MSIL/Kryptik_AGeneric.BBP trojan
Link:
https://www.hybrid-analysis.com/sample/7cadda6850c04813046afddaea278ff58b38dc49bc8e10f121560580c9eae27a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/20a000dc-d4b1-4c89-82a5-0c5d68ed4ee8
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274438
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Drops PE files with benign system names
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1274438 Sample: 7uW4azgfFV.scr Startdate: 17/07/2023 Architecture: WINDOWS Score: 100 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 6 other signatures 2->73 8 7uW4azgfFV.scr 15 8 2->8         started        13 svchost.exe 3 2->13         started        15 svchost.exe 2->15         started        17 3 other processes 2->17 process3 dnsIp4 63 kyliansuperm92139124.shop 172.67.183.88, 443, 49690, 49692 CLOUDFLARENETUS United States 8->63 65 192.168.2.1 unknown unknown 8->65 53 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 8->53 dropped 55 C:\Users\user\AppData\...\7uW4azgfFV.scr.log, CSV 8->55 dropped 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->79 81 Drops PE files with benign system names 8->81 19 cmd.exe 1 8->19         started        21 cmd.exe 1 8->21         started        24 conhost.exe 8->24         started        83 System process connects to network (likely due to code injection or exploit) 13->83 26 conhost.exe 13->26         started        57 C:\Windows\Temp\kdvvvalt.inf, Windows 15->57 dropped 28 conhost.exe 15->28         started        30 cmstp.exe 15->30         started        32 conhost.exe 17->32         started        34 conhost.exe 17->34         started        file5 signatures6 process7 signatures8 36 svchost.exe 4 19->36         started        41 conhost.exe 19->41         started        43 timeout.exe 1 19->43         started        75 Uses schtasks.exe or at.exe to add and modify task schedules 21->75 45 conhost.exe 21->45         started        47 schtasks.exe 1 21->47         started        process9 dnsIp10 59 104.21.18.206, 443, 49691, 49698 CLOUDFLARENETUS United States 36->59 61 kyliansuperm92139124.shop 36->61 51 C:\Zemana.sys, PE32+ 36->51 dropped 77 Sample is not signed and drops a device driver 36->77 49 conhost.exe 36->49         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7cadda6850c04813046afddaea278ff58b38dc49bc8e10f121560580c9eae27a/
Threat name:
ByteCode-MSIL.Backdoor.Meterpreter
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 09:54:51 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=psw5u2cqybebgbdk7xnouj4p6wftrxcjxshbb4jbkycybspk4j5a._file
Verdict:
malicious
Similar samples:
648278b0c127bfe2aa6668ad937735e2bbf55ab56fb0b4ef10ebbf9a824f60d9
CustomerLoader
66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216
CustomerLoader
b82291de6b50625fbe64293024d4b7d3f1bc874e14d8a6c613b56cf4c5854d30
CustomerLoader
fafa6b45c6684020d513319282c54e48547a56555c31ac7340a5c68dd1e56167
CustomerLoader
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/230717-qaxzcacf91/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
7cadda6850c04813046afddaea278ff58b38dc49bc8e10f121560580c9eae27a
MD5 hash:
cbda8cb8fd16a2172972e8fa81cc11a8
SHA1 hash:
9fbe855f5a322c4848ed6f0d02a0b7e7be3d52dd
Link:
https://www.unpac.me/results/234ae5d0-8ade-4e12-b302-78b8d1102569/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7cadda6850c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7cadda6850c04813046afddaea278ff58b38dc49bc8e10f121560580c9eae27a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/422329/

Comments