MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d6aee416fbfdfd3dd7cd2661c7f232f00dc6200ea3ca6cb67193bbe2979eac0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	7d6aee416fbfdfd3dd7cd2661c7f232f00dc6200ea3ca6cb67193bbe2979eac0
SHA3-384 hash:	4398d8b16a4dfaaf0cdbd1464a17b8ea4e4cddbd7839d6aa7ba9d19042c534175c01306dbfc33ade2c561a6db6a45438
SHA1 hash:	c224f7da8b2e4715a7ff87497729f82896c343d4
MD5 hash:	f75d8ee24a8082eb6576b3ef942ecfdb
humanhash:	indigo-lion-angel-maine
File name:	f75d8ee24a8082eb6576b3ef942ecfdb.exe
Download:	download sample
File size:	576'000 bytes
First seen:	2021-11-22 16:31:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:YI1cAy+t4wKzVAEC1uXsfwWTq7A5aJPA+thPAyPH6Lvs7+Ag+t:Y6uurbuXx7fJ/tlAyyvs7pgo
Threatray	651 similar samples on MalwareBazaar
TLSH	T10AC4020117E44A27E57D977894E30601AA34F2A39B43D75E4AC1B0AE1C9B7CD1F2C7AB
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f75d8ee24a8082eb6576b3ef942ecfdb.exe

Verdict:

Malicious activity

Analysis date:

2021-11-22 16:38:09 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/e9999e43-8710-4295-9273-b98e65fda21d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Launching a service

Creating a file

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Adding exclusions to Windows Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/619bc607dd04e7d00e027341/reports/e4b2d124-fced-4354-a2c6-1540a0afe5f0/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8082c0bb-59e1-45c7-beb0-be3d96a23ca7

Result

Threat name:

Unknown

Detection:

malicious

Classification:

expl.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/894055

Signature

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Defender Exclusion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d6aee416fbfdfd3dd7cd2661c7f232f00dc6200ea3ca6cb67193bbe2979eac0/

Threat name:

ByteCode-MSIL.Trojan.Tiggre

Status:

Malicious

First seen:

2021-11-22 16:14:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Verdict:

malicious

31f252898ace9fc5e4bccf183ef98c71a3f583dbfd637a64642c74e0490f5446

6c0a4f788136a3d56f31efaa5c0cf49b5769dced978a8ed0e45dc64ba766cadf

6f9c881d55ee853803be5f29c249ea49c498e65312c9eb95739727084d19644e

8466ebd35658644d4c289191e1341b8900bb021196fae0b82fbba7d8a74a3073

98c7b1a7626c14161e352f06407631aea8221bc95ca5fa4c08e0ebc8d8b9c9f2

de84340eef0ca9f002d25e7a0ffdc5be906a2b0852c728008b9ac6928c3e7259

f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00

+ 641 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion trojan

Link:

https://tria.ge/reports/211122-t1y6wabae7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Loads dropped DLL

Windows security modification

Executes dropped EXE

Nirsoft

Windows security bypass

Unpacked files

SH256 hash:

a13f62587c83eaef5bb421567cae5f91de0bef9082ee05b0341a2eeda24e6643

MD5 hash:

c253e1ae926c8d5cd4ec1f42d82dbba7

SHA1 hash:

b31a25ce6a17bd13ba754e7a834313811ba90599

Link:

https://www.unpac.me/results/5a970029-db9d-4961-b0ad-9ff0082f9718/

SH256 hash:

3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220

MD5 hash:

5dbed7594d4c8d71c1882692e6776bf0

SHA1 hash:

8552a2f2afca501945fe57c1875970b6f777f709

Link:

https://www.unpac.me/results/5a970029-db9d-4961-b0ad-9ff0082f9718/

SH256 hash:

8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be

MD5 hash:

4abff34e351e4e95514aecb515e8aea3

SHA1 hash:

742702e8c78e7cf19f19e56a6cdb2d1811759710

Link:

https://www.unpac.me/results/5a970029-db9d-4961-b0ad-9ff0082f9718/

SH256 hash:

458901f57b018b2ced894a2ab8d8e1c881e7e4f68e5f35a0968dc0ae6f7d88ad

MD5 hash:

2d7138a17022f1be975714f2f7f17353

SHA1 hash:

272875c5543debb9417ccf8edcc20b311c437494

Link:

https://www.unpac.me/results/5a970029-db9d-4961-b0ad-9ff0082f9718/

SH256 hash:

0f95aafda63f5da77224dd0131cd5da6e970c15eb55f6b3add9a299e3a819f9d

MD5 hash:

abc9fb8b041c1fae68ec3922c5c9f369

SHA1 hash:

0d0ad6f2c48a921cf5c94766b24216f9473d99dc

Link:

https://www.unpac.me/results/5a970029-db9d-4961-b0ad-9ff0082f9718/

SH256 hash:

7d6aee416fbfdfd3dd7cd2661c7f232f00dc6200ea3ca6cb67193bbe2979eac0

MD5 hash:

f75d8ee24a8082eb6576b3ef942ecfdb

SHA1 hash:

c224f7da8b2e4715a7ff87497729f82896c343d4

Link:

https://www.unpac.me/results/5a970029-db9d-4961-b0ad-9ff0082f9718/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7d6aee416fbf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7d6aee416fbfdfd3dd7cd2661c7f232f00dc6200ea3ca6cb67193bbe2979eac0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 7d6aee416fbfdfd3dd7cd2661c7f232f00dc6200ea3ca6cb67193bbe2979eac0

(this sample)

Cape

https://www.capesandbox.com/analysis/208279/

URLhaus

https://urlhaus.abuse.ch/url/1805897/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample