MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f6a22cc0e0b5ee908e631cfd8b4d0a4613109b97c5df7cf91f755099330fc5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	7f6a22cc0e0b5ee908e631cfd8b4d0a4613109b97c5df7cf91f755099330fc5c
SHA3-384 hash:	c70125cf9dda95efd3310f491fadc0074393296c0bfb57da85251399bf7e9086579ff85c768fd5b7fddb46253e64b7f3
SHA1 hash:	f04086877332b358213ae0f657d5b0abe613c566
MD5 hash:	ef7e03e9497349350e35e4067296b496
humanhash:	floor-arizona-wolfram-echo
File name:	SecuriteInfo.com.PowerShell.DownLoader.1445.18323.889
Download:	download sample
File size:	937'472 bytes
First seen:	2023-08-25 03:29:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ac35c5d1a782e9d9206f3d7dce4e8cd9
ssdeep	24576:iyyzQyz5io+HExGWUAyiqZmYVBqnGIQ5M6DLrVVdWHA+:irz5io+HGGWxyzmYzlrXVVdWHA
Threatray	11 similar samples on MalwareBazaar
TLSH	T1BF159D117BC6C432D4BB05702E29D76A456EBD304BB188EF63D80E2E1E726C25636F67
TrID	85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 4.5% (.EXE) Win64 Executable (generic) (10523/12/4) 2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.PowerShell.DownLoader.1445.18323.889

Verdict:

No threats detected

Analysis date:

2023-08-25 03:43:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c1895cb1-c983-4465-9742-7c1fb1a9014a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/444624/

Detection(s):

SecuriteInfo.com.PowerShell.DownLoader.1445.18323.889.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Launching the default Windows debugger (dwwin.exe)

Changing a file

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin masquerade overlay remote shell32

Link:

https://www.filescan.io/uploads/64e82047d7ae0984750ebcbd/reports/3669bd22-f3d4-4a13-b146-34ac5616860c/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/7f6a22cc0e0b5ee908e631cfd8b4d0a4613109b97c5df7cf91f755099330fc5c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/59f504fc-ce82-495b-bac7-32a7b702bf2b

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1297135

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f6a22cc0e0b5ee908e631cfd8b4d0a4613109b97c5df7cf91f755099330fc5c/

Threat name:

Win32.Browser.Generic

Status:

Suspicious

First seen:

2023-08-25 03:30:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

5 of 24 (20.83%)

Threat level:

4/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p5vcftaobnposchgghh5rngqurqtccnzpro7pt4r65kqtezq7roa._file

Verdict:

unknown

28ee91abd2a0efefab3b2e95ffe2ffaecd7ca0cf2a5bc5bf56b6810ba32eafb4

3529493db869e38f4cc8d85f0b5e3964abb6b9aa9e053b6884b47ff610551239

368a995009f0a3324ed392ed8411bd64c41d091fb22ef20170f9c9fd50ee8c8a

39067a6a8ac06d60189b34afbb9acd73e8e33aba91653c39a037c2f78f972f29

3a8a863262c6ec275713adb6a29131487d7986b375fafe4c797ef58b5c8f6d69

a00f40db9ba7257068bb17d72e399d6a6651c2d459dbe026537131ff9baef6eb

c5d5bd4d5b66de5559e4ebb98251b74b49baa08a50cfc8f69b2c9005fcc861a4

df2853a1bc08e8f9ee97a33a001e84597e85d5834c540d846dce4d4f8183bddd

e6c39cc0b7a7ad889fd345475f0b7d5ea740caba70bc4f57564e760e8a52f6ad

+ 1 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230825-d2hyaagg68/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

7f6a22cc0e0b5ee908e631cfd8b4d0a4613109b97c5df7cf91f755099330fc5c

MD5 hash:

ef7e03e9497349350e35e4067296b496

SHA1 hash:

f04086877332b358213ae0f657d5b0abe613c566

Detections:

win_blacksoul_auto

Link:

https://www.unpac.me/results/1e9f729f-ec0f-4f6e-b4c0-a747e1928dcc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.27

Link:

https://yomi.yoroi.company/submissions/7f6a22cc0e0b5ee908e631cfd8b4d0a4613109b97c5df7cf91f755099330fc5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	win_blacksoul_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.blacksoul.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/444624/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample