MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f9030af40b04e18dd1e9dc5329b56fd82ab05c6eaa67c70ab94cbc2c52df0df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10



SHA256 hash: 7f9030af40b04e18dd1e9dc5329b56fd82ab05c6eaa67c70ab94cbc2c52df0df
SHA3-384 hash: f0d348aae1b5df2156bec8d11c35a1b77be87c7fff8c2f1c0565c20e1a98a6665631f11631a198891610d9d05c146cfb
SHA1 hash: dd657b66e63877baff351079f519b25f36a8410a
MD5 hash: 0d37c7081bbfe26a38f0f274b0f255cf
humanhash: summer-network-oxygen-washington
File name: file.exe
File size: 3'125'000 bytes
First seen: 2023-05-02 09:39:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'640 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 49152:Fo6iI7SmZLovFBrp1kSl4gXkGBlcup+ZiyPRo9oX7gXpRq+f:i1mZQ2vqkilQZ0K
Threatray: 356 similar samples on MalwareBazaar
TLSH: T182E5021357658071D99AA8394E37BE9A32FE6752CB03D8F7E289D9C618313D3E532243
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe signed

Code Signing Certificate

Organisation: O PLUS K LTD
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2023-04-20T00:00:00Z
Valid to: 2024-04-19T23:59:59Z
Serial number: 6615b213598e4374aa52de4e5debd105
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: c606af5c9753112311097876d6960cc9bd99ad6756fe85c39125c0a6a5c04f96
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 238
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file.exe
Verdict: Malicious activity
Analysis date: 2023-05-02 09:42:12 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching cmd.exe command interpreter
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
Creating synchronization primitives
Launching a process
Changing a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 57 / 100
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Very long command line found
Behaviour
Behavior Graph (ID 857469, sample file.exe, start date 02/05/2023, architecture WINDOWS, score 57): file.exe drops C:\Users\user\AppData\...\WhitehatDataHM.dll (PE32), triggers the "Tries to detect virtualization through RDTSC time measurements" signature and starts several cmd.exe instances (each with conhost.exe), which in turn drop and launch C:\Users\user\AppData\...\unsdk.bat.exe (PE32); "Very long command line found" is flagged on the cmd.exe processes.
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2023-05-02 09:40:09 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 13 of 22 (59.09%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: ff8ba368e1fb3395cd41ad27ef4d0da5d8db888fa37819cca5fc4e2c7c214264
MD5 hash: 5b34272f9ff57704a3cd7cc109e653ab
SHA1 hash: 916b26a07d2f8916b4f176f53268bf3f6e49b967
SHA256 hash: 83de2bc6a0a9d25f714625ba5de3115079801a5cf3faa22698852c1ceabdafaa
MD5 hash: 60f0f6c1f8b5c2697734154577e515ed
SHA1 hash: 8542083d81c61b2780f3c49f5a103937b36c41b9
SHA256 hash: 7f9030af40b04e18dd1e9dc5329b56fd82ab05c6eaa67c70ab94cbc2c52df0df
MD5 hash: 0d37c7081bbfe26a38f0f274b0f255cf
SHA1 hash: dd657b66e63877baff351079f519b25f36a8410a
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_DNGuard
Author: ditekSHen
Description: Detects executables packed with DNGuard
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: QbotStuff
Author: anonymous
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments