MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f907663cf0408b52168de1a1182e0185bebffe4554d2e1c713869a9a63d08d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f907663cf0408b52168de1a1182e0185bebffe4554d2e1c713869a9a63d08d9
SHA3-384 hash: 51a159bc67f4b1693977dc34bf1068c3438acc22f4512054c9a85492586ab23cd3ec48c62891e24599080cb4d1a42169
SHA1 hash: 7ba9d2d27df773e7d1dbbe4f6f8ee67e334b88a7
MD5 hash: 9da75f1dc93532c1fb6f09285be085aa
humanhash: mirror-undress-maine-seventeen
File name:9da75f1dc93532c1fb6f09285be085aa
Download: download sample
File size:505'856 bytes
First seen:2022-11-01 04:01:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:dSsd5zHRRT47h1ilafb2usMouWbToHC7yofFw/swULAOYFD5:dRz47XiEfb2usgWEeySS/XUZO
Threatray 2'633 similar samples on MalwareBazaar
TLSH T198B423482E5A31F1F7787BF42A64A6428BB1E033F610A6D70BB5CD5255C2E34B060F9A
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9da75f1dc93532c1fb6f09285be085aa
Verdict:
Suspicious activity
Analysis date:
2022-11-01 04:03:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/18946481-f440-4b89-b928-d0a8126dffcc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326656/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63256269.11838.6537.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63609a40a5db8d309cbc223f/reports/c4abf911-4f6d-45af-9a58-c6859907d1a6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58d4d6c6-595a-4aec-acd2-fdeb0e4eaf4c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1102223
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f907663cf0408b52168de1a1182e0185bebffe4554d2e1c713869a9a63d08d9/
Threat name:
ByteCode-MSIL.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-10-28 13:43:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 41 (68.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6ihmy6paqelkili3ynbdaxadbn6x77ekvgs4hdrhbu2tjr5bdmq._file
Verdict:
malicious
Similar samples:
287833f2222f3e460990b859f8b198280d04561d3930df5946f9dd3a044218b9
a010dbebffc12636e3f3269758969ca314b2a893f62a304aa77ed7683d6acabb
b2e31ed9833299ec3c166877db92ff5d477858f5867ca5494b26a82558e4616e
d57321805b57d9a004d652b7d8b00d9045d6940800653374e2a47c7dad2e9196
d5d8501413231217f31c6b614fbc4e5cba5ba8cabb6da772e5ed82e484238088
e6d52698d201c0e3dc8a52d6694ecf314a08a5bbc61170dce932a4d9762118e4
e786277086340b57fe809a77cf9ccf0637c59d049abd8b54588fc6193dd2bdf8
fa8d8657315c0ff3057652f4b34194de08fa9d2ff3028ad2043b53c551851358
+ 2'623 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221101-elsyzsfgg7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
1814f43225357e1108f40023abb24fe64b3e31b584a6dd755379dcb312b4dc9a
MD5 hash:
e1ac452c7ce42473a0a576369204ce29
SHA1 hash:
f1c72ca861accc00a938d22d96474147ad314011
Link:
https://www.unpac.me/results/93ed160a-48e0-4f8a-b11c-8b5a3e1929f3/
SH256 hash:
6b77e2bfff019609c509c3e559c6870dbb7e8d8b9979affb98440e079c99e354
MD5 hash:
958e4d62824c29a594256646c3d6bbf9
SHA1 hash:
e2f2004a3932381c8e70ecde39a129f0f6add9b0
Link:
https://www.unpac.me/results/93ed160a-48e0-4f8a-b11c-8b5a3e1929f3/
SH256 hash:
a72835c6786591efd7b03590129b16d3cf5c1376981ed00b1e1c46196dde33fc
MD5 hash:
ac2ab794c6ffe33da2999a3e5fe457a7
SHA1 hash:
63532dcf541012d32ebd2d71e979047834879332
Link:
https://www.unpac.me/results/93ed160a-48e0-4f8a-b11c-8b5a3e1929f3/
SH256 hash:
7f907663cf0408b52168de1a1182e0185bebffe4554d2e1c713869a9a63d08d9
MD5 hash:
9da75f1dc93532c1fb6f09285be085aa
SHA1 hash:
7ba9d2d27df773e7d1dbbe4f6f8ee67e334b88a7
Link:
https://www.unpac.me/results/93ed160a-48e0-4f8a-b11c-8b5a3e1929f3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f907663cf0408b52168de1a1182e0185bebffe4554d2e1c713869a9a63d08d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7f907663cf0408b52168de1a1182e0185bebffe4554d2e1c713869a9a63d08d9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2393245/
Cape
Cape
https://www.capesandbox.com/analysis/326656/

Comments


Avatar
zbet commented on 2022-11-01 04:01:37 UTC

url : hxxp://79.110.62.23/nopersis_loader.exe