MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fa5971fde4364c32e47c5a8e6b189fc214ffd019077f30c14fbfb4e240909e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fa5971fde4364c32e47c5a8e6b189fc214ffd019077f30c14fbfb4e240909e1
SHA3-384 hash: 987785da4b34d00c1b6e261bcdffc839e77f1e1d7635e5f248e01922273308a5b8fba7084e019b498becd53c4b6b1b06
SHA1 hash: ab99fc26cbd7dc17997900ac3ddca54d186f5a86
MD5 hash: 405a81ce9f59b55a5a841588947971aa
humanhash: item-chicken-mike-november
File name:file
Download: download sample
File size:5'325'824 bytes
First seen:2022-09-08 14:58:05 UTC
Last seen:2022-09-09 02:34:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:7j2w7F7fpcosyH/nhdYhWRec0Q7Y5zDawjn123gOyzhmZCv8knly7:ntD1H/v2aXxt3EREl
Threatray 26 similar samples on MalwareBazaar
TLSH T1C23633BE567A9CFAE62A2FBBF2E9E33CD54121743274DD351C863813B15C02A07161B9
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc425378894_652041482?hash=JO63ApOBUOD72WgRPw9AfQFE6zZwanVdgVU7YwbFpmT&dl=GQZDKMZXHA4DSNA:1662647072:GwchK2pLEDxJ5B6vCp9FovsjopKtUJLonD4OAhwrn78&api=1&no_preview=1#1055ww14

Intelligence

File Origin
# of uploads :
3
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-09-08 15:05:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c9995912-e641-492e-b110-8ec7a174f130

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308827/
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.29778.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
Creating a file in the system32 subdirectories
Creating a file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/631a03f4bdec86ddb45cfe38/reports/914e1af9-3553-41f9-9c37-b514c77f5c74/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dd1fdfff-e53d-465b-80a3-c138ae2bcec4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1067259
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 699791 Sample: file.exe Startdate: 08/09/2022 Architecture: WINDOWS Score: 80 23 goback.delivery 2->23 25 Malicious sample detected (through community Yara rule) 2->25 27 Antivirus detection for URL or domain 2->27 29 Antivirus / Scanner detection for submitted sample 2->29 31 Multi AV Scanner detection for submitted file 2->31 8 file.exe 2->8         started        signatures3 process4 process5 10 powershell.exe 11 8->10         started        13 powershell.exe 11 8->13         started        15 powershell.exe 11 8->15         started        signatures6 33 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->33 35 Queries memory information (via WMI often done to detect virtual machines) 10->35 17 conhost.exe 10->17         started        19 conhost.exe 13->19         started        21 conhost.exe 15->21         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fa5971fde4364c32e47c5a8e6b189fc214ffd019077f30c14fbfb4e240909e1/
Threat name:
Win64.Infostealer.BroPass
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 14:59:35 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6szoh66insmglshywuonmmj7qqu77ibsb37gdau7p5u4jajbhqq._file
Verdict:
unknown
Similar samples:
057e92d5cb962f0860f3f59f767645350a870c5a884afe1a2806509954036633
0cba0f9dafbb15b07c0e8b87ccd3ea7c306198b67dd480c42aa822c0e51ad2e8
5d72a8ffcefedd15f16a8ac752b0e09fef6d9359c0019fa1627be76581358152
6ace84c8a5b97075e435df18a59c7dcaa90091c8b3140deedf5139329d1890df
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
7235b9b0554815b59a73d9d2a99b1485ba3667655d8a983b4f2e67d5a8082812
82346f3a4b7e84f746f6242ff70265b1467ffdcd01954f71806f86c2989a9819
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
ef91b2a1887cb0fa13a3305220dfb78d4d7b041fe8177b5810772e0d27487f90
f9b5057081ca6e37c63a992234668b244551053a63582ee5bcd24e9e06222278
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer upx
Link:
https://tria.ge/reports/220908-scqzxscadm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
6bc013821649ca872496d1e22ac3c5bf8a06c93be06f3a26276042d316422a12
MD5 hash:
5e67d515995a39040913d030b6c9d76c
SHA1 hash:
cb5bd92fdcf72e0bdc00cee8340e420022649f97
Link:
https://www.unpac.me/results/688b5fc7-835d-40fe-97e7-7f07458d6168/
SH256 hash:
7fa5971fde4364c32e47c5a8e6b189fc214ffd019077f30c14fbfb4e240909e1
MD5 hash:
405a81ce9f59b55a5a841588947971aa
SHA1 hash:
ab99fc26cbd7dc17997900ac3ddca54d186f5a86
Link:
https://www.unpac.me/results/688b5fc7-835d-40fe-97e7-7f07458d6168/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7fa5971fde4364c32e47c5a8e6b189fc214ffd019077f30c14fbfb4e240909e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/308827/

Comments