MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fb7b8baeb8b32f9aaf1f414913ff1086024844852ae80c6d6d0f34223f90823. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fb7b8baeb8b32f9aaf1f414913ff1086024844852ae80c6d6d0f34223f90823
SHA3-384 hash: 452b4631a713c3b34f8dc273cfecd6770a28bb83bb049b8c498833d6a92ce29ae9dab2de12f2aacf0f6fd2777517e05d
SHA1 hash: 6f60a48a7011676c994a244c65c4dc0f691180bc
MD5 hash: 6e8a887ccd029300cc040aa7facff017
humanhash: idaho-vermont-delta-fish
File name:7fb7b8baeb8b32f9aaf1f414913ff1086024844852ae80c6d6d0f34223f90823
Download: download sample
File size:2'608'128 bytes
First seen:2022-11-09 12:44:38 UTC
Last seen:2022-11-09 14:42:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (61 x LummaStealer, 49 x AuroraStealer, 45 x Vidar)
ssdeep 49152:RiuXKoiP09KpfNK47+HVT4Js/ddbuf1D1d8:0uNF97S9
TLSH T1AEC52990FDD784F1DA0329305467A2AF2B3179094F34DB87EA207F2AE8776E14D36259
gimphash e5e13268ef3df8fa999deafd5f528e7befda2b47954a017641353af68efb2d1d
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter petikvx

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7fb7b8baeb8b32f9aaf1f414913ff1086024844852ae80c6d6d0f34223f90823
Verdict:
Malicious activity
Analysis date:
2022-11-09 13:10:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb6f6831-95c3-4ddc-aee9-b4e0b71b1ed5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331199/
Detection(s):
SecuriteInfo.com.Trojan.Heur3.LPT.FAW@a01sXqiab.1557.10619.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive golang greyware
Link:
https://www.filescan.io/uploads/636ba0d05ae98d57706896df/reports/444cd7ed-f964-44d5-91bc-b0f8356dc786/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7a3e975e-0738-4d4b-9e8a-adc315cc9587
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1109272
Signature
Antivirus / Scanner detection for submitted sample
Clears the windows event log
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May encrypt documents and pictures (Ransomware)
Multi AV Scanner detection for submitted file
Uses bcdedit to modify the Windows boot settings
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 741952 Sample: bfWs0xSiTY.exe Startdate: 09/11/2022 Architecture: WINDOWS Score: 96 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 2 other signatures 2->46 7 bfWs0xSiTY.exe 475 2->7         started        process3 file4 38 C:\$Recycle.Bin\aeskey.keyfile, ASCII 7->38 dropped 48 Clears the windows event log 7->48 50 Creates files in the recycle bin to hide itself 7->50 52 Uses cmd line tools excessively to alter registry or file data 7->52 54 3 other signatures 7->54 11 cmd.exe 1 7->11         started        14 cmd.exe 1 7->14         started        16 cmd.exe 1 7->16         started        18 39 other processes 7->18 signatures5 process6 signatures7 56 Uses cmd line tools excessively to alter registry or file data 11->56 58 Deletes shadow drive data (may be related to ransomware) 11->58 60 Uses schtasks.exe or at.exe to add and modify task schedules 11->60 20 conhost.exe 11->20         started        22 reg.exe 1 1 11->22         started        24 conhost.exe 14->24         started        26 reg.exe 1 14->26         started        28 conhost.exe 16->28         started        30 reg.exe 1 16->30         started        32 conhost.exe 18->32         started        34 conhost.exe 18->34         started        36 71 other processes 18->36 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fb7b8baeb8b32f9aaf1f414913ff1086024844852ae80c6d6d0f34223f90823/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-07 16:46:35 UTC
File Type:
PE (Exe)
AV detection:
9 of 41 (21.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p633roxlrmzptkxr6qkjcp7rbbqcjbcikkxibrww2dzuei7zbarq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/221109-py23jaaedl/
Behaviour
Interacts with shadow copies
Kills process with taskkill
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Adds Run key to start application
Reads user/profile data of web browsers
Modifies extensions of user files
Stops running service(s)
Clears Windows event logs
Deletes shadow copies
Modifies security service
Unpacked files
SH256 hash:
7fb7b8baeb8b32f9aaf1f414913ff1086024844852ae80c6d6d0f34223f90823
MD5 hash:
6e8a887ccd029300cc040aa7facff017
SHA1 hash:
6f60a48a7011676c994a244c65c4dc0f691180bc
Link:
https://www.unpac.me/results/d1332cd2-bd11-48d9-99b9-83fe69c4acf7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7fb7b8baeb8b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fb7b8baeb8b32f9aaf1f414913ff1086024844852ae80c6d6d0f34223f90823

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICOUS_EXE_References_VEEAM
Create hunting rule
Author:ditekSHen
Description:Detects executables containing many references to VEEAM. Observed in ransomware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/331199/

Comments